SSL PHP Server Key and Certificate generation: Difference between revisions

No edit summary
m (Reverted edits by Upazixorys (Talk); changed back to last version by Ric)
 
Line 1: Line 1:
'''''Server key and certificate generation revisited.'''''
== Introduction ==
Line 18: Line 17:
   
   
{|
|-valign="top"
|'''Run.bat'''|| ||'''cert.php'''
|-valign="top"
|<pre>
TITLE UNIFORM SERVER - Certificate and Key generator
COLOR B0
Line 28: Line 27:
..\..\usr\local\php\php.exe -c ..\..\usr\local\php\php-cli.ini  gen.php
pause
</pre>
|&nbsp;
|<pre>
<?php
print "\ntest\n";
?>
</pre>
|}
Double-clicking Run.bat runs the script cert.php; it produces nothing spectacular other than displaying "test", but it proves you have a working set-up for this tutorial.
Line 56: Line 55:
Press any key to continue . . .
|
<pre>
<?php
print "\ntest\n";
//=== Generate a new private (and public) key pair
$privkey = openssl_pkey_new();
?>
</pre>
|-valign="top"
|
Function openssl_pkey_new() is defined in the openssl library. The problem is that the extension php_openssl.dll is not being loaded, because it is not configured in the configuration file php-cli.ini.
Line 73: Line 72:
Run the script again (Run.bat); this time there will be no errors.
|
<pre>
[PHP]
extension=php_curl.dll
Line 79: Line 78:
extension=php_openssl.dll

extension_dir = "./extensions"
error_reporting = E_ALL | E_STRICT
date.timezone = "Europe/London"
</pre>
|}
'''''[[#top | Top]]'''''
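A pre-flight check that reports a missing extension or a wrong ini file in plain words instead of an "undefined function" fatal error. This is an added example, not code from the original page or from the Uniform Server project; it assumes it is run from Run.bat with the same `-c ..\..\usr\local\php\php-cli.ini` argument as gen.php, and the checks on OPENSSL_CONF and SSLEAY_CONF refer to the environment variables discussed later on this page.

```php
<?php
// Added example (not part of the original page): run this before gen.php
// to confirm php.exe loaded php-cli.ini and the openssl extension.

function openssl_preflight() {
    $problems = array();

    // Which ini file did php.exe actually load? With -c it should be php-cli.ini.
    $ini = php_ini_loaded_file();
    if ($ini === false) {
        $problems[] = 'no php.ini was loaded; check the -c argument in Run.bat';
    } elseif (basename($ini) !== 'php-cli.ini') {
        $problems[] = "loaded $ini instead of php-cli.ini";
    }

    // The extension must be loaded, which also requires extension_dir to resolve.
    if (!extension_loaded('openssl')) {
        $dir = ini_get('extension_dir');
        $problems[] = "openssl extension not loaded (extension_dir = '$dir'); "
                    . 'add extension=php_openssl.dll to php-cli.ini';
    } elseif (!function_exists('openssl_pkey_new')) {
        $problems[] = 'openssl extension loaded but openssl_pkey_new() is missing';
    }

    // The tutorial passes the openssl.cnf path explicitly; warn if an
    // environment variable would silently point the library at a file
    // that does not exist on this machine.
    foreach (array('OPENSSL_CONF', 'SSLEAY_CONF') as $var) {
        $val = getenv($var);
        if ($val !== false && !is_readable($val)) {
            $problems[] = "$var is set to '$val' but that file is not readable";
        }
    }
    return $problems;
}

$problems = openssl_preflight();
if ($problems) {
    foreach ($problems as $p) {
        print "PROBLEM: $p\n";
    }
    exit(1);
}
print 'OK: ' . OPENSSL_VERSION_TEXT . ' via ' . php_ini_loaded_file() . "\n";
?>
```

Save it beside gen.php and point a copy of Run.bat at it; a non-zero exit code means one of the printed problems must be fixed before the key generation script will work.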
Line 88: Line 87:
=== Openssl configuration ===
{|
|-valign="top"
|
The above line creates the private and public keys used by the other functions.
Line 106: Line 105:


Reading the manual you will find
<pre>
Note: You need to have a valid openssl.cnf
installed for this function to operate correctly.
</pre>
Most functions use this file; the trouble is that it cannot be found. The path is assumed to be defined by the OPENSSL_CONF or SSLEAY_CONF environment variable, or to be the default path c:\usr\local\ssl.
|
<pre>
<?php
print "\ntest\n";
//=== Generate a new private (and public) key pair
$privkey = openssl_pkey_new();
Line 120: Line 119:
//=== Create data array for certificate information
$dn = array(
   "countryName"            => "UK",
   "stateOrProvinceName"    => "Cambridge",
   "localityName"           => "Cambs",
   "organizationName"       => "UniServer",
   "organizationalUnitName" => "Demo",
   "commonName"             => "localhost",
   "emailAddress"           => "me@example.com"
);


Line 133: Line 132:


//== Create a self-signed certificate valid for 365 days
$sscert = openssl_csr_sign($csr, "my secret", $privkey, 365);

?>
</pre>
|}
Uniform Server is portable, hence the above default path is not applicable. Using environment variables is not always a predictable solution.
Line 153: Line 152:
|-
|
<pre>
#######################################################################
# File name: openssl.cnf
Line 195: Line 194:
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, nsSGC, msSGC
nsComment               = "OpenSSL Certificate for SSL Web Server"

[ v3_req ]
Line 206: Line 205:
keyUsage                = cRLSign, keyCertSign
extendedKeyUsage        = serverAuth, clientAuth
nsComment               = "OpenSSL CA Certificate"
</pre>
|}


Line 220: Line 219:


We are interested only in defining a path to our configuration file. First the absolute path is calculated and assigned to the "config" key.
<pre>
//== Determine path
$ssl_path = getcwd();
Line 227: Line 226:
//== Create a configuration array containing path to openssl.cnf
$config = array(
"config" => "$ssl_path/openssl.cnf"
);
</pre>

'''''[[#top | Top]]'''''
Line 239: Line 238:
|-
|
<pre>
//=== Create data array for certificate information
$dn = array(
   "countryName"            => "UK",
   "stateOrProvinceName"    => "Cambridge",
   "localityName"           => "Cambs",
   "organizationName"       => "UniServer",
   "organizationalUnitName" => "Demo",
   "commonName"             => "localhost",
   "emailAddress"           => "me@example.com"
);
</pre>
'''''Note'':''' The common name for a real signed certificate would be what a user types into a browser, e.g. '''www.fred.com'''.


Line 256: Line 255:
=== Function openssl_pkey_new ===
Function openssl_pkey_new() generates a new private and public key pair.
<pre>
resource openssl_pkey_new  ([  array $configargs  ] )
</pre>
Code:
{|
|-
|
<pre>
//=== Generate a new private (and public) key pair
$privkey = openssl_pkey_new($config);
</pre>
|}


Line 273: Line 272:
Function openssl_csr_new() generates a new CSR (Certificate Signing Request) based on the information provided by dn.

<pre>
mixed openssl_csr_new (array $dn, resource &$privkey [,array $configargs [,array $extraattribs ]] )
</pre>
Code:
{|
|-
|
<pre>
//=== Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey, $config);
</pre>
|}


Line 289: Line 288:
=== Function openssl_csr_sign ===
Function openssl_csr_sign() generates an x509 certificate resource from the given CSR.
<pre>
resource openssl_csr_sign(mixed $csr, mixed $cacert, mixed $priv_key, int $days[,array $configargs[,int $serial = 0 ]])
</pre>
Code:
{|
|-
|
<pre>
//== Create a self-signed certificate valid for 365 days
$sscert = openssl_csr_sign($csr, null, $privkey, 365, $config);
</pre>
|}
Essentially that completes certificate and key generation! They are currently resources; these need to be written out to the appropriate files. The following functions perform this task:
Line 307: Line 306:
Function openssl_pkey_export_to_file() saves an ASCII PEM-encoded version of the key into the file named by outfilename.

<pre>
bool openssl_pkey_export_to_file(mixed $key,string $outfilename[,string $passphrase[,array $configargs]])
</pre>
This function is a quick way to kill Apache stone dead if you set a passphrase! To prevent this, ensure you use NULL for $passphrase.


Line 316: Line 315:
|-
|
<pre>
//== Create key file. Note no passphrase
openssl_pkey_export_to_file($privkey,"server.key",NULL, $config);
</pre>
|}


Line 326: Line 325:
Function openssl_x509_export_to_file() exports a certificate to a file.

<pre>
bool openssl_x509_export_to_file(mixed $x509, string $outfilename [,bool $notext ])
</pre>
If the optional parameter notext is FALSE, additional human-readable information is included in the output.


Line 337: Line 336:
|-
|
<pre>
//== Create server certificate
openssl_x509_export_to_file($sscert,  "server.crt",  FALSE );
</pre>
|}
'''''[[#top | Top]]'''''
Line 346: Line 345:
==== Function openssl_csr_export_to_file ====
Function openssl_csr_export_to_file() exports a CSR to a file.
<pre>
bool openssl_csr_export_to_file(resource $csr, string $outfilename[, bool $notext = true ])
</pre>

Code:
Line 354: Line 353:
|-
|
<pre>
//== Create a signing request file
openssl_csr_export_to_file($csr, "server.csr");
</pre>
|}
'''''[[#top | Top]]'''''
Line 366: Line 365:
|-
|
<pre>
<?php

//== Determine path
Line 375: Line 374:
//== Create a configuration array containing path to openssl.cnf
$config = array(
"config" => "$ssl_path/openssl.cnf"
);

//=== Create data array for certificate information
$dn = array(
   "countryName"            => "UK",
   "stateOrProvinceName"    => "Cambridge",
   "localityName"           => "Cambs",
   "organizationName"       => "UniServer",
   "organizationalUnitName" => "Demo",
   "commonName"             => "localhost",
   "emailAddress"           => "me@example.com"
);


Line 399: Line 398:


//== Create key file. Note no passphrase
openssl_pkey_export_to_file($privkey,"server.key",NULL, $config);

//== Create server certificate
openssl_x509_export_to_file($sscert,  "server.crt",  FALSE );

//== Create a signing request file
openssl_csr_export_to_file($csr, "server.csr");
?>
</pre>
|}
Run the script, then manually copy the key and certificate to the server.
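The complete script again, this time with the checks a practitioner would want around each step. It serves both the "Openssl configuration" section (locating openssl.cnf without relying on the working directory) and the function walk-through above. This is an added example, not code from the original page or from the Uniform Server project: it assumes PHP 7 or later with the openssl extension loaded and the tutorial's openssl.cnf in the same directory as the script; the option names private_key_bits, private_key_type and digest_alg are standard options of openssl_pkey_new()/openssl_csr_new(), the serial number choice is this example's own, and the output file names match the tutorial's.

```php
<?php
// Added example (not part of the original page): the tutorial's generation
// script with a working-directory-independent config path, explicit key and
// digest parameters, and a check on every step before anything is written.

// Drain OpenSSL's error queue into one readable string.
function ssl_errors() {
    $msgs = array();
    while (($e = openssl_error_string()) !== false) {
        $msgs[] = $e;
    }
    return $msgs ? implode('; ', $msgs) : '(no OpenSSL error recorded)';
}

function fail($step) {
    fwrite(STDERR, "$step failed: " . ssl_errors() . "\n");
    exit(1);
}

// __DIR__ is the directory holding this script, so openssl.cnf is found
// whether Run.bat is double-clicked or started from another directory.
$out = __DIR__ . DIRECTORY_SEPARATOR;
$cnf = $out . 'openssl.cnf';
if (!is_readable($cnf)) {
    fwrite(STDERR, "Cannot read $cnf\n");
    exit(1);
}

$config = array(
    'config'           => $cnf,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,     // recommended minimum RSA size today
    'digest_alg'       => 'sha256', // SHA-1 signatures are no longer accepted by browsers
);

// Same subject as the tutorial (sample values)
$dn = array(
    'countryName'            => 'UK',
    'stateOrProvinceName'    => 'Cambridge',
    'localityName'           => 'Cambs',
    'organizationName'       => 'UniServer',
    'organizationalUnitName' => 'Demo',
    'commonName'             => 'localhost',
    'emailAddress'           => 'me@example.com',
);

$privkey = openssl_pkey_new($config);
if ($privkey === false) { fail('openssl_pkey_new'); }

$csr = openssl_csr_new($dn, $privkey, $config);
if ($csr === false) { fail('openssl_csr_new'); }

// A fresh random serial each run: browsers cache issuer+serial, and
// re-generating a certificate with the default serial 0 makes them
// report a reused serial for the same issuer.
$serial = random_int(1, PHP_INT_MAX);
$sscert = openssl_csr_sign($csr, null, $privkey, 365, $config, $serial);
if ($sscert === false) { fail('openssl_csr_sign'); }

// Verify what was produced before writing anything to disk.
if (!openssl_x509_check_private_key($sscert, $privkey)) {
    fail('certificate/private key match');
}
$info = openssl_x509_parse($sscert);
printf("Subject CN : %s\n", $info['subject']['CN']);
printf("Valid      : %s to %s\n",
    date('Y-m-d', $info['validFrom_time_t']),
    date('Y-m-d', $info['validTo_time_t']));
printf("SHA-256 fp : %s\n", openssl_x509_fingerprint($sscert, 'sha256'));

// Export. server.key is unencrypted (NULL passphrase, as the tutorial
// requires for Apache), so it must be readable only by the account that
// runs Apache.
if (!openssl_pkey_export_to_file($privkey, $out . 'server.key', null, $config)) {
    fail('key export');
}
if (!openssl_x509_export_to_file($sscert, $out . 'server.crt', false)) {
    fail('certificate export');
}
if (!openssl_csr_export_to_file($csr, $out . 'server.csr')) {
    fail('CSR export');
}
print "Written server.key, server.crt and server.csr to $out\n";
?>
```

Run it through Run.bat exactly as gen.php. The printed fingerprint is worth keeping: it is what you compare against the browser's certificate viewer to confirm the server is presenting the certificate you just generated. One caveat beyond this page: current browsers match the host name against the subjectAltName extension rather than the commonName, so for anything other than a local test the openssl.cnf extension section used for signing needs a subjectAltName entry.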
Line 449: Line 448:


For example, this extract from the Nano_5_6_7 httpd.conf:
<pre>
# Example:
# LoadModule foo_module modules/mod_foo.so
#

Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/ssleay32.dll"
Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/libeay32.dll"
Loadfile "C:/Nano_5_6_7/UniServer/usr/local/php/libmysql.dll"


LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
</pre>
It gives a saving of 1.51 MB.