I use the following script to generate a new signed certificate:

<?php

error_reporting(E_ALL);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new();

// Generate a certificate signing request

$dn = array(
    "countryName" => "US",
    "stateOrProvinceName" => "Atlantis",
    "localityName" => "NeverEverLand",
    "organizationName" => "only me",
    "organizationalUnitName" => "blah",
    "commonName" => "bleh",
    "emailAddress" => "test@test.com"
);

$csr = openssl_csr_new($dn, $privkey);


$cacert = file_get_contents('ca.crt');
echo $cacert . "<BR/>";
echo "<BR/>";
$ca_key = file_get_contents('ca.key');
$cakey = array($ca_key, "mysecretpass");
echo $ca_key . "<BR/>";
echo "<BR/>";

$sscert = openssl_csr_sign($csr, $cacert, $cakey, 365);

var_dump($sscert);
echo "<BR/>";
echo "<BR/>";


openssl_pkey_export($privkey, $pkeyout, "mypassword"); var_dump($pkeyout);
echo "<BR/>";
echo "<BR/>";

openssl_csr_export($csr, $csrout); var_dump($csrout);
echo "<BR/>";
echo "<BR/>";
openssl_x509_export($sscert, $certout); var_dump($certout);
echo "<BR/>";
echo "<BR/>";

while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>

As you can see in the output, it can read ca.crt and ca.key. The passphrase is also correct (changed in the source above).

Here is the output of the script:

-----BEGIN CERTIFICATE----- MIIFGDCCAwACCQCO584jngEQdjANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV ... XZ8YaIOkiV4pEiR5 -----END CERTIFICATE----- 

-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,E616BBF003C1FA9D ... VCPNIOlGzmKUvDn0iMKE0KRmN8o3ip8oy4HKPZmuh4h+qznZdNF/pBTurqcNVN/P -----END RSA PRIVATE KEY----- 

bool(false) 

string(1834) "-----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIBX0RFXQVx+ICAggA Bfw= -----END ENCRYPTED PRIVATE KEY----- " 

string(1045) "-----BEGIN CERTIFICATE REQUEST----- MIICzDCCAbQCAQAwgYYxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhBdGxhbnRpczEW zZL71nx/8MgG8hyg63vRRJewb/cCIt1q9A4SwGB9iDe75CbR3ij3jHMftXUfvYhV -----END CERTIFICATE REQUEST----- " 

NULL 

So the command

openssl_csr_sign($csr, $cacert, $cakey, 365);

returns FALSE even though all input parameters are valid.

Using CentOS 6.4 / Apache/2.2.15 (CentOS) / mod_ssl/2.2.15

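An added example, not part of the original question and not the poster's code: the same key, CSR and CA-signing flow with every OpenSSL call checked on its own, so a failure is reported at the step that produced it and the CA key is never printed. It assumes PHP 7 or later with a usable openssl.cnf; the throwaway CA, its passphrase and the helper names `drain_errors()` and `must()` are constructed for illustration.

```php
<?php
// Added example: constructed values throughout, no files read from disk.

// Empty OpenSSL's error queue and return what was in it.
function drain_errors(): array {
    $errs = [];
    while (($e = openssl_error_string()) !== false) {
        $errs[] = $e;
    }
    return $errs;
}

// Hypothetical helper: stop at the first call that returns false and
// report only the errors queued since the previous step.
function must($value, string $step) {
    $errs = drain_errors();
    if ($value === false) {
        $why = $errs ? implode('; ', $errs) : 'no OpenSSL error queued';
        throw new RuntimeException("$step failed: $why");
    }
    return $value;
}

$opts   = ['digest_alg' => 'sha256', 'private_key_bits' => 2048,
           'private_key_type' => OPENSSL_KEYTYPE_RSA];
$caPass = 'constructed-ca-passphrase';

// Throwaway CA standing in for ca.crt / ca.key (self-signed: CA cert is null).
$caKey = must(openssl_pkey_new($opts), 'generate CA key');
$caCsr = must(openssl_csr_new(['commonName' => 'Constructed Test CA'], $caKey, $opts), 'build CA CSR');
$caX   = must(openssl_csr_sign($caCsr, null, $caKey, 30, $opts), 'self-sign CA');
must(openssl_x509_export($caX, $caCertPem), 'export CA certificate');
must(openssl_pkey_export($caKey, $caKeyPem, $caPass), 'export CA key');

// Parse and decrypt the CA material before it is used for signing.
$caCert = must(openssl_x509_read($caCertPem), 'parse CA certificate');
$caPriv = must(openssl_pkey_get_private($caKeyPem, $caPass), 'decrypt CA key');
must(openssl_x509_check_private_key($caCert, $caPriv), 'match CA key to CA certificate');

// Leaf key, CSR and CA-signed certificate, as in the question's script.
$key  = must(openssl_pkey_new($opts), 'generate key');
$csr  = must(openssl_csr_new(['commonName' => 'bleh'], $key, $opts), 'build CSR');
$cert = must(openssl_csr_sign($csr, $caCert, $caPriv, 365, $opts), 'sign CSR');
must(openssl_x509_export($cert, $certPem), 'export certificate');

$info = openssl_x509_parse($certPem);
printf("subject CN=%s, issuer CN=%s\n", $info['subject']['CN'], $info['issuer']['CN']);
```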