I am using this code to sign a file:
openssl_pkcs7_sign($in,$out,
cert.crt,
cert.key,
array(),
PKCS7_NOATTR
);
However it still appears as not verified when it is opened.
On the contrary, this openssl command works fine:
openssl smime -sign -in in -out out -signer cert.crt -inkey cert.key -certfile ca-bundle -outform der -nodetach
Why is the PHP code not working?
OK,
openssl_pkcs7_sign($in,$out,
cert.crt,
cert.key,
array(),
PKCS7_NOATTR,
"/real/path/of/ca/intermediate/cert/file.pem"
);
Did the trick. The last $extracerts arg uses a real path instead of file://
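Added example (not code from the original posts): the script below reproduces the "not verified" symptom with the openssl command line from the question. It builds a constructed root, intermediate and signer chain, signs with and without -certfile, and verifies as a recipient that trusts only the root. The -certfile option plays the role of the $extracerts argument of openssl_pkcs7_sign(); all file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Constructed demo data: a throwaway root -> intermediate -> signer chain.
d=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"

new_csr() {   # $1 = file prefix, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
issue() {     # $1 = subject prefix, $2 = issuer prefix, $3.. = extra x509 options
    s=$1; i=$2; shift 2
    openssl x509 -req -in "$d/$s.csr" -CA "$d/$i.crt" -CAkey "$d/$i.key" \
        -CAcreateserial -days 2 "$@" -out "$d/$s.crt" 2>/dev/null
}

new_csr root 'Demo Root'
openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
new_csr int 'Demo Intermediate'; issue int root -extfile "$d/ca.ext"
new_csr cert 'Demo Signer';      issue cert int
printf 'constructed test document\n' > "$d/in.txt"

# Sign like the working command from the question; $1 is an optional -certfile
# bundle. Then verify like a recipient whose trust store holds only the root.
sign_then_verify() {
    openssl smime -sign -in "$d/in.txt" -out "$d/out.p7" -signer "$d/cert.crt" \
        -inkey "$d/cert.key" ${1:+-certfile "$1"} -outform der -nodetach || return 2
    openssl smime -verify -inform der -in "$d/out.p7" -CAfile "$d/root.crt" \
        -out /dev/null 2>/dev/null
}

sign_then_verify ""           && echo "signer cert only:  verified" \
                              || echo "signer cert only:  NOT verified"
sign_then_verify "$d/int.crt" && echo "with intermediate: verified" \
                              || echo "with intermediate: NOT verified"
```

The first call fails because the recipient cannot build a path from the signer to the root; embedding the intermediate in the signature closes that gap.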
I have to connect to a webservice, where a pkcs12 certificate is a must. The idea was to use curl in a bash script (under OS X, to be specific).
I have learnt that one of the few things curl cannot do in communication is handling pkcs12 certificates (.p12). What are my options?
I have read that converting the certificate to PEM format would work (using openssl), however I have no idea how to tell curl that it gets a PEM and should communicate with a webservice requesting PKCS12 certificates.
Converting pkcs12 to PEM would be done like this (e.g.), it worked for me, however I haven't successfully used them with curl:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Any hints? Or any alternatives to curl? The solution should be command-line based.
I think you have already resolved this, but I had the same problem. I am answering to share my solution.
If you have a .p12 file your approach is right.
First of all, you have to get the cert and the key separated from the p12 file.
As an example, if you have a mycert.p12 file, execute:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Then you have to make the call to your URL. For instance, assume that you want to get the WSDL of a specific web service:
curl -E ./file.crt.pem --key ./file.key.pem https://myservice.com/service?wsdl
If the files file.crt.pem and file.key.pem are in your working folder, "./" is mandatory.
Check if you have a newer curl. Newer versions can handle PKCS12 outright.
Tangentially, quote the password, or individually escape all shell metacharacters.
curl --cert-type P12 --cert cert.p12:'password' https://yoursite.com
bioffes answer is correct.
He was suggesting to do:
curl --cert-type P12 --cert cert.p12:password https://yoursite.com
For some reason that didn't work for me. I was getting:
curl could not open PKCS12 file
I just ended up exporting the p12 file without a password and ended up just using the following format.
curl --cert-type P12 --cert cert.p12 https://yoursite.com
You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and scroll down until you find the cert-type. Mine was like this:
--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.
If this option is used several times, the last one will be used.
(I don't believe Cmd + F works on text not visible in the terminal, so you have to scroll down.)
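Added example (not from the original posts): the two extraction commands from the answers above, run against a constructed throwaway mycert.p12, followed by a check that the extracted key and certificate really belong together before they are handed to curl -E / --key. The password, subject and directory are demo values; reading the password with -passin env: and the umask are choices made for this example.

```shell
#!/bin/sh
umask 077    # files created below, including the unencrypted key, are owner-only
w=$(mktemp -d)
P12_PASS='constructed-demo-password'; export P12_PASS

# Constructed input: a throwaway self-signed client certificate packed as mycert.p12.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=demo client' \
    -keyout "$w/orig.key" -out "$w/orig.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$w/orig.key" -in "$w/orig.crt" \
    -out "$w/mycert.p12" -passout env:P12_PASS

# The two extraction commands from the answer. -passin env: keeps the password
# off the command line, where other users could read it from the process list.
split_p12() {   # $1 = PKCS#12 file, $2 = output prefix
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        -out "$2.key.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
        -out "$2.crt.pem" 2>/dev/null
}

# True when the private key and the certificate carry the same public key.
key_matches_cert() {   # $1 = key PEM, $2 = certificate PEM
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

split_p12 "$w/mycert.p12" "$w/file" &&
    key_matches_cert "$w/file.key.pem" "$w/file.crt.pem" &&
    echo "file.key.pem and file.crt.pem belong together"
ls -l "$w/file.key.pem"    # the -nodes key is stored unencrypted; check its mode
```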
I have the following running code on PHP7.
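// escapeshellarg() keeps spaces or shell metacharacters in the paths from changing the command
$command = "openssl smime -verify -inform DER -in ".escapeshellarg($path)." -noverify -out ".escapeshellarg(PATH_XML_EXTRACT.$filename_output);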
exec( $command, $output, $return_var );
The openssl command creates the file properly. Can I avoid storing the message content in the output file? I want to get the message as a string (for example in the $output variable) and manage the flow in memory (no writing to disk).
Any suggestions?
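Added example (not from the original post): openssl smime -verify writes the embedded content to stdout when -out is omitted, so the caller can capture it without a temporary file. The script also shows what -noverify gives up by comparing it with verification against a trusted CA file; the certificates, the payload and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed input: two throwaway self-signed certificates and one DER message
# signed (non-detached) by the first of them.
t=$(mktemp -d)
for n in signer other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo $n" \
        -keyout "$t/$n.key" -out "$t/$n.crt" 2>/dev/null
done
printf '<doc>constructed payload</doc>\n' |
    openssl smime -sign -signer "$t/signer.crt" -inkey "$t/signer.key" \
        -outform der -nodetach -binary -out "$t/msg.der"

# The command from the question minus -out: the content goes to stdout and the
# "Verification successful" status line to stderr. -noverify skips the check of
# the signer's certificate, so a message from any signer is accepted.
extract_noverify() {   # $1 = DER file
    openssl smime -verify -inform DER -in "$1" -noverify 2>/dev/null
}

# Same extraction, but the signer must chain to a CA in $2. Use the output only
# when the exit status is 0.
extract_trusted() {    # $1 = DER file, $2 = trusted CA file
    openssl smime -verify -inform DER -in "$1" -CAfile "$2" 2>/dev/null
}

xml=$(extract_trusted "$t/msg.der" "$t/signer.crt") &&
    printf 'trusted signer: %s\n' "$xml"
extract_trusted "$t/msg.der" "$t/other.crt" >/dev/null ||
    echo "unknown signer: rejected"
extract_noverify "$t/msg.der" >/dev/null &&
    echo "-noverify: accepted without a certificate check"
```

Run through PHP's exec(), the same command line without -out leaves the content lines in $output and the exit status in $return_var.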
My OpenSSL command is not working, which I am running through PHP's exec() function.
The error that is outputted is "1".
OpenSSL is enabled and working.
Here is the command:
$openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
"-outform der -nodetach -binary <<_EOF_\n$data\n_EOF_\n) | " .
"$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";
exec($openssl_cmd, $output, $error);
I am running the latest version of XAMPP and running on Windows 10.
Thanks in advance!
EDIT:
Here is the full command when outputted as die($openssl_cmd); in PHP:
(C:/xampp/apache/bin/openssl.exe smime -sign -signer C:\xampp\[redacted]\paypal\pubcert.pem -inkey C:\xampp\[redacted]\paypal\prvkey.pem -outform der -nodetach -binary <<_EOF_ cmd=_xclick amount=[redacted] item_number=[redacted] discount_rate=0 item_name=[redacted] notify_url=https://www.REDACTED.net/paypal/ipn business=REDACTED cert_id=REDACTED currency_code=USD no_shipping=1 bn=domain.PHP_EWP2 _EOF_ ) | C:/xampp/apache/bin/openssl.exe smime -encrypt -des3 -binary -outform pem C:\xampp\[redacted]\paypal\paypal_cert.pem
EDIT:
I am using https://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php as a guide.
To execute a Linux-style command in Windows, something that uses piping and file redirection, it is possible to run the command using the Windows PowerShell.
For example, in this case, you would execute it via the PowerShell by executing something similar to this:
powershell -Command "(C:/xampp/apache/bin/openssl.exe smime -sign -signer C:\xampp\[redacted]\paypal\pubcert.pem -inkey C:\xampp\[redacted]\paypal\prvkey.pem -outform der -nodetach -binary <<_EOF_ cmd=_xclick amount=[redacted] item_number=[redacted] discount_rate=0 item_name=[redacted] notify_url=https://www.REDACTED.net/paypal/ipn business=REDACTED cert_id=REDACTED currency_code=USD no_shipping=1 bn=domain.PHP_EWP2 _EOF_ ) | C:/xampp/apache/bin/openssl.exe smime -encrypt -des3 -binary -outform pem C:\xampp\[redacted]\paypal\paypal_cert.pem"
So I have read the PHP manual (HERE) but I'm not sure if it does exactly what I think it is supposed to do. I need to convert a PFX certificate to a PEM. My question is, does either the above mentioned method or the openssl_pkcs12_export() method do what I need, or does it simply just export the information of the pkcs12 file?
To complete what I need to do, would I need to use the exec() method and use the appropriate openssl command, such as the one listed below:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
Unless I am mistaken in your needs... You are just slightly off...
pkcs12 -in certificate.pfx -out certificate.pem -clcerts
You may also need to
pkcs12 -in certificate.pfx -out ca-certificate.pem -cacerts
-clcerts is only for client certificates
-cacerts is for non-client
In command line I can successfully extract all 3 certificates from my p7b file:
openssl pkcs7 -in mscep.p7b -inform der -print_certs -outform PEM -out certfile.pem
Is there a way to do it also in PHP? I tried to search around, but only openssl_pkcs7_.... functions dealt with encryption and decryption.
Basically I need to extract the CA root certificate from the chain I get back from MSCEP.