I use the following script to generate a new signed certificate:
<?php
error_reporting(E_ALL);
// Generate a new private (and public) key pair
$privkey = openssl_pkey_new();
// Generate a certificate signing request
$dn = array(
    "countryName" => "US",
    "stateOrProvinceName" => "Atlantis",
    "localityName" => "NeverEverLand",
    "organizationName" => "only me",
    "organizationalUnitName" => "blah",
    "commonName" => "bleh",
    "emailAddress" => "test@test.com"
);
$csr = openssl_csr_new($dn, $privkey);
$cacert = file_get_contents('ca.crt');
echo $cacert . "<BR/>";
echo "<BR/>";
$ca_key = file_get_contents('ca.key');
$cakey = array($ca_key, "mysecretpass");
echo $ca_key . "<BR/>";
echo "<BR/>";
$sscert = openssl_csr_sign($csr, $cacert, $cakey, 365);
var_dump($sscert);
echo "<BR/>";
echo "<BR/>";
openssl_pkey_export($privkey, $pkeyout, "mypassword"); var_dump($pkeyout);
echo "<BR/>";
echo "<BR/>";
openssl_csr_export($csr, $csrout); var_dump($csrout);
echo "<BR/>";
echo "<BR/>";
openssl_x509_export($sscert, $certout); var_dump($certout);
echo "<BR/>";
echo "<BR/>";
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>
As you can see in the output, it can read ca.crt and ca.key. The passphrase is also correct (changed in the source above).
This is the output of the script:
-----BEGIN CERTIFICATE----- MIIFGDCCAwACCQCO584jngEQdjANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV ... XZ8YaIOkiV4pEiR5 -----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,E616BBF003C1FA9D ... VCPNIOlGzmKUvDn0iMKE0KRmN8o3ip8oy4HKPZmuh4h+qznZdNF/pBTurqcNVN/P -----END RSA PRIVATE KEY-----
bool(false)
string(1834) "-----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIBX0RFXQVx+ICAggA Bfw= -----END ENCRYPTED PRIVATE KEY----- "
string(1045) "-----BEGIN CERTIFICATE REQUEST----- MIICzDCCAbQCAQAwgYYxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhBdGxhbnRpczEW zZL71nx/8MgG8hyg63vRRJewb/cCIt1q9A4SwGB9iDe75CbR3ij3jHMftXUfvYhV -----END CERTIFICATE REQUEST----- "
NULL
So the command
openssl_csr_sign($csr, $cacert, $cakey, 365);
returns FALSE even though all input parameters are valid.
Using CentOS 6.4 / Apache/2.2.15 (CentOS) / mod_ssl/2.2.15
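
Added example, not part of the original question: one way to narrow down which input openssl_csr_sign is rejecting is to validate the CA certificate, the CA key and their pairing separately, draining the OpenSSL error queue after each step instead of once at the end. The throwaway CA, the passphrase and the helper names check and drain_openssl_errors are constructed for illustration; with real files, the PEM strings would come from ca.crt and ca.key.

```php
<?php
// Added diagnostic sketch; helper names are hypothetical, not from the question.

// Collect and clear OpenSSL's error queue so each step reports only its own errors.
function drain_openssl_errors() {
    $errors = array();
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors;
}

// Report pass/fail for one step, plus whatever OpenSSL queued during it.
function check($label, $result) {
    $errors = drain_openssl_errors();
    echo ($result === false ? "FAIL" : "ok  ") . "  $label\n";
    foreach ($errors as $e) {
        echo "        $e\n";
    }
    return $result;
}

// Constructed stand-in for ca.crt / ca.key: a self-signed CA whose private
// key is exported encrypted, as the question's ca.key is.
$pass   = "example-passphrase"; // placeholder value
$caPriv = check("generate CA key", openssl_pkey_new());
$caCsr  = check("create CA CSR", openssl_csr_new(array("commonName" => "Example Test CA"), $caPriv));
$caX509 = check("self-sign CA", openssl_csr_sign($caCsr, null, $caPriv, 30));
openssl_x509_export($caX509, $caCertPem);
openssl_pkey_export($caPriv, $caKeyPem, $pass);
drain_openssl_errors();

// The checks themselves: validate each signing input on its own first.
$cert = check("CA certificate parses", openssl_x509_read($caCertPem));
$key  = check("CA key decrypts with passphrase", openssl_pkey_get_private($caKeyPem, $pass));
check("CA key matches CA certificate", openssl_x509_check_private_key($cert, $key));

// Only then sign a leaf CSR, passing the already-parsed certificate and key.
$leafPriv = check("generate leaf key", openssl_pkey_new());
$leafCsr  = check("create leaf CSR", openssl_csr_new(array("commonName" => "bleh"), $leafPriv));
$signed   = check("sign leaf CSR with CA", openssl_csr_sign($leafCsr, $cert, $key, 365));
```

The first step that prints FAIL, together with the error strings listed under it, identifies the input that the signing call cannot use.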