How to set Issuer information (CA) to User-Certificate - using phpseclib?
I want to run my certificate authority with a PHP interface. As the backend I want to use phpseclib. (Version 1.0.2 - https://sourceforge.net/projects/phpseclib/files/phpseclib1.0.2.zip/download)
The CA root certificate was generated with openssl, and the script below should create a valid client certificate issued by my CA. The CSR part looks reasonable and the CSR is valid. But the part where I sign the certificate with my CA seems to fail. I get a certificate containing the user information, but the issuer is not provided. I used the example code from the website - so I don't know what to do.
Any suggestions? Did I import the CA certificate the wrong way?
<?php
set_include_path("../resources/library/");
include('File/X509.php');
include('Crypt/RSA.php');
//show ALL errors
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Create key pair.
$rsa = new Crypt_RSA();
$key = $rsa->createKey();
$privkey = new Crypt_RSA();
$privkey->loadKey($key['privatekey']);
$pubkey = new Crypt_RSA();
$pubkey->loadKey($key['publickey']);
$pubkey->setPublicKey();
// Create certificate request.
$csr = new File_X509();
$csr->setPrivateKey($privkey);
$csr->setPublicKey($pubkey);
$csr->setDN('CN=www.example.org');
$csr->loadCSR($csr->saveCSR($csr->signCSR()));
// Set CSR attribute.
$csr->setAttribute('pkcs-9-at-unstructuredName', array('directoryString' => array('utf8String' => 'myCSR')), FILE_X509_ATTR_REPLACE);
// Set extension request.
$csr->setExtension('id-ce-keyUsage', array('encipherOnly'));
// Generate CSR.
file_put_contents('csr.pem', $output = $csr->saveCSR($csr->signCSR()));
echo $output . "\n";
// Read certificate request and validate it.
$csr = new File_X509();
$csr->loadCSR(file_get_contents('csr.pem'));
if ($csr->validateSignature() !== true) {
exit("Invalid CSR\n");
}
// Alter certificate request.
$csr->setDNProp('CN', 'www.example.org');
//~ $csr->removeExtension('id-ce-basicConstraints');
// Load the CA and its private key.
$pemcakey = file_get_contents("../../myCA/cafile/ca.key");
$cakey = new Crypt_RSA();
$cakey->setPassword('rootca'); // !!!!!!
$cakey->loadKey($pemcakey);
$pemca = file_get_contents("../../myCA/cafile/ca.crt");
$ca = new File_X509();
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);
// Sign the updated request, producing the certificate.
$x509 = new File_X509();
$cert = $x509->loadX509($x509->saveX509($x509->sign($ca, $csr)));
// Generate the certificate.
echo $x509->saveX509($cert) . "\n";
?>
The example first outputs the CSR, then the generated certificate:
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
I wrongly assumed that the output certificate does not contain an issuer. I used https://www.sslshopper.com/certificate-decoder.html for testing/decoding.
[SOLVED] - Using another decoder like openssl, all set information + issuer are shown.
?! In some cases the decoder cannot read all header information ?!
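The lesson of the thread is that a third-party web decoder is not a reliable way to check what a CA actually issued. The following added example (it is not part of the question or of phpseclib's own documentation) checks the issued certificate with phpseclib 1.0.x itself: it registers the CA with loadCA(), compares the leaf's issuer DN with the CA's subject DN, and asks validateSignature() to verify the signature under that CA. The include path and the ca.crt location are taken from the question; the file name cert.pem for the issued certificate is an assumption.

```php
<?php
// Added example, not code from the question or from phpseclib.
// Assumes phpseclib 1.0.x on the include path used in the question, the CA
// certificate at ../../myCA/cafile/ca.crt, and the issued certificate saved
// to cert.pem (assumed file name; the question only echoes it to stdout).
set_include_path("../resources/library/");
include('File/X509.php');

function checkIssuedCertificate($caPem, $certPem)
{
    $x509 = new File_X509();
    // Register the CA so that validateSignature() can find the signer.
    if ($x509->loadCA($caPem) === false) {
        return array('ok' => false, 'reason' => 'CA certificate could not be parsed');
    }
    if ($x509->loadX509($certPem) === false) {
        return array('ok' => false, 'reason' => 'Issued certificate could not be parsed');
    }
    $subject = $x509->getDN(FILE_X509_DN_STRING);
    $issuer  = $x509->getIssuerDN(FILE_X509_DN_STRING);

    // The issuer DN on the leaf must be byte-for-byte the CA's subject DN.
    $ca = new File_X509();
    $ca->loadX509($caPem);
    $caSubject = $ca->getDN(FILE_X509_DN_STRING);
    if ($issuer !== $caSubject) {
        return array(
            'ok'     => false,
            'reason' => "issuer '$issuer' does not match CA subject '$caSubject'",
        );
    }

    // validateSignature() returns true only when the signature verifies under
    // one of the loaded CAs; false or NULL means it does not chain to this CA.
    if ($x509->validateSignature() !== true) {
        return array('ok' => false, 'reason' => 'signature does not verify against the CA');
    }
    return array('ok' => true, 'subject' => $subject, 'issuer' => $issuer);
}

$result = checkIssuedCertificate(
    file_get_contents("../../myCA/cafile/ca.crt"), // CA certificate, path from the question
    file_get_contents("cert.pem")                  // assumed: the issued certificate on disk
);
if ($result['ok']) {
    echo "OK: subject={$result['subject']} issuer={$result['issuer']}\n";
} else {
    echo "FAIL: {$result['reason']}\n";
}
?>
```

The same check from the command line, independent of phpseclib, is `openssl x509 -in cert.pem -noout -subject -issuer` to print both DNs and `openssl verify -CAfile ../../myCA/cafile/ca.crt cert.pem` to confirm the chain; if either of these disagrees with a web decoder, trust the local tooling.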