Using openssl_pkcs12_export_to_file() - php

So I have read the PHP manual (HERE) but I'm not sure if it's does exactly what I think it is supposed to do. I need to convert a PFX certificate to a PEM. My question is, does either the above mentioned method or the openssl_pkcs12_export() method do what I need, or does it simply just export the information of the pkcs12 file?
To complete what I need to do, would I need to use the exec() method and use the appropriate openssl command, such as the one listed below:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Unless I am mistaken in your needs... You are just slightly off...
pkcs12 -in certificate.pfx -out certificate.pem -clcerts
You may also need to
pkcs12 -in certificate.pfx -out ca-certificate.pem -cacerts
-clcerts is only for client certificates
-cacerts is for non-client

Related

create a pdf certificate valid key for TCPDF

i try to create a signature certifications key and use him with this 3Party packege
https://github.com/tecnickcom/TCPDF
but all the time i get a InValid signature certifications
on adobe reader
i need a global signature certifications
i try to create a key from my mac terminal:
generate new .crt file, it's contained certificate & private key
openssl req -x509 -nodes -days 365000 -newkey rsa:1024 -keyout filename.crt -out filename.crt
convert .crt to binar .p12 file
openssl pkcs12 -export -in tcpdf.crt -out filename.p12
get private key from .p12 file, it will ask for passphrase/password, so the generated private key will be encrypted
openssl pkcs12 -in filename.p12 -nocerts -out filename.key
get certificate from .p12 file
openssl pkcs12 -in filename.p12 -clcerts -nokeys -out filename.crt
i try this to from adobe
https://helpx.adobe.com/il_he/acrobat/using/digital-ids.html
but im all the time get Invalid in adobe reader
like this:
enter image description here
how to create Valid signature certifications

.P12 Certificate in PHP cURL to an endpoint [duplicate]

i have to connect to a webservice, where a pkcs12 certificate is a must. the idea was to use curl in a bash script (under OS X, to be specific).
i have learnt that one of the few things curl cannot do in communication, is handling pkcs12 certificates (.p12). what are my options?
i have read that converting the certificate to PEM format would work (using openssl), however i have no idea how to tell curl that it gets a PEM and should communicate with a webservice requesting PKCS12 certificates.
converting pkcs12 to pem would be done like this (e.g.), it worked for me, however i haven't successfully used them with curl:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
any hints? or, any alternatives to curl? the solution should be commandline based.
I think you have already resolved but I had the same problem. I answer to share my solution.
If you have a .p12 file your approach is right.
First of all, you have to get the cert and the key separated from the p12 file.
As an example, if you have a mycert.p12 file execute
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Then you have to make the call to your url. For instance, assume that you want to get the WSDL of a specific web service
curl -E ./file.crt.pem --key ./file.key.pem https://myservice.com/service?wsdl
If the files file.crt.pem and file.key.pem are in your working folder "./" is mandatory.
Check if you have a newer curl. Newer versions can handle PKCS12 outright.
Tangentially, quote the password, or individually escape all shell metacharacters.
curl --cert-type P12 --cert cert.p12:'password' https://yoursite.com
bioffes answer is correct.
He was suggesting to do:
curl --cert-type P12 --cert cert.p12:password https://yoursite.com
For some reason that didn't work for me. I was getting:
curl could not open PKCS12 file
I just ended up exporting the p12 file without a password and ended up just using the following format.
curl --cert-type P12 --cert cert.p12 https://yoursite.com
You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and scroll down til you find the cert-type. Mine was like this:
--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.
If this option is used several times, the last one will be used.
(I don't believe cmmd + F works to text not visible in the terminal. So you have to scroll down.

Encrypt file using certificate resulting in 'Expecting PUBLIC KEY' [duplicate]

I am using the below openssl command for storing my public key into a .pem file.
openssl> x509 -in E:/mycert.pem -pubkey -out E:/mypubkey.pem
But when i try to use this command, it is storing the whole certificate info in the mypubkey.pem file.
I have seen that i can save my public key using
openssl> x509 -pubkey -noout -in cert.pem > pubkey.pem
But it is throwing an error. I can't use ">" operator.
There are a couple ways to do this.
First, instead of going into openssl command prompt mode, just enter everything on one command line from the Windows prompt:
E:\> openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
If for some reason, you have to use the openssl command prompt, just enter everything up to the ">". Then OpenSSL will print out the public key info to the screen. You can then copy this and paste it into a file called pubkey.pem.
openssl> x509 -pubkey -noout -in cert.pem
Output will look something like this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO
3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX
7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS
j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd
OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ
5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl
FQIDAQAB
-----END PUBLIC KEY-----
if it is a RSA key
openssl rsa -pubout -in my_rsa_key.pem
if you need it in a format for openssh , please see Use RSA private key to generate public key?
Note that public key is generated from the private key and ssh uses the identity file (private key file) to generate and send public key to server and un-encrypt the encrypted token from the server via the private key in identity file.
I am not sure why the other answers have such high upvotes. They do not solve the two problems presented in the question. A key point to the problem is the openssl command interpreter is being used and not the shell prompt.
Problem #1 - the certificate is written with the public key.
I am using the below openssl command for storing my public key into a
.pem file.
openssl> x509 -in E:/mycert.pem -pubkey -out E:/mypubkey.pem But when
i try to use this command, it is storing the whole certificate info in
the mypubkey.pem file.
The solution is to add the command argument -noout.
Problem #2 - ">" operator is not supported:
openssl> x509 -pubkey -noout -in cert.pem > pubkey.pem
But it is throwing an error. I can't use ">" operator.
The solution is to add the -out <filename> command parameter.
Solution:
openssl> x509 -pubkey -in cert.pem -noout -out pubkey.pem

PHP escapeshellarg messing up my password

$passphrase = "';__!!??()[]";
$passphrase = escapeshellarg($passphrase);
shell_exec("openssl\openssl.exe genrsa -des3 -passout pass:${passphrase} -out test.key 2048");
#Here the password works
echo system("openssl\openssl.exe rsa -in test.key -passin pass:${passphrase} -noout -text");
This code works fine to generate a key with openssl. I can also read the key without any problem. But when I want to read the key from the command line I'm unable to decrypt it. I use exactly the same command as in the code. The only difference is, that I copy the passphrase to the command line as it is written in the code. This always fails with a bad decrypt error.
How can I fix this issue?
Edit: To make this more clear. This does not work when run from terminal:
openssl\openssl.exe rsa -in test.key -passin pass:"';__!!??()[]" -noout -text
Why don't you use PHP's OpenSSL library instead of the shell?
http://php.net/manual/en/ref.openssl.php

How to extract certificate from p7b file in PHP

In command line I can successfully extract all 3 certificates from my p7b file:
openssl pkcs7 -in mscep.p7b -inform der -print_certs -outform PEM -out certfile.pem
Is there a way to do it also in PHP? I tried to search around , but only openssl_pkcs7_.... functions dealt with encryption and decryption.
Basically I need to extract CA root certificate from the chain I get back from MSCEP

Categories