PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
Adding CA Certificates for the PHP Engine
This section provides a tutorial example on how to add self-signed certificates as trusted CA certificates for the PHP engine.
If a PHP application fails to connect to a remote computer because that computer uses a self-signed certificate, you can define the certificate locally as a trusted CA certificate in several ways.
1. Add the self-signed certificate to the OS trusted CA certificate location. On a Linux/Mac computer, you can put it in the /etc/ssl/certs directory. You may want to call the openssl_get_cert_locations() function to see whether the PHP engine actually uses that directory.
2. Add the self-signed certificate to a special directory like /share/trusted_certs where you store all CA certificates. Then define this directory as the "capath" in the php.ini file for the OpenSSL module. Remember to keep "cafile" empty, since it takes higher precedence than "capath".
herong$ sudo vi /etc/php.ini
openssl.cafile=
openssl.capath=/share/trusted_certs
3. Keep the self-signed certificate in your home directory. Then modify your PHP application to pass it through the "cafile" SSL stream context option. See a full PHP script example in the next tutorial.
$context = stream_context_create(array(
  'ssl' => array(
    'verify_peer' => true,
    'cafile' => '/home/herong/my-self-signed.crt'
  )
));
# Provide $context to the remote connection function call
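As an added example that is not part of this tutorial, the following PHP function applies option 3: it trusts the self-signed certificate through "cafile", verifies the peer name, fails closed if verification does not succeed, and returns the CN of the certificate the server actually presented. The host name, port and certificate path are placeholders to replace with your own values.

```php
<?php
// Added example (not from the tutorial): TLS connection that trusts a local
// self-signed certificate via "cafile" and refuses to proceed on any
// verification failure. Host, port and path below are placeholders.

function connect_with_trusted_cert(string $host, int $port, string $cafile, string $peerName): string
{
    if (!is_readable($cafile)) {
        throw new RuntimeException("CA file not readable: $cafile");
    }

    $context = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,      // verify the chain against cafile
            'verify_peer_name'  => true,      // CN/SAN must match peer_name
            'peer_name'         => $peerName, // needed when $host is an IP address
            'allow_self_signed' => false,     // trust comes from cafile only
            'cafile'            => $cafile,
            'capture_peer_cert' => true,      // keep the cert so we can inspect it
        ],
    ]);

    // ssl:// performs the TLS handshake immediately on connect (port 465 style).
    $fp = @stream_socket_client(
        "ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $context
    );
    if ($fp === false) {
        // A "certificate verify failed" message here means $cafile does not
        // contain the server's self-signed certificate.
        throw new RuntimeException("TLS connect failed ($errno): $errstr");
    }

    $params = stream_context_get_params($context);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);

    return $cert['subject']['CN'] ?? '(no CN)';
}

// Show where this engine looks by default, to decide between options 1 and 2.
print_r(openssl_get_cert_locations());

// Placeholder values: the IP and CN match the ones used in this tutorial.
echo connect_with_trusted_cert(
    '192.168.1.100', 465, '/home/herong/my-self-signed.crt', 'mail.herong.home'
), "\n";
```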
If the self-signed server certificate is not defined as a trusted CA certificate, you will get the "certificate verify failed" error mentioned in the last tutorial.
By the way, you can verify the self-signed server certificate with the "openssl s_client" command line tool. For example, if the trusted certificate you provide matches the server certificate, you should see "Verify return code: 0 (ok)".
herong$ openssl s_client -connect 192.168.1.100:465 \
   -CAfile my-self-signed.crt
...
subject=.../CN=mail.herong.home/...
issuer=.../CN=mail.herong.home/...
---
No client certificate CA names sent
---
SSL handshake has read 2822 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: F805A2978EB4713AB4C246861ED33DD989A663F5E6E2D800F7453FA...
    Session-ID-ctx:
    Master-Key: 0C81F14776E166DFEC349D8155DEAE33A8DB1F66421C31E4F6D5321...
    Key-Arg   : None
    Start Time: 1653604339
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
...
If you do not provide any trusted certificate, or provide the wrong one, you will see "Verify return code: 18 (self signed certificate)".
herong$ openssl s_client -connect 192.168.1.100:465
...
subject=.../CN=mail.herong.home/...
issuer=.../CN=mail.herong.home/...
---
No client certificate CA names sent
---
SSL handshake has read 2822 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BB678334A040939851C9C29C3251B3894646B10BF6520F4CD7F4895...
    Session-ID-ctx:
    Master-Key: 83FDB88221FD0960A9BF1BB8015560F347B0315EE05AD0F47444259...
    Key-Arg   : None
    Start Time: 1653605003
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
...