openssl_pkey_new() throws errors: correct openssl.cnf setup for PHP
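OK, so apparently this question is about setting up OpenSSL on a Linux server and how to properly set up a custom openssl.cnf file. I am not looking for anything complicated, but I need a front end to be able to create self-signed client certificates for authenticating to my web service. So I need to be able to use my CA to create intermediate CAs for client companies, and then allow them to issue client certificates to their employees using a secure interface. Login is based on whether you belong to a particular intermediate CA and whether your certificate or the intermediate CA has not been revoked.

For anyone wondering, we can use self-signed certificates because they are only used by our server to authenticate users, and since we issued them, we trust them. Also, for a startup, establishing ourselves as an intermediate CA through commercial offerings is too expensive, AFAIK. Microsoft can do it; we can't. Our web server itself uses a CA-signed certificate.

I know the PHP code for setting this kind of thing up is straightforward, but not how to set up OpenSSL properly. I have tried several different examples from the web, and none of them seem to work for my setup, and they all seem to be different. One of the boxes is a fresh install of CentOS 6.2 and I still get the error.

Can anyone point me in the right direction for setting up OpenSSL, Apache 2 and PHP so that I can use these PHP libraries without errors? Our virtual server runs Debian Squeeze, and I have full control over the installed software.

Thanks.

openssl_pkey_new() returns errors such as error:0E06D06C:configuration file routines:NCONF_get_string:no value. However, I am passing the path to an openssl.cnf file, so I don't know why I still have this problem. Here is my relevant code: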
<?php
$cwd=getcwd();
$distname= array(
"countryName" => "CA",
"stateOrProvinceName" => "Ontario",
"localityName" => "Toronto",
"organizationName" => "G4 Apps",
"organizationalUnitName" => "Development",
"commonName" => "Mark Lane",
"emailAddress" => "nobody at gmail.com"
);
$password = 'seanix';
$cacert_location=$cwd."/certs/CA/g4CA.crt";
$cakey_location=$cwd."/certs/CA/g4CA.key";
$cnf=$cwd.'/certs/myopenssl.cnf';
$configArgs = array(
'config' =>$cnf
);
?>
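Stack trace: strace php getkeystore.php &> Stack.trace

Check whether your openssl.cnf has
default_md = md5
If it helps, add it to the cnf file and try again.

I tried this on a Mac and on a fresh install of CentOS 6.3 and got the same error. I get my CentOS packages from IUS. It is strange, though, because even though I get this message, the key is actually generated. The following code: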
$res = openssl_pkey_new();
openssl_pkey_export($res, $privkey);
var_dump(openssl_error_string());
var_dump($privkey);
gives the following output:
string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
string(887) "-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
"
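I suspect this is a bug in PHP. Some kind of OpenSSL configuration is tripping PHP up. I found a report about this problem on php.net, but it "started working" for the user, so the bug was closed.

Alternatively, you could look at a library written purely in PHP.

Based on the above, my conclusion is:
openssl_pkey_new() does not return the value "FALSE"
var_dump() just says that it returns an OpenSSL key
So it works: "NCONF_get_string:no value" is just some kind of notice.

openssl_csr_new() (and probably others) behaves similarly.

When using openssl_csr_new, make sure that the first argument, $dn, does not contain keys with empty values. For example, the following call to openssl_csr_new will trigger the error 0E06D06C:configuration file routines:NCONF_get_string:no value: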
<?php
$dn = [
'CN' => 'example.com',
'ST' => '',
'C' => '',
'O' => '',
];
openssl_csr_new($dn, $privKey);
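
The two observations above (the call succeeds even though the error queue holds "no value", and empty DN values put entries into that queue) can be handled together. The following is an added example, not code from the question or the answers: it judges success by the return value, drains the queue around each call so stale entries are not misattributed, and strips empty DN values first. The helper names `drain_openssl_errors()` and `clean_dn()` and the option values are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or answers.
// drain_openssl_errors() and clean_dn() are hypothetical helper names.

/** Empty OpenSSL's error queue and return whatever was in it. */
function drain_openssl_errors(): array
{
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors;
}

/** Remove DN entries with empty values, which the answer above ties to "no value". */
function clean_dn(array $dn): array
{
    return array_filter($dn, function ($v) {
        return $v !== null && $v !== '';
    });
}

// Key type, size and digest given in the call rather than read from [req].
$options = [
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
    'digest_alg'       => 'sha256',
];

// Constructed sample input: same shape as the failing $dn above.
$dn = clean_dn(['CN' => 'example.com', 'ST' => '', 'C' => '', 'O' => '']);

drain_openssl_errors();                 // discard entries left by earlier calls
$pkey = openssl_pkey_new($options);
$pkeyNotes = drain_openssl_errors();    // entries queued by this call only
if ($pkey === false) {
    throw new RuntimeException('openssl_pkey_new failed: ' . implode('; ', $pkeyNotes));
}

$csr = openssl_csr_new($dn, $pkey, $options);
$csrNotes = drain_openssl_errors();
if ($csr === false) {
    throw new RuntimeException('openssl_csr_new failed: ' . implode('; ', $csrNotes));
}

// Both calls succeeded; anything queued is informational and is only logged.
foreach (array_merge($pkeyNotes, $csrNotes) as $note) {
    error_log("openssl notice (call succeeded): {$note}");
}
print_r(openssl_csr_get_subject($csr)); // show the resulting subject
```
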
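In my configuration (FreeBSD, LibreSSL 2.8, PHP built from ports), the "default_bits" entry in the [req] section was commented out.
Enabling this configuration entry resolved the problem.

I have answered this question a dozen times, so it is time to put in my 2 cents:
Because (IMHO) PHP does some backwards configuration parsing, an otherwise valid/super-complex openssl.cnf can cause as many as 10 warnings. After banging my head against the wall, I made a shim so that OpenSSL and PHP can coexist peacefully.
Rather than messing with your openssl.cnf, create your own skeleton cnf and include the default one in it, like this: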
#PHP shim for an otherwise beautiful openssl.cnf
#Notes:
# duplicate OID definitions fail
# duplicate OID usage generates a warning in most cases
# All duplicate sections/values are overlaid: PHP > shim > include > default
RANDFILE = /dev/null #PHP warns if this doesn't exist
oid_file = /dev/null #PHP warns if this doesn't exist
#PHP warns if oid_section isn't in the default section
#PHP warns if oid_section is used in another section (only on initialization)
oid_section = php_oids #set an empty OID section
.include /etc/ssl/openssl.cnf #include our working conf
[ req ]
#included format differs from expected format
attributes = php_attr #openssl_csr_new()
#not set in include
encrypt_rsa_key = yes #overridden by encrypt_key
#uncomment to override include, or if otherwise unset
#req_extensions = php_req_extension #overridden by req_extensions
#x509_extensions = php_x509_extension #overridden by x509_extensions
#default_bits = 4096 #overridden by private_key_bits
#default_md = sha512 #overridden by digest_alg
#string_mask = utf8only #overridden by string_mask
#distinguished_name = php_distinguished_name #openssl_csr_new()
[ php_attr ] #empty attributes section
#challengePassword = password
#unstructuredName = i_prefer_structure
##NO *_min,*_max,*_default
##challengePassword = A challenge password (6-20 characters)
##challengePassword_min = 6
##challengePassword_max = 20
##challengePassword_default = this_wont_work
[ php_oids ] #empty OID section (no duplicates in this section)
#test_cert = 2.23.140.2.1
##NO short_id=long_id,id_num
##TEST = test_cert, 2.23.140.2.1
[ php_distinguished_name ] #empty DN section
#commonName = Common Name (CN)
#commonName_min = 1
#commonName_max = 63
#commonName_default = this_works
#streetAddress = this_also_works
#0.organizationalUnitName = this_actually_works
#ONLY THE FIRST OID IS USED
##1.organizationalUnitName = this_is_silently_discarded
[ php_x509_extension ] #empty x509 extension section
subjectKeyIdentifier = hash #at least one value required
#authorityKeyIdentifier = keyid:always
#keyUsage = critical, digitalSignature, cRLSign, keyCertSign
#basicConstraints = critical, CA:true, pathlen:0
#certificatePolicies = ia5org, test_cert
#authorityInfoAccess = @ocsp_ext
#crlDistributionPoints = @crl_ext
#tlsfeature = status_request_v2
[ php_req_extension ] #empty req extension section
subjectKeyIdentifier = hash #at least one value required
#keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage = critical, clientAuth, emailProtection
#basicConstraints = critical, CA:FALSE
#certificatePolicies = ia5org, test_cert
#authorityInfoAccess = @ocsp_ext
#crlDistributionPoints = crl_ext
#tlsfeature = status_request_v2
#nsComment = "OpenSSL 1.1.1c Generated Client Certificate"
Apart from the [req] section, feel free to remove all of the comments to shrink the file.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = g4CA
####################################################################
[ g4CA ]
dir = /home/g4apps/secure.g4apps.com/generator/certs
certs = $dir/
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/CA/g4CA.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/CA/g4CA.crl
private_key = $dir/CA/g4CA.key
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = md5
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ON
localityName = Locality Name (eg, city)
localityName_default = Toronto
0.organizationName = Organization Name (eg, company)
0.organizationName_default = G4 Apps
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = lmlane@gmail.com
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./demoCA
serial = $dir/tsaserial
crypto_device = builtin
signer_cert = $dir/tsacert.pem
certs = $dir/cacert.pem
signer_key = $dir/private/tsakey.pem
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
digests = md5, sha1
accuracy = secs:1, millisecs:500, microsecs:100
clock_precision_digits = 0
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
Here is the corresponding PHP file to test this:
<?php
//Serial can't be our desired 20 byte random hex:
// [bin2hex(random_bytes(20))] is ideal
// [8 bytes] PHP_INT_MAX
// file a bug report?
//NO subjectAltName !!!!!
//ini_set('openssl.cafile','/etc/ssl/certs/my-ca.crt');
//ini_set('openssl.capath','/etc/ssl/certs/');
$pass='password';
$capass='capass';
/* it's best to set all of these values in PHP to avoid confusion */
$config=[
/*'digest_alg' =>'sha512', /*default_md*/ /*openssl_get_md_methods()*/
/*'private_key_bits'=>8192, /*default_bits*/
/*'encrypt_key' =>true, /*encrypt_key,encrypt_rsa_key*/
/*'string_mask' =>'utf8only', /*string_mask - undocumented*/
'x509_extensions' =>'x509_ext_orig', /*x509_extensions*/
'req_extensions' =>'usr_cert_orig', /*req_extensions*/
'private_key_type' =>OPENSSL_KEYTYPE_EC,
'encrypt_key_cipher'=>OPENSSL_CIPHER_AES_256_CBC,
'curve_name' =>'secp384r1', /*openssl_get_curve_names()*/
'config' =>'php-openssl.cnf' /* export OPENSSL_CONF=php-openssl.cnf */
];
/* all values here OVERWRITE any default DN value */
$dn=[
/*'name'=>'', //FAILS- NO EMPTY VALUES*/
'OU'=>'override_original_OU',
'surname'=>'new_surname'
];
/* all values here ADD to the default. this array can be multi-dimensional */
$csrargs=[
'surname'=>'additional_surname',
'OU'=>['second_OU','third_OU']
];
$pkargs=[
/*'extracerts'=>'',*/
'friendly_name'=>'php-cert'
];
while($err=openssl_error_string()) echo("openssl_init- {$err}\n");
if($pkey=openssl_pkey_new($config)){ /* create a new private key */
while($err=openssl_error_string()) echo("openssl_pkey_new- {$err}\n");
$csr=openssl_csr_new($dn,$pkey,$config,$csrargs); /* generate a csr */
while($err=openssl_error_string()) echo("openssl_csr_new- {$err}\n");
print_r(openssl_csr_get_subject($csr,true)); /* show the dn */
/* sign our CSR using the largest random serial we can */
$x509=openssl_csr_sign($csr,'file:///etc/ssl/certs/int-ca.crt',['file:///etc/ssl/private/int-ca.key',$capass],30,$config,random_int(72057594037927936,PHP_INT_MAX));
while($err=openssl_error_string()) echo("openssl_csr_sign- {$err}\n");
if($x509!==false){
openssl_pkcs12_export_to_file($x509 ,'/tmp/phpcert.pfx',$pkey,$pass,$pkargs); /* export the keypair as pfx */
while($err=openssl_error_string()) echo("openssl_pkcs12_export_to_file- {$err}\n");
openssl_pkey_export_to_file($pkey,'/tmp/phpcert.key',$pass,$config); /* export the private key */
while($err=openssl_error_string()) echo("openssl_pkey_export_to_file- {$err}\n");
openssl_pkey_free($pkey); /* free memory */
openssl_x509_export_to_file($x509,'/tmp/phpcert.crt',true); /* export the signed certificate */
openssl_x509_free($x509); /* free memory */
while($err=openssl_error_string()) echo("openssl_x509_export_to_file- {$err}\n");
}
}else{
while($err=openssl_error_string()) echo("openssl_pkey_new- {$err}\n");
}
?>
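Hope this helps.

This is more of a comment than an answer, don't you agree?

The answer is a comment that suggests a solution, don't you agree? :-)

Yes, but it is a possible solution; it does not provide solid guidance for resolving the situation. :-)

When N errors are possible, we can only give possible solutions, not solid guidance. The problem may not be just a coding problem; it could be an incorrectly created cnf, a corrupt OpenSSL installation, a PHP SSL support problem, a simple coding problem, and so on. So I don't see how what you are saying matters.

That is not the problem. The config file had default_md = sha1; I changed it to md5 but got the same result.

From the error message, it looks like a setting in openssl.cnf is missing or incorrect.

Is that definitely the complete error message? I have seen this before, with more after "no value" indicating the ini group where the error occurred. Have you tried running it from the command line with the same configuration to see whether you can get more information from that? You are sure the path to the config is correct, but have you double-checked the permissions to make sure it can actually be read?

There is no --verbose flag in my version of openssl. I tried from the command line and it seems to work. Generating keys works, using the same configuration. I had already fixed the path to the config file so that key generation works, so that is not it.

My mistake, it is -verbose; I was working from memory. openssl ca -verbose. Errors usually carry additional information. Like 7491:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358: unable to load CA private key. If it works via the command line, then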