如何使用 PHP 创建证书以与 SOAP 客户端连接

Question

Provider has SOAP server in.Net environment and I have to connect to it with PHP.

Given initial paths

$serviceUri = 'https://provider.com/service.svc';
$singleWsdl = 'https://provider.com/service.svc?singlewsdl';

these URLs can only be accessed through browser after selecting my personal certificate (signature) for login.

I have my personal certificate in the form me.pfx and I used the following commands to generate private and public key separately.

$ openssl pkcs12 -in me.pfx -nocerts -nodes -out me.key
$ openssl rsa -in me.key -out me_private.key
$ openssl rsa -in me.key -pubout -out me_public.key
$ openssl pkcs8 -topk8 -inform PEM -in me_private.key -outform PEM -nocrypt

Then I copied the last output, create a new text file me_private_pkcs8.key , and pasted said output in.

Provider gave my user profile full privileges so I should be able to access the WSDL.

Either I used the wrong way to create key pair (from above):

$localCert = "me_public.key";
$localKey  = "me_private_pkcs8.key";

, or I am calling SoapClient the wrong way. I have tried several ways:

$soapClient = new \SoapClient($singleWsdl);

$soapClient = new \SoapClient($singleWsdl, [
    'local_cert' => $localCert,
    'passphrase' => '',
]);

$context = stream_context_create([
    "ssl" => [
        "local_cert" => $localCert,
        "local_pk"   => $localKey,
    ]
]);

$soapClient = new \SoapClient($singleWsdl, ["context" => $context]);

$opts = [
    'ssl' => [
        'ciphers' => 'RC4-SHA',
        'verify_peer' => false,
        'verify_peer_name' => false,
    ]
];
// SOAP 1.2 client
$params = [
    'encoding' => 'UTF-8',
    'verifypeer' => false,
    'verifyhost' => false,
    'soap_version' => SOAP_1_1,
    'trace' => 1,
    'exceptions' => 1,
    "connection_timeout" => 180,
    'stream_context' => stream_context_create($opts),
    'local_cert' => $localCert,
    'passphrase' => '',
];

$soapClient = new \SoapClient($singleWsdl, $params);

$soapClient = new \SoapClient($singleWsdl, [
    'soap_version' => 'SOAP_1_2',
    'location' => $serviceUri,
    'local_cert' => $localCert,
]);

$contextOptions = [
    'ssl' => [
        'local_cert' => $localCert,
        'local_pk' =>  $localKey,
        'SNI_enabled' => true,
        'peer_name' => $serviceUri,
    ]
];

$options = [
    "soap_version" => SOAP_1_2,
    "features" => SOAP_SINGLE_ELEMENT_ARRAYS,
    "stream_context" => stream_context_create($contextOptions),
];

$soapClient = new \SoapClient($singleWsdl, $options);

and they all result in a Fatal Error:

SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://provider.com/service.svc?singlewsdl' : failed to load external entity "https://provider.com/service.svc?singlewsdl" in C:\laragon\www\test-soap\private\test.php:27 Stack trace: #0 C:\laragon\www\test-soap\private\test.php(27): SoapClient->__construct('https://provide...') #1 {main}

Answer 1

Finally figured it out after 3 active days of searching. At least it worked for me.

GitBash

$ cd path/to/certificate/
$ openssl pkcs12 -in personal_certificate.pfx -out public_key.pem -clcerts

First you have to enter YOUR_CERT_PASSWORD once, then DIFFERENT_PASSWORD! twice. The latter will possibly be available to everyone with access to code.

PHP

<?php

$wsdlUrl   = "https://example.com/service.svc?singlewsdl";
$publicKey = "rel/path/to/certificate/public_key.pem";
$password  = "DIFFERENT_PASSWORD!";

$params = [
    'local_cert' => $publicKey,
    'passphrase' => $password,
    'trace' => 1,
    'exceptions' => 0
];

$soapClient = new \SoapClient($wsdlUrl, $params);

var_dump($soapClient->__getFunctions());