Question

**好的，很明显，这个问题与Linux服务器上openssl的设置以及如何正确设置自定义openssl.cnf文件有关。我不是在寻找任何复杂的东西，但我需要一个前端能够创建自签名客户端证书，以便对我的webservice进行身份验证。因此，我需要能够使用我的CA为客户公司创建中间CA，然后允许他们使用安全接口为其员工颁发客户端证书。登录基于您是否属于特定的中间CA，以及您的证书或中间CA是否未被撤销。

对于任何想知道的人，我们可以使用自签名证书，因为它们仅用于我们的服务器来验证用户，因为我们发布它们，我们相信它们。对于初创公司而言，通过商业产品AFAIK建立自己作为中间CA的方式也太昂贵了。微软可以做到这一点，我们做不到。我们的网络服务器本身使用CA签名证书。

我知道用于设置此类事物的PHP代码是直截了当的，但不是如何正确设置openssl。我在网上尝试了几个不同的例子，它们似乎都不适用于我的设置，它们似乎都有所不同。一个盒子是全新安装的Centos 6.2，我仍然遇到错误。

有人能指出我设置openssl，apache2和php的正确方向，以便我可以使用这些php库而不会出错吗？我们的虚拟服务器正在使用debian squeeze，我可以完全控制安装的软件。

感谢。

open_pkey_new（）返回错误，例如错误：0E06D06C：配置文件例程：NCONF_get_string：无值。然而，我正在通过一个openssl.cnf文件的路径，所以我不知道为什么我仍然遇到这个问题。这是我的相关代码

<?php
$cwd=getcwd();
$distname= array(
    "countryName" => "CA",
    "stateOrProvinceName" => "Ontario",
    "localityName" => "Toronto",
    "organizationName" => "G4 Apps",
    "organizationalUnitName" => "Development",
    "commonName" => "Mark Lane",
    "emailAddress" => "nobody at gmail.com"
        );
$password = 'seanix';

$cacert_location=$cwd."/certs/CA/g4CA.crt";
$cakey_location=$cwd."/certs/CA/g4CA.key";
$cnf=$cwd.'/certs/myopenssl.cnf';
$configArgs = array(
        'config' =>$cnf
);
?>

这是我制作钥匙的功能。

<?php
function makekey($password,$configArgs) {
    $key= openssl_pkey_new($configArgs);
    //print_r($configArgs);
    openssl_pkey_export($key, $pkeyout,$password);
    if (($e=openssl_error_string()) ==false) return $pkeyout;
    else {
        do {

            echo $e . "<BR>";
        } while($e=openssl_error_string());
        return -1;
    }
}
?>

我已经尝试过相对路径到配置文件，它仍然无法正常工作。看起来它可能是主机提供商ssl设置。我切换到本地虚拟机，我得到了生成密钥，但现在我在创建csr时遇到了同样的错误。

错误：0E06D06C：配置文件例程：NCONF_get_string：无值

<?php
function newcsr($distname,$key,$configArgs) {
    $csr=openssl_csr_new($distname,$key,$configArgs);
    openssl_csr_export($csr, $csrout);
    if (($e=openssl_error_string()) ==false) return $csrout;
    else {
        do {

            echo $e . "<BR>";
        } while($e=openssl_error_string());
        return -1;
    }
}
?>

openssl.conf 这看起来是openssl.cnf中的错误所以我已经包含了该文件。

HOME            = .
RANDFILE        = $ENV::HOME/.rnd

oid_section     = new_oids


[ new_oids ]


tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca  = g4CA      

####################################################################
[ g4CA ]

dir     = /home/g4apps/secure.g4apps.com/generator/certs    
certs       = $dir/     
crl_dir     = $dir/crl      
database    = $dir/index.txt    


new_certs_dir   = $dir/newcerts     

certificate = $dir/CA/g4CA.crt  
serial      = $dir/serial       
crlnumber   = $dir/crlnumber    

crl     = $dir/CA/g4CA.crl  
private_key = $dir/CA/g4CA.key  
RANDFILE    = $dir/private/.rand    

x509_extensions = usr_cert      

name_opt    = ca_default        
cert_opt    = ca_default        


default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

policy      = policy_match


[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 2048
default_md      = md5
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

string_mask = utf8only

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = CA
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = ON

localityName            = Locality Name (eg, city)
localityName_default    = Toronto

0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = G4 Apps



organizationalUnitName      = Organizational Unit Name (eg, section)

commonName          = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_default        = lmlane@gmail.com
emailAddress_max        = 64


