SoftLayer API: Order Security Certificate CSR validation

Posted by 五迷三道 on 2019-12-12 02:40:17

Question


I use the following openssl commands to generate a CSR:

openssl genrsa -out mytestdomain.key 2048
openssl req -new -sha256 -key mytestdomain.key -out mytestdomain.csr

I try to place a Security Certificate order from the SoftLayer customer portal using the above mytestdomain.csr value under "Enter Certificate Signing Request (CSR)", and I got an error message:

"Must match CSR Base64 encoded PEM Format ---BEGIN CERTIFICATE REQUEST--- Base64 Encoded String --End CERTIFICATE REQUEST ---

How do I use openssl to generate a Base64-encoded PEM CSR?

If I enter a correct csr value from a sample file, I can see SoftLayer does a validation request as: https://control.softlayer.com/security/sslorders/validatecsr

and the response shows valid email address, country such as : {"success":true,"result":{"X":"XX","xx":"XXXX, Europe","L":"XXXX City","O":"My Test","OU":"VPN","XX":"mytest.com","emailAddress":"test@mytest.com"}}

Question 2: Which method can I use to validate and extract information from a CSR, similar to what the SoftLayer customer portal uses?


Answer 1:


Regarding your questions:

Question 1: I followed the steps in this link and it works successfully for me:

https://www.instantssl.com/ssl-certificate-support/csr-generation/ssl-certificate-mod-ssl.html

This will generate .key and .csr files. You should specify the .csr file content for CSR.

Question 2: The SoftLayer_Security_Certificate_Request::validateCsr method will help to validate the CSR.

Here is a PHP example:

<?php
/**
 * Validate Csr
 *
 * This script allows you to validate a Certificate Signing Request (CSR) required 
 * for an SSL certificate with the certificate authority (CA). This method sends the CSR, 
 * the length of the subscription in months, the certificate type, and the server type for 
 * validation against requirements of the CA. Returns true if valid.
 *
 * Important manual pages:
 * @see http://sldn.softlayer.com/reference/services/SoftLayer_Security_Certificate_Request/validateCsr
 *
 * @license <http://sldn.softlayer.com/wiki/index.php/license>
 * @author SoftLayer Technologies, Inc. <sldn@softlayer.com>
 */
// Load the Composer autoloader relative to this script
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Your SoftLayer API username and apiKey
 * @var string
 * @var string
 */
$apiUsername = 'set me';
$apiKey = 'set me';

/**
 * The encoded CSR data string
 * @var string
 */
$csr = "-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----";

/**
 * The product item identifier for the type of SSL certificate
 * E.g: Item Id: 965 Description: RapidSSL - 2 year
 * @var int
 */
$itemId = 965;

 /**
 * The type of server in which the certificate will be installed
 * @var string
 */
$serverType = "apache2";

/**
 * The length of the certificate subscription desired in months. Typically 12 or 24 months
 * @var int
 */
$validityMonths = 24;

// Create a SoftLayer API client object for "SoftLayer_Security_Certificate_Request" service
$client = \SoftLayer\SoapClient::getClient('SoftLayer_Security_Certificate_Request', null, $apiUsername, $apiKey);

try {
    $result = $client->validateCsr($csr, $validityMonths, $itemId, $serverType);
    print_r($result);
} catch (\Exception $e) {
    die('Unable to validate CSR: ' . $e->getMessage());
}

I hope this information can help you.




Answer 2:


I'm not sure which types of CSR are supported by SoftLayer; you can submit a ticket if you want more information about it. However, if you want to validate the CSR, you can try this: SSL Decoder, which is based on PHP. I also extracted a small part of the code from there to get the result that you are expecting; try this:

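<?php
// $random_blurp and $timeout are globals defined elsewhere in SSL Decoder;
// the values below are assumed so that this excerpt runs on its own.
$random_blurp = mt_rand(1000, 99999);
$timeout = 2;

/**
 * Function get_sans_from_csr
 * Returns the DNS/IP subjectAltName entries of a CSR (empty array if none).
 */
function get_sans_from_csr($csr) {
  global $random_blurp;
  global $timeout;
  $sans = array();
  $openssl_csr_output = "";
  //openssl_csr_get_subject doesn't support SAN names.
  $filename = "C:/Csr/tmp/csr-" . $random_blurp . "-" . gen_uuid() . ".csr.pem";
  $write_csr = file_put_contents($filename, $csr);
  if($write_csr !== FALSE) {
    // escapeshellarg keeps the timeout and file name from being interpreted by the shell;
    // shell_exec returns null when grep finds nothing, hence the string cast.
    $openssl_csr_output = trim((string) shell_exec("timeout " . escapeshellarg($timeout) . " openssl req -noout -text -in " . escapeshellarg($filename) . " | grep -e 'DNS:' -e 'IP:'"));
    // Remove the temporary file only if it was actually written.
    unlink($filename);
  }
  if($openssl_csr_output) {

    $csr_san_dns = explode("DNS:", $openssl_csr_output);
    $csr_san_ip = explode("IP:", $openssl_csr_output);
    if(count($csr_san_dns) > 1) {
      foreach ($csr_san_dns as $key => $value) {
        if($value) {
          $san = trim(str_replace(",", "", str_replace("DNS:", "", $value)));
          array_push($sans, $san);
        }
      }
    }
    if(count($csr_san_ip) > 1) {
      foreach ($csr_san_ip as $key => $value) {
        if($value) {
          $san = trim(str_replace(",", "", str_replace("IP:", "", $value)));
          array_push($sans, $san);
        }
      }
    }
  }
  // Always return an array so callers can count() the result.
  return $sans;
}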

/**
 * Function csr_parse_json
 */
function csr_parse_json($csr) {
  // If a CSR or cert is pasted in the form, this function parses the CSR or sends the cert to cert_parse_json.
  global $random_blurp;
  global $timeout;
  $result = array();
  if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) {
    $cert_data = openssl_csr_get_public_key($csr);
    if ($cert_data === false) {
      // The PEM header is present but the body does not parse as a CSR.
      return array("error" => "data not valid csr");
    }
    $cert_details = openssl_pkey_get_details($cert_data);
    $cert_key = $cert_details['key'];
    $cert_subject = openssl_csr_get_subject($csr);
    $result["subject"] = $cert_subject;
    $result["key"] = $cert_key;
    $result["details"] = $cert_details;
    if ($cert_details) {
      $result["csr_pem"] = $csr;
      $sans = get_sans_from_csr($csr);
      // The SAN list may be empty (or null) when the CSR carries no SAN entries.
      if(!empty($sans)) {
        $result["csr_sans"] = $sans;
      }
    }
  } elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
    // cert_parse_json is part of SSL Decoder and is not included in this excerpt.
    $result = cert_parse_json($csr, null, null, null, null, true);
  } else {
    $result = array("error" => "data not valid csr");
  }
  return $result;
}

/**
 * Function gen_uuid
 */
function gen_uuid() {
  //from stack overflow.
  return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
    // 32 bits for "time_low"
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),
    // 16 bits for "time_mid"
    mt_rand( 0, 0xffff ),
    // 16 bits for "time_hi_and_version",
    // four most significant bits holds version number 4
    mt_rand( 0, 0x0fff ) | 0x4000,
    // 16 bits, 8 bits for "clk_seq_hi_res",
    // 8 bits for "clk_seq_low",
    // two most significant bits holds zero and one for variant DCE1.1
    mt_rand( 0, 0x3fff ) | 0x8000,
    // 48 bits for "node"
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff )
  );
}

// Define your csr
$data = csr_parse_json("-----BEGIN CERTIFICATE REQUEST-----
MIIC9DCCAdwCAQAwga4xCzAJBgNVBAYTAkJPMRMwEQYDVQQIDApDb2NoYWJhbWJh
MRMwEQYDVQQHDApDb2NoYWJhbWJhMRkwFwYDVQQKDBBSdWJlclRlc3RDb21wYW55
MRAwDgYDVQQLDAdzZWN0aW9uMR0wGwYDVQQDDBR3d3cucnViZXJjdWVsbGFyLmNv
bTEpMCcGCSqGSIb3DQEJARYacnViZXIuY3VlbGxhckBqYWxhc29mdC5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDw8QIBguC4qRsvb3I9K/2qO50g
zB3hEwb0DOCWa5LXUgpq3SHYohtlEdneUiRiYtn4ggO0NjZ4f4hfvQ9iZ10zH8/v
W7DeElvdJBP0dHEInuhKGP6wjieR2IkkPzsOTCeVJ6FOnxsC192qgXG0O8WjquKh
g6NZKdW0oLtl1/mWFixmWFwcjh7IUWZ/J0NpAlHBtDpYILRD84rHv1XK9GE1JUfO
euSwq6K0jRmK388Xt37bxFj5iMMpHXI55+LIpA9ZoV9NffCiGoohwp45QgEXdkfm
1NBGVXiGaQzn1HgnpdnYR05tAScOkqJ4yRkCUatE8q3F9+u8KM2e+mIxHeflAgMB
AAGgADANBgkqhkiG9w0BAQsFAAOCAQEA3TRZYZuhsQHmZ8anuMHawCcu6He5g3Yg
hpV4O06Knzblvdy9OvK1+jEPUEpTUGgyty0kU5WCru8+FL8+2/ycrUN8bisYDHlG
7KuzOuMxsz2/U/Vj3KAerv+/sIv2oDUN7otjA5smK6769gO1NjPPSXe/nDOPh3WC
YeRYRkLqCuTG6GfqmMK/o4vHrYXyxu6apvMId6PFmAEHqMZorebo8NyqvMA3pT1D
p+LuLZsqZWNsfX9iN31+PNCWvVKaDzF3z9vWmaDV61jiteRt0gOzun9GnRV2QRpS
5GjdY64A7dpB7VuVsnXePb5RbeWQQtMwwhuW01TzzlwB9yHwlel/hQ==
-----END CERTIFICATE REQUEST-----");
// Print whole result
print_r($data);

// Print "subject" property from the result
print_r($data["subject"]);

?>

All the methods used in the script were extracted from: SSL Decoder
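
A local pre-submission check with the openssl CLI, added here as an example (not from the original question or answers): `make_csr` generates the key and CSR non-interactively, and `check_csr` confirms the PEM framing, verifies the CSR's self-signature and prints the subject. The function names, return codes and subject values are assumptions made for this example; the strict header comparison is inferred from the portal's error message.

```shell
#!/usr/bin/env bash
# Added example: build a CSR non-interactively and check it locally before
# submitting it. Subject values, names and return codes are constructed here.

# make_csr <basename> <subject>: writes <basename>.key and <basename>.csr.
# "openssl req" writes PEM unless -outform DER is given.
make_csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1.key" -subj "$2" -out "$1.csr"
}

# check_csr <file>: prints the subject and returns 0 for a well-formed CSR.
#   2 = PEM framing is wrong, 3 = body does not parse or signature is bad.
check_csr() {
  local f=$1 out
  # Framing: five dashes each side and the "CERTIFICATE REQUEST" label.
  # DER (binary) files and the legacy "NEW CERTIFICATE REQUEST" label
  # (written by "openssl req -newhdr") stop here.
  tr -d '\r' < "$f" | head -n 1 |
    grep -qxF -e '-----BEGIN CERTIFICATE REQUEST-----' || return 2
  tr -d '\r' < "$f" | tail -n 1 |
    grep -qxF -e '-----END CERTIFICATE REQUEST-----' || return 2
  # Parse the request and verify its self-signature, which proves the
  # requester holds the private key. The exit status alone is not relied
  # on; the "verify OK" message is checked as well.
  out=$(openssl req -in "$f" -noout -verify 2>&1) || return 3
  printf '%s\n' "$out" | grep -q 'verify OK' || return 3
  # RFC 2253 formatting keeps the subject layout stable across versions.
  openssl req -in "$f" -noout -subject -nameopt RFC2253
}

# Demo in a scratch directory with a constructed subject.
demo_dir=$(mktemp -d)
make_csr "$demo_dir/mytestdomain" "/C=US/O=Example Org/CN=www.example.test" &&
  check_csr "$demo_dir/mytestdomain.csr"
```

A return code of 2 points at how the text was copied or encoded, while 3 means the request itself is damaged and should be regenerated from the key.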



Source: https://stackoverflow.com/questions/34427466/softlayer-api-order-security-certificate-csr-validation
