**Okay, It's become clear that this issue is an issue related with the setup of openssl on the Linux server and how to properly setup a custom openssl.cnf file. I am not looking for anything complicated but I need a front-end to be able to create self-signed client certificates for authentication to my webservice. So I need to be able to use my CA to create intermediate CAs for client companies and then allow them a secure interface to issue client certificates for their employees. Logins are based on whether you belong to a specific intermediate CA and that your certificate or the intermediate CA hasn't be revoked.
For anyone wondering, we can use self-signed certificates because they are only used for our server to authenticate users and since we issued them, we trust them. Also it would be way too expensive for a startup to establish themselves as an intermediate CA through the commercial offerings AFAIK. Microsoft can do that, we can't. Our webserver itself uses a CA signed certificate.
I know that php code for setting this kind of thing up is straight forward but what isn't is how to properly setup openssl. I have tried several different examples on the net and none of them seem to work for my setup and they all seem to be different. One box was fresh install of Centos 6.2 and I am still getting errors.
Can anyone point me in the proper direction for setting up openssl, apache2 and php so that I can use these php libraries without errors? Our virtual server is using debian squeeze and I have full control of software installed.
Thanks.
open_pkey_new() is returning errors such as error:0E06D06C:configuration file routines:NCONF_get_string:no value. Yet I am passing a path to a openssl.cnf file so I don't know why I'm still getting this problem. Here's my relevent code
<?php
$cwd=getcwd();
$distname= array(
"countryName" => "CA",
"stateOrProvinceName" => "Ontario",
"localityName" => "Toronto",
"organizationName" => "G4 Apps",
"organizationalUnitName" => "Development",
"commonName" => "Mark Lane",
"emailAddress" => "nobody at gmail.com"
);
$password = 'seanix';
$cacert_location=$cwd."/certs/CA/g4CA.crt";
$cakey_location=$cwd."/certs/CA/g4CA.key";
$cnf=$cwd.'/certs/myopenssl.cnf';
$configArgs = array(
'config' =>$cnf
);
?>
Here's my function that makes the keys.
<?php
function makekey($password,$configArgs) {
$key= openssl_pkey_new($configArgs);
//print_r($configArgs);
openssl_pkey_export($key, $pkeyout,$password);
if (($e=openssl_error_string()) ==false) return $pkeyout;
else {
do {
echo $e . "<BR>";
} while($e=openssl_error_string());
return -1;
}
}
?>
I've tried relative paths too to the configfile and it still won't work. Looks like it might be the host providers ssl setup. I switched to a local virtual machine and I got the key to generate but now I'm getting the same error when creating a csr.
error:0E06D06C:configuration file routines:NCONF_get_string:no value
<?php
function newcsr($distname,$key,$configArgs) {
$csr=openssl_csr_new($distname,$key,$configArgs);
openssl_csr_export($csr, $csrout);
if (($e=openssl_error_string()) ==false) return $csrout;
else {
do {
echo $e . "<BR>";
} while($e=openssl_error_string());
return -1;
}
}
?>
openssl.conf This looks to be an error in openssl.cnf so I've included the file.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = g4CA
####################################################################
[ g4CA ]
dir = /home/g4apps/secure.g4apps.com/generator/certs
certs = $dir/
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/CA/g4CA.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/CA/g4CA.crl
private_key = $dir/CA/g4CA.key
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = md5
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ON
localityName = Locality Name (eg, city)
localityName_default = Toronto
0.organizationName = Organization Name (eg, company)
0.organizationName_default = G4 Apps
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = lmlane@gmail.com
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./demoCA
serial = $dir/tsaserial
crypto_device = builtin
signer_cert = $dir/tsacert.pem
certs = $dir/cacert.pem
signer_key = $dir/private/tsakey.pem
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
digests = md5, sha1
accuracy = secs:1, millisecs:500, microsecs:100
clock_precision_digits = 0
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
Stack trace strace php getkeystore.php &> stack.trace
I tried this on my Mac and a fresh install of CentOS 6.3 and I'm getting the same error. I get my CentOS packages from IUS. It's weird though because even though I'm getting this message, the key is actually being generated.
The following code:
$res = openssl_pkey_new();
openssl_pkey_export($res, $privkey);
var_dump(openssl_error_string());
var_dump($privkey);
Gives me the following output:
string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
string(887) "-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDdh4FiOEtUZzvTSnlb/pJHjmsS9rOHQ7PU2WOO6ZHxYRIgK1NR
ReY7bBwEsT2ziUpx0b8K2Fx4m+XovzysB/lVrKbrdbHoVtGuJGZjYSXgFlCRTBu+
+TnAPUBF0LGJfxfVzjOkHzsh02lH3fvzFpFgRZRWs4za+vVzIweeOweYTwIDAQAB
AoGANZD5iS2BkZQw1COS+tqwtlrKq1g6CwAk8NfsCfeSkaJeRqcTS3iydjXrBHtz
JwGQnbsRDedJXOSdkE0Ft7dp44lijOAp1ngMDCKbabxVN2Go6b1d743HE0oIhFCC
Dv2B9kf9vzeYy+0/BVCs5i4iPoKXJJTSJrWoDxrFEJWSJIkCQQDwe39bOFHmQlxz
pbfT3DZ8Q311xFo6PewcAf7DTsikoPZANx0GQ41WdZj6/n4QVP4k+TnhZLiJzsH+
p3RUrx8tAkEA69LsgPrQMZ0YjsE2vjRLdJmp1916G1xqSLIVWDUPd9Ns+MA8YKTx
AQxC3dl3n+w24m7UlCThANlU/+2r0eoi6wJBAKIxGOdEJ/Cdp08UYNRR/Kl4t2A7
SwNnChylt9awByEJsqwCv9+epe+/Jqt6AzouqK31LXV4AgJn4W1IMWyAJA0CQCp0
6/2AqnD0PpKc+JUf5yHT9H8Xsb8xUTVLUopx6xoAp5LVUUl5CKbOpU85ss7JAUyc
9YrCZPv5JNN6379ILwcCQQDDcjtNnhQHukQQQ8iVL9YCrWzyCgplTz3uktueT+Dd
SDK1bCM4xDehfG3RKu1ZNx80Q0nzmi7FSPJ2md7qSIHc
-----END RSA PRIVATE KEY-----
"
I suspect it being a bug in PHP. Some sort of openssl configuration PHP is getting hung up on. I found a bug report about this on php.net, but it "started working" for the user so the bug was closed.
As an alternative, you can check out phpseclib, a library purely written in PHP.
Check if your openssl.cnf has
default_md = md5
in it, else add it to the cnf file and try again if that helps.
When using openssl_csr_new make sure the first parameter $dn does not contain keys with empty values.
For example, this call to openssl_csr_new would trigger the error
0E06D06C:configuration file routines:NCONF_get_string:no value
<?php
$dn = [
'CN' => 'example.com',
'ST' => '',
'C' => '',
'O' => '',
];
openssl_csr_new($dn, $privKey);
Based on the bug @Luke mentioned, my conclusion would be:
openssl_pkey_new() doesn't return a value and therefore is "FALSE".
var_dump() just says it returns an OpenSSL key.
"So it works - "NCONF_get_string:no value" is only some kind of notice." - vrana@php.net
openssl_csr_new() (and maybe more) have a similar behavior.
In my configuration (FreeBSD, libressl 2.8, php built from ports) in the section [ req ] the entry "default_bits" was commented out.
By enabling this configuration entry this issue was resolved.
来源:https://stackoverflow.com/questions/12060865/openssl-pkey-new-throwing-errors-proper-openssl-cnf-setup-for-php