How do I set the issuer information (CA) on a user certificate with phpseclib?

Date: 2016-07-04 15:43:29

Tags: phpseclib

I want to run my certificate authority through a PHP interface. As the backend I want to use phpseclib (version 1.0.2 - https://sourceforge.net/projects/phpseclib/files/phpseclib1.0.2.zip/download).

I generated the CA root certificate with openssl; the following script should create a valid client certificate issued by my CA. The CSR part looks reasonable, and the CSR is valid. But the part where I sign the certificate with the CA seems to fail: I get a certificate containing the user information, but no issuer is given. I used the example code from the website, so I don't know what to do. Any suggestions? Am I importing the CA certificate the wrong way?

<?php
    set_include_path("../resources/library/");
    include('File/X509.php');
    include('Crypt/RSA.php');
    //show ALL errors
    error_reporting(E_ALL);
    ini_set('display_errors', 1); 

    // Create key pair.
    $rsa = new Crypt_RSA();
    $key = $rsa->createKey();
    $privkey = new Crypt_RSA();
    $privkey->loadKey($key['privatekey']);
    $pubkey = new Crypt_RSA();
    $pubkey->loadKey($key['publickey']);
    $pubkey->setPublicKey();

    // Create certificate request.
    $csr = new File_X509();
    $csr->setPrivateKey($privkey);
    $csr->setPublicKey($pubkey);
    $csr->setDN('CN=www.example.org');
    $csr->loadCSR($csr->saveCSR($csr->signCSR()));

    // Set CSR attribute.
    $csr->setAttribute('pkcs-9-at-unstructuredName', array('directoryString' => array('utf8String' => 'myCSR')), FILE_X509_ATTR_REPLACE);

    // Set extension request.
    $csr->setExtension('id-ce-keyUsage', array('encipherOnly'));

    // Generate CSR.
    $output = $csr->saveCSR($csr->signCSR());
    file_put_contents('csr.pem', $output);
    echo $output . "\n";

    // Read certificate request and validate it.
    $csr = new File_X509();
    $csr->loadCSR(file_get_contents('csr.pem'));
    if ($csr->validateSignature() !== true) {
        exit("Invalid CSR\n");
    }

    // Alter certificate request.
    $csr->setDNProp('CN', 'www.example.org');
    //~ $csr->removeExtension('id-ce-basicConstraints');

    // Load the CA and its private key.
    $pemcakey = file_get_contents("../../myCA/cafile/ca.key");
    $cakey = new Crypt_RSA();
    $cakey->setPassword('rootca'); // !!!!!!
    $cakey->loadKey($pemcakey);
    $pemca = file_get_contents("../../myCA/cafile/ca.crt");
    $ca = new File_X509();
    $ca->loadX509($pemca);
    $ca->setPrivateKey($cakey);

    // Sign the updated request, producing the certificate.
    $x509 = new File_X509();
    $cert = $x509->loadX509($x509->saveX509($x509->sign($ca, $csr)));

    // Generate the certificate.
    echo $x509->saveX509($cert) . "\n";
?>

The example first outputs the CSR, then the generated certificate:


1 Answer:

Answer 0 (score: 0)

I mistakenly believed that the output certificate did not contain the issuer. I used https://www.sslshopper.com/certificate-decoder.html for testing/decoding.

[SOLVED] - Using another decoder such as openssl, all the configured information plus the issuer is shown.

In some cases the decoder messes up reading all the header information?!
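Rather than trusting a web decoder, the issued certificate can be checked with phpseclib itself: confirm that the issuer DN equals the CA's subject DN and that the signature verifies against the CA. This is an added example, not code from the question or from phpseclib; it assumes the same include path as the question's script, that the signed certificate was saved to `cert.pem`, and the `ca.crt` location used above.

```php
<?php
// Added example (not part of the original post). Assumes phpseclib 1.0 is on
// the include path exactly as in the question's script.
set_include_path("../resources/library/");
include('File/X509.php');

// Returns an array describing the checks, or a string error message.
function check_issued_cert($certPem, $caPem)
{
    $ca = new File_X509();
    if ($ca->loadX509($caPem) === false) {
        return 'Could not parse CA certificate';
    }

    $x509 = new File_X509();
    // loadCA() registers the CA so validateSignature() can locate the issuer
    // by matching the certificate's issuer DN against the CA's subject DN.
    $x509->loadCA($caPem);
    if ($x509->loadX509($certPem) === false) {
        return 'Could not parse issued certificate';
    }

    $issuer  = $x509->getIssuerDN(FILE_X509_DN_STRING);
    $subject = $x509->getDN(FILE_X509_DN_STRING);
    $caDN    = $ca->getDN(FILE_X509_DN_STRING);

    return array(
        'subject'        => $subject,
        'issuer'         => $issuer,
        // A missing or wrong issuer DN shows up here, whatever a decoder displays.
        'issuer_matches' => ($issuer === $caDN),
        // Signature check against the loaded CA (not a self-signed check).
        'signature_ok'   => ($x509->validateSignature() === true),
        // notBefore/notAfter check against the current time.
        'dates_ok'       => ($x509->validateDate() === true),
    );
}

// Assumption: the script's certificate output was written to cert.pem.
$result = check_issued_cert(
    file_get_contents('cert.pem'),
    file_get_contents('../../myCA/cafile/ca.crt')
);
print_r($result);
```

If `issuer_matches` is true but `signature_ok` is false, the issuer DN was copied correctly but the certificate was signed with a key that does not belong to `ca.crt`.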