I try to make a connection through SoapClient. I need a certificate for this. I received a .pfx certificate. I used the following command to create a .pem file.
openssl pkcs12 -in cert.pfx -out cert.pem -nodes
There is a password in the certificate so I need to enter it before I get the cert.pem file. So far so good, I think.
Now I try to connect to the WSDL service.
$url = "https://test.website.com/webservices/transfer.asmx?WSDL";
$cert = '/path/to/cert.pem';
$passphrase = "12345678";
$soapClient = new SoapClient($url, array('local_cert'=>$cert,'passphrase'=>$passphrase));
I get the following error:
(Warning) SoapClient::SoapClient(): Unable to set private key file `/var/www/vhosts/............./cert.pem'
I think the problem is the certificate. Is the way that I converted the .pfx to a .pem the correct way?
The problem you're running into is that a .pem certificate is always supposed to be an encrypted file. According to the OpenSSL docs for the pkcs12 command when you used -nodes it didn't encrypt anything, rather put each node into plain text, which caused the .pem certificate to be invalid and your SoapClient couldn't parse the invalid file.
To fix this, hopefully you haven't deleted the original cert.pfx, just re-convert it using this line:
openssl pkcs12 -in cert.pfx -out cert.pem -clcerts
and your cert.pem file will be correct.
Today I had this problem with an invalid Cert/Private combination, meaning the cert wasn't belonging to the specified key.
You can verify this problem using:
openssl rsa -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.crt | openssl md5
key and cert should return the same checksum. If not, somebody has mixed up some files.
The same procedure works for CSRs as well:
# and for a CSR
openssl req -noout -modulus -in server.csr | openssl md5
Related
I generate private.key with:
openssl genrsa -out private.key 2048.
From private key I generate public key with:
openssl rsa -in private.key -pubout -out public.key
With these keys oauth2 server creates authorization JWT
And I need that JWT payload contains issuer (iss).
On which step should I add it? And any ideas how to add it?
I would like to generate a certificate(self-signed at the moment) for an encrypted PDF on the server. What is interesting to me is the workflow on how to to that with TCPDF.
What I did:
1) Generate keys:
openssl req -x509 -nodes -days 365000 -newkey rsa:1024
openssl pkcs12 -export -in tcpdf.crt -out tcpdf.p12
2) Then generate the PDF with the .crt - file
3) Then I started acrobat reader and installed the certificate (tcpdf.p12). I used Document->security settings -> digital id
4) I could import the security settings but still can't open the PDF. Don't know if I am doing it right? What happens that acrobat reader 9.5.4 opens a dialog with input of a password. I give in the password and an error appears -> unknown error -> CRecipientList-218
5) Code I used (basically the same)
$certificate = 'file://../tcpdf.crt';
$info = array(
'Name' => 'TCPDF',
'Location' => 'Office',
'Reason' => 'Testing TCPDF',
'ContactInfo' => 'http://www.tcpdf.org',
);
$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info);
$pdf->SetProtection($permissions=array('print', 'copy'), $user_pass='', owner_pass=null, $mode=1, $pubkeys=array(array('c' => 'file://../tcpdf.crt', 'p' => array('print'))));
I combined the following examples:
http://www.tcpdf.org/examples/example_052.phps
http://www.tcpdf.org/examples/example_016.phps
P.S.: I know its a very practical example. Just thought its easier to understand the steps I am doing.
Questions:
Is the workflow in general right on how(!) to approach certificates for a PDF with encryption?
When I generate the .p12 file I have to give in a password for that file which I used later on when imported the certificate into acrobat. I'm asking because I have also the possibility "on generation" to give the password.
If the workflow is right...how do I fix the problem?
The approach is basically correct - but you may have missed some detail in it.
I have been using the certificate in *.crt format without the passphrase (including private and public key) and it works fine.
Also note, that you must have installed OpenSSL extension in PHP.
See the comments for method TCPDF::setSignature() by Nicola Asuni:
* To create self-signed signature: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout tcpdf.crt -out tcpdf.crt
* To export crt to p12: openssl pkcs12 -export -in tcpdf.crt -out tcpdf.p12
* To convert pfx certificate to pem: openssl pkcs12 -in tcpdf.pfx -out tcpdf.crt -nodes
You dont need to install any certificate into Acrobat Reader - generated PDF documents signed with self-signed certificates simply show up as untrusted, but still they can normally open.