[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName        = An optional company name

[ usr_cert ]

nsComment           = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer



[ v3_req ]


basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true


[ crl_ext ]

authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE

nsComment           = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1   

[ tsa_config1 ]

dir             = ./demoCA      
serial      = $dir/tsaserial    
crypto_device   = builtin       
signer_cert = $dir/tsacert.pem  

certs       = $dir/cacert.pem   
signer_key  = $dir/private/tsakey.pem 
default_policy  = tsa_policy1       
other_policies  = tsa_policy2, tsa_policy3
digests     = md5, sha1     
accuracy    = secs:1, millisecs:500, microsecs:100  
clock_precision_digits  = 0 
ordering        = yes   

tsa_name        = yes   
ess_cert_id_chain   = no

堆栈追踪strace php getkeystore.php &> stack.trace

http://secure.g4apps.com/generator/stack.trace

Answer 1

我在Mac上尝试了这个并重新安装了CentOS 6.3，我也遇到了同样的错误。我从IUS获得了我的CentOS软件包。虽然很奇怪，但即使我收到此消息，实际上正在生成密钥。

以下代码：

$res = openssl_pkey_new();
openssl_pkey_export($res, $privkey);
var_dump(openssl_error_string());
var_dump($privkey);

给我以下输出：

string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
string(887) "-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDdh4FiOEtUZzvTSnlb/pJHjmsS9rOHQ7PU2WOO6ZHxYRIgK1NR
ReY7bBwEsT2ziUpx0b8K2Fx4m+XovzysB/lVrKbrdbHoVtGuJGZjYSXgFlCRTBu+
+TnAPUBF0LGJfxfVzjOkHzsh02lH3fvzFpFgRZRWs4za+vVzIweeOweYTwIDAQAB
AoGANZD5iS2BkZQw1COS+tqwtlrKq1g6CwAk8NfsCfeSkaJeRqcTS3iydjXrBHtz
JwGQnbsRDedJXOSdkE0Ft7dp44lijOAp1ngMDCKbabxVN2Go6b1d743HE0oIhFCC
Dv2B9kf9vzeYy+0/BVCs5i4iPoKXJJTSJrWoDxrFEJWSJIkCQQDwe39bOFHmQlxz
pbfT3DZ8Q311xFo6PewcAf7DTsikoPZANx0GQ41WdZj6/n4QVP4k+TnhZLiJzsH+
p3RUrx8tAkEA69LsgPrQMZ0YjsE2vjRLdJmp1916G1xqSLIVWDUPd9Ns+MA8YKTx
AQxC3dl3n+w24m7UlCThANlU/+2r0eoi6wJBAKIxGOdEJ/Cdp08UYNRR/Kl4t2A7
SwNnChylt9awByEJsqwCv9+epe+/Jqt6AzouqK31LXV4AgJn4W1IMWyAJA0CQCp0
6/2AqnD0PpKc+JUf5yHT9H8Xsb8xUTVLUopx6xoAp5LVUUl5CKbOpU85ss7JAUyc
9YrCZPv5JNN6379ILwcCQQDDcjtNnhQHukQQQ8iVL9YCrWzyCgplTz3uktueT+Dd
SDK1bCM4xDehfG3RKu1ZNx80Q0nzmi7FSPJ2md7qSIHc
-----END RSA PRIVATE KEY-----
"

我怀疑它是PHP中的一个错误。某种openssl配置PHP正在被挂起。我在php.net上发现了一个bug report，但是它开始工作了＃34;对于用户来说，错误已经关闭。

作为替代方案，您可以查看phpseclib，这是一个纯粹用PHP编写的库。

Answer 2

检查您的openssl.cnf是否有

default_md = md5

在其中，否则将其添加到cnf文件中，如果有帮助，请再试一次。

Answer 3

使用openssl_csr_new时，请确保第一个参数$ dn不包含空值的键。

例如，对openssl_csr_new的此调用将触发错误

0E06D06C:configuration file routines:NCONF_get_string:no value

<?php

$dn = [
    'CN' => 'example.com',
    'ST' => '',
    'C'  => '',
    'O'  => '',
];

openssl_csr_new($dn, $privKey);

Answer 4

我已经打了十二遍这个问题，所以我要花2美分：有效的/超级复杂的openssl.cnf由于（IMHO）PHP进行了一些向后的配置解析，因此可能导致多达10条警告。用力撞墙后，我做了一个垫片，以便OpenSSL和PHP可以和平共处。

