How to set Issuer information (CA) to User-Certificate - using phpseclib?

I want to run my certificate authority with a PHP interface. As the backend, I want to use phpseclib. (Version 1.0.2 - https://sourceforge.net/projects/phpseclib/files/phpseclib1.0.2.zip/download)

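The CA root certificate was generated with openssl, and the script below should create a valid client certificate issued by my CA. The CSR part looks reasonable and the CSR is valid. But the part where I sign the certificate with my CA seems to fail. I get a certificate containing the user information, but no issuer is provided. I used the sample code from the website, so I don't know what to do. Any suggestions? Am I importing the CA certificate the wrong way?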

<?php
    set_include_path("../resources/library/");
    include('File/X509.php');
    include('Crypt/RSA.php');
    //show ALL errors
    error_reporting(E_ALL);
    ini_set('display_errors', 1); 

    // Create key pair.
    $rsa = new Crypt_RSA();
    $key = $rsa->createKey();
    $privkey = new Crypt_RSA();
    $privkey->loadKey($key['privatekey']);
    $pubkey = new Crypt_RSA();
    $pubkey->loadKey($key['publickey']);
    $pubkey->setPublicKey();

    // Create certificate request.
    $csr = new File_X509();
    $csr->setPrivateKey($privkey);
    $csr->setPublicKey($pubkey);
    $csr->setDN('CN=www.example.org');
    $csr->loadCSR($csr->saveCSR($csr->signCSR()));

    // Set CSR attribute.
    $csr->setAttribute('pkcs-9-at-unstructuredName', array('directoryString' => array('utf8String' => 'myCSR')), FILE_X509_ATTR_REPLACE);

    // Set extension request.
    $csr->setExtension('id-ce-keyUsage', array('encipherOnly'));

    // Generate CSR.

    file_put_contents('csr.pem',  $output= $csr->saveCSR($csr->signCSR()));
    echo $output . "\n";

    // Read certificate request and validate it.
    $csr = new File_X509();
    $csr->loadCSR(file_get_contents('csr.pem'));
    if ($csr->validateSignature() !== true) {
        exit("Invalid CSR\n");
    }

    // Alter certificate request.
    $csr->setDNProp('CN', 'www.example.org');
    //~ $csr->removeExtension('id-ce-basicConstraints');

    // Load the CA and its private key.
    $pemcakey = file_get_contents("../../myCA/cafile/ca.key");
    $cakey = new Crypt_RSA();
    $cakey->setPassword('rootca'); // !!!!!!
    $cakey->loadKey($pemcakey);
    $pemca = file_get_contents("../../myCA/cafile/ca.crt");
    $ca = new File_X509();
    $ca->loadX509($pemca);
    $ca->setPrivateKey($cakey);

    // Sign the updated request, producing the certificate.
    $x509 = new File_X509();
    $cert = $x509->loadX509($x509->saveX509($x509->sign($ca, $csr)));

    // Generate the certificate.
    echo $x509->saveX509($cert) . "\n";
?>

The example first outputs the CSR, then the generated certificate.


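I wrongly assumed that the output certificate did not contain the issuer. I used https://www.sslshopper.com/certificate-decoder.html for testing/decoding.

[SOLVED] - Using another decoder such as openssl, all the set information and the issuer are shown.

?! In some cases the decoder cannot read all the header information ?!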
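
The check that resolved this question, decoding with openssl instead of a web decoder, as an added example (not part of the original post): it prints the issuer and subject DNs of a certificate and confirms that the named CA really signed it. The function names, file names and the throwaway CA are constructed for illustration; an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example: confirm that a certificate names the expected CA as issuer
# and that the CA's key actually signed it. All names here are constructed.

# Print one DN field ("issuer" or "subject") of PEM certificate $2 in RFC 2253 form.
cert_dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Succeeds only if certificate $1 has a non-empty issuer DN equal to the
# subject DN of CA certificate $2, and its signature verifies against $2.
issued_by() {
    [ -n "$(cert_dn issuer "$1")" ] || return 1
    [ "$(cert_dn issuer "$1")" = "$(cert_dn subject "$2")" ] || return 1
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a throwaway CA, a client certificate signed by it, and an unrelated
# self-signed certificate (the negative case) inside directory $1.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.org" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/user.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}
```

For a certificate produced by the script above, `issued_by user.crt ca.crt` gives the answer independently of any web decoder, and `cert_dn issuer user.crt` shows the issuer DN that was written into it.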