Adding CA Certificates for the PHP Engine

This section provides a tutorial example on how to add self-signed certificates as trusted CA certificates for the PHP engine.

If a PHP application fails to connect to a remote computer because the server uses a self-signed certificate, you can define that certificate locally as a trusted CA certificate in several ways.

1. Add the self-signed certificate to the OS trusted CA certificate location. On a Linux/Mac computer, you can put it in the /etc/ssl/certs directory. You may want to call the openssl_get_cert_locations() function to see if the PHP engine uses that directory.

2. Add the self-signed certificate to a special directory like /share/trusted_certs where you store all CA certificates. Then define this directory as the "capath" in the php.ini file for the OpenSSL module. Remember to keep "cafile" empty, since it takes higher precedence than "capath". Note that OpenSSL looks up certificates in a "capath" directory by subject-name hash, so each certificate file must also be reachable under a name like <hash>.0; run "openssl rehash" (or the older c_rehash script) on the directory after adding a certificate.

herong$ sudo vi /etc/php.ini 

openssl.cafile=
openssl.capath=/share/trusted_certs

3. Keep the self-signed certificate in your home directory. Then modify your PHP application to pass it through the "cafile" SSL stream context option. See a full PHP script example in the next tutorial.

<?php
// Build an SSL stream context that verifies the server certificate
// against the self-signed certificate kept in the home directory.
$context = stream_context_create(array(
  'ssl' => array(
    'verify_peer' => true,
    'cafile' => '/home/herong/my-self-signed.crt'
  )
));

// Provide $context to the remote connection function call, e.g. as the
// context argument of fopen(), file_get_contents() or stream_socket_client().
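As an added diagnostic (not part of this tutorial, nor the full script in the next one), the PHP script below ties the three options together: it prints where this PHP engine looks for CA certificates, checks whether the self-signed certificate is installed under the hashed name a "capath" lookup requires, and then attempts a verified connection with the certificate passed as "cafile". The certificate path, host and port are assumed placeholders.

```php
<?php
// Added diagnostic example, not code from the tutorial: it shows where this
// PHP engine looks for trusted CA certificates, whether a self-signed
// certificate is installed in a form OpenSSL will actually find, and whether
// a verified TLS connection succeeds with that certificate as "cafile".
// Assumed placeholders: certificate path, host and port.
$certFile = '/home/herong/my-self-signed.crt';
$host = 'mail.herong.home';   // must match the CN or SAN in the certificate
$port = 465;

// 1. Where does this PHP engine look for trusted certificates?
$loc = openssl_get_cert_locations();
printf("ini cafile  : %s\n", $loc['ini_cafile'] ?: '(empty)');
printf("ini capath  : %s\n", $loc['ini_capath'] ?: '(empty)');
printf("default dir : %s\n", $loc['default_cert_dir']);

// 2. A "capath" directory is searched by subject-name hash, so the file must
//    also exist as <hash>.0 (what "openssl rehash" / c_rehash creates).
$pem = @file_get_contents($certFile);
$info = $pem === false ? false : openssl_x509_parse($pem);
if ($info === false) {
    exit("Cannot read $certFile as an X.509 certificate\n");
}
printf("subject     : %s\n", $info['name']);
printf("subject hash: %s\n", $info['hash']);
foreach (array_filter([$loc['ini_capath'], $loc['default_cert_dir']]) as $dir) {
    $hashed = "$dir/{$info['hash']}.0";
    printf("%s: %s\n", $hashed, file_exists($hashed) ? 'found' : 'missing');
}

// 3. Try a verified connection with the certificate passed as "cafile"
//    (method 3 above) and capture the peer certificate for display.
$context = stream_context_create(['ssl' => [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'cafile'            => $certFile,
    'capture_peer_cert' => true,
]]);
$client = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $context);
if ($client === false) {
    // A missing or wrong cafile ends up here with "certificate verify failed".
    $last = error_get_last();
    exit('Connection failed: ' . ($last['message'] ?? "$errstr ($errno)") . "\n");
}
$params = stream_context_get_params($context);
$peer = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
printf("verified peer: %s (issuer CN=%s)\n", $peer['name'], $peer['issuer']['CN'] ?? '?');
fclose($client);
```

If the "missing" line shows up for the directory you configured in step 2, the certificate is present but OpenSSL will not find it until the directory is rehashed.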

If the self-signed server certificate is not defined as a trusted CA certificate, you will get the "certificate verify failed" error as mentioned in the last tutorial.

By the way, you can verify the self-signed server certificate with the "openssl s_client" command line tool. For example, if the trusted certificate you provide matches the server certificate, you should see "Verify return code: 0 (ok)".

herong$ openssl s_client -connect 192.168.1.100:465 \
  -CAfile my-self-signed.crt 

...
subject=.../CN=mail.herong.home/...
issuer=.../CN=mail.herong.home/...
---
No client certificate CA names sent
---
SSL handshake has read 2822 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: F805A2978EB4713AB4C246861ED33DD989A663F5E6E2D800F7453FA...
    Session-ID-ctx: 
    Master-Key: 0C81F14776E166DFEC349D8155DEAE33A8DB1F66421C31E4F6D5321...
    Key-Arg   : None
    Start Time: 1653604339
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

...

If you do not provide any trusted certificate, or provide the wrong one, you will see "Verify return code: 18 (self signed certificate)".

herong$ openssl s_client -connect 192.168.1.100:465 

...
subject=.../CN=mail.herong.home/...
issuer=.../CN=mail.herong.home/...
---
No client certificate CA names sent
---
SSL handshake has read 2822 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BB678334A040939851C9C29C3251B3894646B10BF6520F4CD7F4895...
    Session-ID-ctx: 
    Master-Key: 83FDB88221FD0960A9BF1BB8015560F347B0315EE05AD0F47444259...
    Key-Arg   : None
    Start Time: 1653605003
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

...