不要破坏您的openssl.cnf，而是创建自己的骨架cnf并在其中包含默认值，就像这样：

import { ActivatedRoute } from '@angular/router';

constructor(private route: ActivatedRoute)

ngOnInit() {
  this.route.queryParams.subscribe(params => {
  if (params) {
    let queryParams = JSON.parse(params);
    console.log(queryParams)
  }
});
}

除了[req]部分以外，请随时删除所有注释以缩小文件大小。

以下是相应的PHP文件对此进行了测试：

#PHP shim for an otherwise beautiful openssl.cnf
#Notes:
# duplicate OID definitions fail
# duplicate OID usage generates a warning in most cases
# All duplicate sections/values are overlayed: PHP > shim > include > default
RANDFILE    = /dev/null #PHP warns if this doesn't exist
oid_file    = /dev/null #PHP warns if this doesn't exist
#PHP warns if oid_section isn't in the default section
#PHP warns if oid_section is used in another section (only on initialization)
oid_section = php_oids  #set an empty OID section
.include /etc/ssl/openssl.cnf    #include our working conf
[ req ]
  #included format differs from expected format
  attributes         = php_attr #openssl_csr_new()
  #not set in include
  encrypt_rsa_key    = yes #overriden by encrypt_key
  #uncomment to override include, or if otherwise unset
  #req_extensions     = php_req_extension #overridden by req_extensions
  #x509_extensions    = php_x509_extension #overridden by x509_extensions
  #default_bits       = 4096          #overridden by private_key_bits
  #default_md         = sha512        #overridden by digest_alg
  #string_mask        = utf8only      #overridden by string_mask
  #distinguished_name = php_distinguished_name #openssl_csr_new()
[ php_attr ] #empty attributes section
  #challengePassword = password
  #unstructuredName = i_prefer_structure
  ##NO *_min,*_max,*_default
  ##challengePassword         = A challenge password (6-20 characters)
  ##challengePassword_min     = 6
  ##challengePassword_max     = 20
  ##challengePassword_default = this_wont_work
[ php_oids ] #empty OID section (no duplicates in this section)
  #test_cert = 2.23.140.2.1
  ##NO short_id=long_id,id_num
  ##TEST = test_cert, 2.23.140.2.1
[ php_distinguished_name ] #empty DN section
  #commonName         = Common Name (CN)
  #commonName_min     = 1
  #commonName_max     = 63
  #commonName_default = this_works
  #streetAddress      = this_also_works
  #0.organizationalUnitName = this_actually_works
  #ONLY THE FIRST OID IS USED
  ##1.organizationalUnitName = this_is_silently_discarded
[ php_x509_extension ] #empty x509 extension section
  subjectKeyIdentifier   = hash #at least one value required
  #authorityKeyIdentifier = keyid:always
  #keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
  #basicConstraints       = critical, CA:true, pathlen:0
  #certificatePolicies    = ia5org, test_cert
  #authorityInfoAccess    = @ocsp_ext
  #crlDistributionPoints  = @crl_ext
  #tlsfeature             = status_request_v2
[ php_req_extension ] #empty req extension section
  subjectKeyIdentifier   = hash #at least one value required
  #keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
  #extendedKeyUsage       = critical, clientAuth, emailProtection
  #basicConstraints       = critical, CA:FALSE
  #certificatePolicies    = ia5org, test_cert
  #authorityInfoAccess    = @ocsp_ext
  #crlDistributionPoints  = crl_ext
  #tlsfeature             = status_request_v2
  #nsComment              = "OpenSSL 1.1.1c Generated Client Certificate"

希望这会有所帮助。

Answer 5

根据提到的the bug @Luke，我的结论是：

openssl_pkey_new（）没有返回值，因此是＆＃34; FALSE＆＃34; 。

var_dump（）只是说它返回一个OpenSSL密钥。

＆＃34;所以它有效 - ＆＃34; NCONF_get_string：没有价值＆＃34;只是某种通知。＆＃34; - vrana@php.net

openssl_csr_new（）（或许更多）有类似的行为。

Answer 6

在我的配置（FreeBSD，libressl 2.8，从端口构建的php）的[req]部分中，注释了“ default_bits”条目。

通过启用此配置条目，此问题已解决。

openssl_pkey_new（）抛出错误 - 正确的openssl.cnf设置为PHP

6 个答案: