SoftLayer API: CSR validation when ordering a security certificate

Time: 2015-12-23 02:03:31

Tags: ssl-certificate ibm-cloud-infrastructure

I used the following openssl commands to create a CSR:

openssl genrsa -out mytestdomain.key 2048
openssl req -new -sha256 -key mytestdomain.key -out mytestdomain.csr

I tried to place a security certificate order from the SoftLayer customer portal, using the contents of the mytestdomain.csr file above in the "Enter Certificate Signing Request (CSR)" field, and I got this error message:

"Must match CSR Base64 encoded PEM format -----BEGIN CERTIFICATE REQUEST----- Base64 encoded string -----END CERTIFICATE REQUEST-----"

How do I generate a Base64-encoded PEM CSR with openssl?

If I enter a correct csr value from the sample file, I can see that the validation request SoftLayer performs is the following: https://control.softlayer.com/security/sslorders/validatecsr

and the response shows a valid email address, country/region and so on, like this: {"success":true,"result":{"X":"XX","xx":"XXXX,Europe","L":"XXXX City","O":"My Test","OU":"VPN","XX":"mytest.com","EMAILADDRESS":"test@mytest.com"}}

Question 2: What method can I use to validate a CSR and extract the information in it, similar to what the SoftLayer customer portal does?

2 answers:

Answer 0: (score: 0)

Regarding your questions:

Question 1: I followed the steps in this link and it worked for me:

https://www.instantssl.com/ssl-certificate-support/csr-generation/ssl-certificate-mod-ssl.html

This generates the .key and .csr files. You should supply the contents of the .csr file as the CSR.

Question 2: The SoftLayer_Security_Certificate_Request::validateCsr method helps validate a CSR.

Here is a PHP example:

<?php
/**
 * Validate Csr
 *
 * This script allows you to validate a Certificate Signing Request (CSR) required 
 * for an SSL certificate with the certificate authority (CA). This method sends the CSR, 
 * the length of the subscription in months, the certificate type, and the server type for 
 * validation against requirements of the CA. Returns true if valid.
 *
 * Important manual pages:
 * @see http://sldn.softlayer.com/reference/services/SoftLayer_Security_Certificate_Request/validateCsr
 *
 * @license <http://sldn.softlayer.com/wiki/index.php/license>
 * @author SoftLayer Technologies, Inc. <sldn@softlayer.com>
 */
// Composer autoloader for the SoftLayer PHP client (path relative to this script)
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Your SoftLayer API username and apiKey
 * @var string
 * @var string
 */
$apiUsername = 'set me';
$apiKey = 'set me';

/**
 * The encoded CSR data string
 * @var string
 */
$csr = "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"; // paste the full Base64 body between the armour lines

/**
 * The product item identifier for the type of SSL certificate
 * E.g: Item Id: 965 Description: RapidSSL - 2 year
 * @var int
 */
$itemId = 965;

/**
 * The type of server in which the certificate will be installed
 * @var string
 */
$serverType = "apache2";

/**
 * The length of the certificate subscription desired in months. Typically 12 or 24 months
 * @var int
 */
$validityMonths = 24;

// Create a SoftLayer API client object for "SoftLayer_Security_Certificate_Request" service
$client = \SoftLayer\SoapClient::getClient('SoftLayer_Security_Certificate_Request', null, $apiUsername, $apiKey);

try {
    $result = $client->validateCsr($csr, $validityMonths, $itemId, $serverType);
    print_r($result);
} catch (\Exception $e) {
    die('Unable to validate CSR: ' . $e->getMessage());
}

I hope this information helps you.

Answer 1: (score: 0)

I'm not sure which CSR types SoftLayer supports; if you want to know more about that, you can open a ticket. However, if you want to validate a CSR, you can try SSL Decoder, which is written in PHP. I also extracted a small portion of code from there to get the result you expect; try this:

<?php
/**
 * Globals used by the SSL Decoder helpers below. The original snippet referenced
 * them without defining them, so they are set here.
 */
$random_blurp = bin2hex(random_bytes(8)); // random token for temp file names
$timeout = 10;                            // seconds the openssl subprocess may run

/**
 * Function get_sans_from_csr
 *
 * Returns the subjectAltName entries (DNS and IP Address) of a PEM CSR.
 * Always returns an array (empty when there are no SANs or openssl fails),
 * so callers can safely call count() on the result.
 */
function get_sans_from_csr($csr) {
  global $random_blurp;
  global $timeout;
  $sans = array();
  $openssl_csr_output = '';
  //openssl_csr_get_subject doesn't support SAN names, so shell out to openssl.
  //sys_get_temp_dir() replaces the hard-coded C:/Csr/tmp of the original.
  $filename = sys_get_temp_dir() . "/csr-" . $random_blurp . "-" . gen_uuid() . ".csr.pem";
  $write_csr = file_put_contents($filename, $csr);
  if($write_csr !== FALSE) {
    //escapeshellarg() keeps the file name from being interpreted by the shell.
    $openssl_csr_output = trim((string) shell_exec("timeout " . (int) $timeout . " openssl req -noout -text -in " . escapeshellarg($filename) . " | grep -e 'DNS:' -e 'IP Address:'"));
    unlink($filename);
  }
  if($openssl_csr_output) {
    //openssl prints e.g. "DNS:a.example, IP Address:192.0.2.1". The original
    //explode()-based parsing mixed the two kinds up, and its "IP:" pattern
    //never matched openssl's "IP Address:" label.
    if(preg_match_all('/(?:DNS|IP Address):([^,\s]+)/', $openssl_csr_output, $matches)) {
      $sans = $matches[1];
    }
  }
  return $sans;
}

/**
 * Function csr_parse_json
 */
function csr_parse_json($csr) {
  // if csr or cert is pasted in form this function parses the csr or it send the cert to cert_parse.
  $result = array();
  if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) {
    $cert_data = openssl_csr_get_public_key($csr);
    if ($cert_data === false) {
      //malformed PEM armour or bad Base64: openssl could not parse the request
      return array("error" => "could not parse csr: " . openssl_error_string());
    }
    $cert_details = openssl_pkey_get_details($cert_data);
    $cert_key = $cert_details['key'];
    $cert_subject = openssl_csr_get_subject($csr);
    $result["subject"] = $cert_subject;
    $result["key"] = $cert_key;
    $result["details"] = $cert_details;
    if ($cert_details) {
      $result["csr_pem"] = $csr;
      $sans = get_sans_from_csr($csr);
      //the original tested count($sans) > 1, which silently dropped single-SAN CSRs
      if(count($sans) >= 1) {
        $result["csr_sans"] = $sans;
      }
    }
  } elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
    //cert_parse_json is part of SSL Decoder and is not included in this snippet
    if (function_exists('cert_parse_json')) {
      $result = cert_parse_json($csr, null, null, null, null, true);
    } else {
      $result = array("error" => "certificate parsing (cert_parse_json) not included");
    }
  } else {
    $result = array("error" => "data not valid csr");
  }
  return $result;
}

/**
 * Function gen_uuid
 *
 * Random version-4 style UUID, used only to make temp file names unique.
 */
function gen_uuid() {
  //from stack overflow.
  return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
    // 32 bits for "time_low"
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),
    // 16 bits for "time_mid"
    mt_rand( 0, 0xffff ),
    // 16 bits for "time_hi_and_version",
    // four most significant bits holds version number 4
    mt_rand( 0, 0x0fff ) | 0x4000,
    // 16 bits, 8 bits for "clk_seq_hi_res",
    // 8 bits for "clk_seq_low",
    // two most significant bits holds zero and one for variant DCE1.1
    mt_rand( 0, 0x3fff ) | 0x8000,
    // 48 bits for "node"
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff )
  );
}

// Define your csr (paste the full Base64 body between the armour lines)
$data = csr_parse_json("-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----");
// Print whole result
print_r($data);

// Print "subject" property from the result
if (isset($data["subject"])) {
  print_r($data["subject"]);
}

?>

All methods used in the script were extracted from SSL Decoder.
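The question's two openssl commands together with the checks both answers rely on, as an added example that is not part of the original question or answers and is not SoftLayer's or SSL Decoder's code: it generates the key and CSR non-interactively, confirms the file really is a Base64-encoded PEM CERTIFICATE REQUEST whose self-signature verifies (the format the portal error message asks for), and prints the subject fields and SAN entries locally, which is what the portal's validatecsr response echoes back. The subject values, domain names and temporary directory are constructed for the demo; it assumes a POSIX shell with OpenSSL 1.1.1 or later (needed for -addext).

```shell
#!/bin/sh
# Added example (not from the question or either answer): generate a PEM CSR
# with openssl, check that it is a valid Base64 PEM CERTIFICATE REQUEST, and
# extract the subject and SAN entries. Subject values and domain names are
# made up for the demo.
set -e

WORK="${TMPDIR:-/tmp}/csr-demo.$$"   # scratch directory, removed on exit
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
CSR="$WORK/mytestdomain.csr"

# The same two commands as the question, with -subj/-addext so nothing prompts.
gen_csr() {
  openssl genrsa -out "$WORK/mytestdomain.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/mytestdomain.key" -out "$1" \
    -subj "/C=US/ST=Texas/L=Dallas/O=My Test/OU=VPN/CN=mytest.com/emailAddress=test@mytest.com" \
    -addext "subjectAltName=DNS:mytest.com,DNS:www.mytest.com"
}

# Returns 0 if $1 is a PEM CSR: correct armour lines, decodable Base64 body and
# a self-signature that verifies. The "verify OK" text is checked rather than
# the exit status because OpenSSL 1.1.x exits 0 even on a signature failure.
validate_csr() {
  head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----$' || return 1
  tail -n 1 "$1" | grep -q '^-----END CERTIFICATE REQUEST-----$' || return 1
  out=$(openssl req -in "$1" -noout -verify 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'verify OK'
}

# Subject as one RFC 2253 line, e.g. "emailAddress=...,CN=mytest.com,OU=VPN,...".
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# One SAN per line ("DNS:..." or "IP Address:..."), taken from the -text dump,
# which is the same source the SSL Decoder snippet greps.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -E 'DNS:|IP Address:' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

gen_csr "$CSR"
if validate_csr "$CSR"; then
  echo "valid PEM CSR"
  echo "subject: $(csr_subject "$CSR")"
  echo "sans:"
  csr_sans "$CSR"
else
  echo "not a valid PEM CSR" >&2
  exit 1
fi
```

A CSR that was saved in DER form, or pasted with its armour lines or line breaks mangled, fails validate_csr at the first or third check respectively, which is the condition the portal message "Must match CSR Base64 encoded PEM format" describes; the fix on the client side is to paste the text file exactly as openssl wrote it, or to convert DER to PEM with openssl req -inform DER -outform PEM.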