我正在尝试使用php生成私钥/公钥对。
服务器:Apache / 2.4.3(Win32)OpenSSL / 1.0.1c PHP / 5.4.7
操作系统是安装了所有Windows更新的Windows XP SP3。
我正在尝试执行以下脚本:
<?php
$ssl_path = getcwd();
$ssl_path = preg_replace('/\\\/','/', $ssl_path); // Replace \ with /
$config = array(
'config' => "$ssl_path/openssl.cnf",
'private_key_bits' => 1024,
'private_key_type' => OPENSSL_KEYTYPE_RSA
);
$dn = array(
"countryName" => "AT",
"stateOrProvinceName" => "Vienna",
"localityName" => "Cambs",
"organizationName" => "UniServer",
"organizationalUnitName" => "Demo",
"commonName" => "localhost",
"emailAddress" => "me@example.com"
);
$privateKey = openssl_pkey_new($config);
$csr = openssl_csr_new($dn, $privateKey, $config);
$sscert = openssl_csr_sign($csr, NULL, $privateKey, 365, $config);
openssl_pkey_export_to_file($privateKey, "C:/server.key", NULL, $config);
openssl_x509_export_to_file($sscert, "C:/server.crt", FALSE);
openssl_csr_export_to_file($csr, "C:/server.csr");
$keyDetails = openssl_pkey_get_details($privateKey);
file_put_contents('C:/public.key', $keyDetails['key']);
?>
这是我的openssl.cnf:
#######################################################################
# File name: openssl.cnf
# Created By: The Uniform Server Development Team
########################################################################
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ req ]
default_bits = 1024
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR fqdn)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"
当我尝试执行此脚本时,apache崩溃并重新启动。是什么导致了这个问题?
顺便说一句:如果我尝试使用phpseclib0.3.1 lib,会发生同样的错误。
非常感谢提前!
答案 0 :(得分:2)
根据我的经验,openssl_pkey_get_details()需要X.509证书来获取公钥 - 而不是私钥(尽管文档中说的是这样)。
使用phpseclib, a pure PHP X.509 implementation实际上可能更容易做到这一切。例如:
http://phpseclib.sourceforge.net/x509/examples.html#selfsigned
<?php
include('File/X509.php');
include('Crypt/RSA.php');
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDN(array(
"countryName" => "AT",
"stateOrProvinceName" => "Vienna",
"localityName" => "Cambs",
"organizationName" => "UniServer",
"organizationalUnitName" => "Demo",
"commonName" => "localhost",
"emailAddress" => "me@example.com"
));
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());
$x509 = new File_X509();
$result = $x509->sign($issuer, $subject);
$csr = $issuer->signCSR();
$csr = $x509->saveCSR($csr);
file_put_contents("C:/server.key", $privKey->getPrivateKey());
file_put_contents("C:/server.crt", $x509->saveX509($result));
file_put_contents('C:/public.key', $privKey->getPublicKey());
file_put_contents("C:/server.csr", $csr);
?>