Question

我试图通过PHP生成CSR。但是CA一直拒绝我的CSR，因为他们说它不是2048位而且没有密码保护。但是当我查看PHP文档中的openssl_csr_new（）函数时，我找不到怎么做？

我目前的代码：

$dn = array(
                   'countryName' => $countryName,
                   'stateOrProvinceName' => $stateOrProvinceName,
                   'localityName' => $localityName,
                   'organizationName' => $organizationName,
                   'commonName' => $commonName,
                   'emailAddress' => $emailAddress
               );

               if(!empty($organizationalUnitName))
               $dn['organizationalUnitName'] = $organizationalUnitName;

               $csrSettings = array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'encrypt_key' => true);

               // Generate a new private (and public) key pair
               $privkey = openssl_pkey_new($csrSettings);

               // Generate a certificate signing request
               $csr = openssl_csr_new($dn, $privkey, $csrSettings);
               openssl_csr_export($csr, $csrout);
               openssl_pkey_export($privkey, $pkeyout);

我做错了什么？

------更新代码：-------

$dn = array(
               'countryName' => $countryName,
               'stateOrProvinceName' => $stateOrProvinceName,
               'localityName' => $localityName,
               'organizationName' => $organizationName,
               'commonName' => $commonName,
               'emailAddress' => $emailAddress
           );

           if(!empty($organizationalUnitName))
           $dn['organizationalUnitName'] = $organizationalUnitName;

           $csrSettings = array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'encrypt_key' => true);

           // Generate a new private (and public) key pair
           $privkey = openssl_pkey_new($csrSettings);

           // Generate a certificate signing request
           openssl_pkey_export($privkey, $pkeyout, 'test 1235 aaaaa');

           $csr = openssl_csr_new($dn, $pkeyout, $csrSettings);
           openssl_csr_export($csr, $csrout);

Answer 1

使用phpseclib, a pure PHP CSR implementation，

<?php
include('File/X509.php');
include('Crypt/RSA.php');

$privKey = new Crypt_RSA();
extract($privKey->createKey(2048));
$privKey->loadKey($privatekey);

$x509 = new File_X509();
$x509->setPrivateKey($privKey);
$x509->setDNProp('id-at-organizationName', 'phpseclib demo cert');

$csr = $x509->signCSR();

echo $x509->saveCSR($csr);
?>

但是，您无法对CSR进行密码保护。您可以使用密码保护私钥，但无论如何都不应与CA共享私钥。

如果CA坚持要求您提供一个如何通过CLI使用OpenSSL执行此操作的示例。也许他们只是不清楚他们的意思，但有CLI命令会让我们确切知道。

Answer 2

您的订单完全错误，并且由于某种原因您执行了openssl_pkey_new()两次。我强烈建议您浏览文档并实际了解所有这些功能可以做什么，因为您的网站的安全性取决于它。这就是你想要的：

$dn = array(
    'countryName' => $countryName,
    'stateOrProvinceName' => $stateOrProvinceName,
    'localityName' => $localityName,
    'organizationName' => $organizationName,
    'commonName' => $commonName,
    'emailAddress' => $emailAddress
);

$csrSettings = array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'encrypt_key' => true);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new($csrSettings);

// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey, $csrSettings);

openssl_csr_export($csr, $csrout);
openssl_pkey_export($privkey, $pkeyout, "test 1235 aaaaa");

echo $csrout . "\n" . $pkeyout;

输出示例：

生成2048位和密码保护的csr？

2 个答案:

输出示例：