I hope you also took a look at the comments ;)
there is a mini how to setup the pdf using provided file
especially:
// To open the document you need to install the private key (tcpdf.p12) on the Acrobat Reader. The password is: 1234
however, you need to provide setProtection with existing key:
'c' => 'file://../tcpdf.crt'
the path you given is just showing where you need to give the path, but the path itself need to be changed
Summary: please read again the comments in the example 016 file, they WILL help to get it working the way you need
I need to encrypt with private key and I'm attempting to do so with the following code:
$content = file_get_contents("file.key");
$plaintext = "14d9df79-8c4c-4380-8444-d31e1fd3f78a";
openssl_private_encrypt($plaintext, $encrypted, $content);
$transfer = base64_encode($encrypted);
echo "text encrypted is:" . $transfer; //encrypted string
I'm getting the error:
openssl_private_encrypt(): key param is not a valid private key in
Do I have to do something to the key file? It is binary.
First, try converting a key into PEM format using openssl:
openssl rsa -inform der -in file.key -outform pem -out filekey.pem
Next, extract the private key from the PEM file using openssl_pkey_get_private
$key = openssl_pkey_get_private(file_get_contents("filekey.pem"));
$plaintext = "14d9df79-8c4c-4380-8444-d31e1fd3f78a";
openssl_private_encrypt($plaintext, $encrypted, $key);
$transfer = base64_encode($encrypted);
echo "text encrypted is:" . $transfer; //encrypted string
I don't know of any x509 file format using a .key extension. There's pem (which is the format you need to load into openssl), DER (files may have .der, .crt or .cer extension) or PKCS#12 (.pfx .p12). It's probably DER or PKCS#12:
openssl pkcs12 -in file.key -out file.pem -nodes
...converts a PKCS#12 to file.pem,
openssl x509 -inform der -in file.key -out file.pem
...converts a DER file. They'll report an error if it's the wrong file format. OTOH you could just use the 'file' command to find out the file type. (this is assuming that you've got a Posix / Linux system - you didn't say).
Or you could just ask the person who gave it to you what format it is.
Solved
I just use the
openssl pkcs8 .....
command
hope this is useful to someone else
I am using TCPDF to sign PDF, but when running the example 52 I got this error:
Warning: openssl_pkcs7_sign() [function.openssl-pkcs7-sign]: error getting
private key in C:\xampp\htdocs\this\tcpdf\tcpdf.php on line 8366
Could you please tell me or guide me where is the problem. I am just running the example without changing anything. I am using xampp.
The problem is with the location from where it tries to access the private key. Instead of '' like in their example use 'file://'.( dirname(FILE)).'./path/to/file'. This worked for me.
I solved it by using:
$certificate = 'file://'.realpath('../tcpdf.crt');
When you create your own certificate use this:
/*
NOTES:
- To create self-signed signature: openssl req -x509 -nodes -days 365000 -newkey rsa:1024 -keyout tcpdf.crt -out tcpdf.crt
- To export crt to p12: openssl pkcs12 -export -in tcpdf.crt -out tcpdf.p12
- To convert pfx certificate to pem: openssl pkcs12 -in tcpdf.pfx -out tcpdf.crt -nodes
*/
Finally, after weeks ago, I found the solution. I just donwloaded the TCPDF 5.9 Version and it works :D if you wanna try, here's the link to download that version
link: https://sourceforge.net/code-snapshots/git/u/u/u/mynetx/tcpdf.git/u-mynetx-tcpdf-5828c0d80580cbad069988e2067ad5e37e1e98e7.zip
I have certificate that can see in browser - signed by VeriSign - G3
But when I try to read with openSSL(or in PHP) like pkcs12 or x509 or pkcs7 - error like:
openssl pkcs12 -in cert.to.test.cer -clcerts -nokeys -out mycert.crt
28685:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
28685:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:830:
28685:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=version, Type=PKCS12
What can be done to read parameters of certificate in PHP?
Thanks.
You can try
openssl x509 -in certificate.der -inform der -text -noout
May be it is DER encoded certificate