我想使用PHP界面运行我的证书颁发机构。作为后端,我想使用phpseclib。 (版本1.0.2 - https://sourceforge.net/projects/phpseclib/files/phpseclib1.0.2.zip/download)
使用openssl生成CA根证书,以下脚本应创建由我的CA颁发的有效客户端证书。 CSR的部分看起来合理,CSR有效。但我用CA签署证书的部分似乎失败了。我获得了包含用户信息的证书,但没有给出发行人。我使用网站的示例代码 - 所以我不知道该怎么做。 有什么建议?我是否以错误的方式导入CA证书?
<?php
set_include_path("../resources/library/");
include('File/X509.php');
include('Crypt/RSA.php');
//show ALL errors
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Create key pair.
$rsa = new Crypt_RSA();
$key = $rsa->createKey();
$privkey = new Crypt_RSA();
$privkey->loadKey($key['privatekey']);
$pubkey = new Crypt_RSA();
$pubkey->loadKey($key['publickey']);
$pubkey->setPublicKey();
// Create certificate request.
$csr = new File_X509();
$csr->setPrivateKey($privkey);
$csr->setPublicKey($pubkey);
$csr->setDN('CN=www.example.org');
$csr->loadCSR($csr->saveCSR($csr->signCSR()));
// Set CSR attribute.
$csr->setAttribute('pkcs-9-at-unstructuredName', array('directoryString' => array('utf8String' => 'myCSR')), FILE_X509_ATTR_REPLACE);
// Set extension request.
$csr->setExtension('id-ce-keyUsage', array('encipherOnly'));
// Generate CSR.
file_put_contents('csr.pem', $output= $csr->saveCSR($csr->signCSR()));
echo $output . "\n";
// Read certificate request and validate it.
$csr = new File_X509();
$csr->loadCSR(file_get_contents('csr.pem'));
if ($csr->validateSignature() !== true) {
exit("Invalid CSR\n");
}
// Alter certificate request.
$csr->setDNProp('CN', 'www.example.org');
//~ $csr->removeExtension('id-ce-basicConstraints');
// Load the CA and its private key.
$pemcakey = file_get_contents("../../myCA/cafile/ca.key");
$cakey = new Crypt_RSA();
$cakey->setPassword('rootca'); // !!!!!!
$cakey->loadKey($pemcakey);
$pemca = file_get_contents("../../myCA/cafile/ca.crt");
$ca = new File_X509();
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);
// Sign the updated request, producing the certificate.
$x509 = new File_X509();
$cert = $x509->loadX509($x509->saveX509($x509->sign($ca, $csr)));
// Generate the certificate.
echo $x509->saveX509($cert) . "\n";
?>
示例首先输出CSR,然后输出生成的证书:
-----BEGIN CERTIFICATE REQUEST-----
MIIBiTCB9QIBADAaMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5vcmcwgZ0wCwYJKoZI
hvcNAQEBA4GNADCBiQKBgQC+usAlbhb2Te1NOqIJHPmeGc0TcFa9qJUP8PQIVGip
YMbv5s2uTjmYm8VfnB9lWgchQksDnx561gSILWkcQboWS6upPk4IHGTULOn6qBM7
wnODS4aua6MQghUSx9uImyRt4DjQBn/CUEM1bdcvm4YwJy87KAipH4GvNMOxIbB4
ZQIDAQABoDQwFAYJKoZIhvcNAQkCMQcMBW15Q1NSMBwGCSqGSIb3DQEJDjEPMA0w
CwYDVR0PBAQDAgABMAsGCSqGSIb3DQEBBQOBgQBZSBz87numzJY+SWhaXpER6g7c
cllwJAM5kGl0JptVyN63q6zzc4DM+SVpB3/M5DnuVrWs8+pRifUyJRBcCbo3KYt9
OwJBMO8wCAE7mTKUS/7G3RvAnHyXr3Vp6Ce+qygcmLGlGQ3dcDPeRtHZ5Bhx/j+K
4ZSgiyvE/AO2hm3iqw==
-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
MIIBgTCCAWugAwIBAgIUClioDCnX08a7h12xkdKPSdi6Op4wDQYJKoZIhvcNAQEF
BQAwFTETMBEGA1UEAxMKTXJvdHplayBDQTAeFw0xNjA3MDQxNTE2MjBaFw0xNzA3
MDQxNTE2MjBaMDQxGDAWBgNVBAMMD3d3dy5leGFtcGxlLm9yZzEYMBYGA1UEAwwP
d3d3LmV4YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+usAl
bhb2Te1NOqIJHPmeGc0TcFa9qJUP8PQIVGipYMbv5s2uTjmYm8VfnB9lWgchQksD
nx561gSILWkcQboWS6upPk4IHGTULOn6qBM7wnODS4aua6MQghUSx9uImyRt4DjQ
Bn/CUEM1bdcvm4YwJy87KAipH4GvNMOxIbB4ZQIDAQABozAwLjALBgNVHQ8EBAMC
AAEwHwYDVR0jBBgwFoAU4AZGByEnlMiUK2anCwjvl+9P8MMwDQYJKoZIhvcNAQEF
BQADAQA=
-----END CERTIFICATE-----
答案 0 :(得分:0)
我误认为输出证书不包含发行人。我使用https://www.sslshopper.com/certificate-decoder.html进行测试/解码。
<强> [解决] 强> - 使用另一个解码器,如openssl,所有设置信息+发行者都是 所示。
?在某些情况下,解码器正在弄乱读取所有标题信息?!