使用证书创建 PHP SOAP 请求

Question

I am attempting to create a PHP SOAP connection to a .NET Web Service that has a self-signed certificate in order to lock down the service for communication over HTTPS. I continue to get error's and I'm not sure if it has something to do with the way I create the certificate, my Apache/PHP setup, the way I attempt to establish the SOAP request or something else. If anyone has any pointers they will be greatly appreciated. Thanks in advance.

Certificate Generation

This is how I am creating the certificate.

1. Create the trusted root private key:

   genrsa -out ca_authority_prv.pem 2048

2. Create the trusted root authority cert:

   req -new -key ca_authority_prv.pem -x509 -out ca_authority_cert.pem

3. Make the cert authority trusted:

   x509 -in ca_authority_cert.pem -out ca_authority_trust.pem -trustout

4. Exit OpenSSL and create a serial file:

   echo 1000 > ca_authority.srl

5. Create the client private key:

   genrsa -out Client_prv.pem 2048

6. Create the client request:

   req -new -key Client_prv.pem -out Client_req.pem

7. Sign the client request with the CA:

   x509 -req -CA ca_authority_trust.pem -CAserial ca_authority.srl -CAkey ca_authority_prv.pem -in Client_req.pem -out Client_cert.pem

8. Make the pfx for the client cert

   pkcs12 -export -in Client_cert.pem -inkey Client_prv.pem -out Client_cert.pfx

IIS Setup

Once this certificate is created I follow the same steps for a server certificate and:

1. Add the trusted root CA to the Machine Trusted Root Store

2. Add the server certificate to the machine store

3. Setup IIS to use the server certificate and require client certificates

PHP SOAP Request

This is the code I am using to establish the PHP SOAP request (below is the error):

$wsdl = "https://localhost/MyService/MyService.asmx";
$local_cert = "C:\\Certs\client_cert.pem";
$passphrase = "openSaysMe";

    $soapClient = new SoapClient($wsdl, array('local_cert'=>  $local_cert,'passphrase'=>$passphrase));
    $theResponse = $soapClient->test();

ERROR

Warning: SoapClient::SoapClient() [soapclient.soapclient]: Unable to set private key file `C:\Certs\client_cert.pem' in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: failed to create an SSL handle in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: Failed to enable crypto in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient(https://localhost/MyService/MyService.asmx) [soapclient.soapclient]: failed to open stream: operation failed in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning : failed to load external entity "https://localhost/MyService/MyService.asmx" in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53
Error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost/MyService/MyService.asmx'

ERROR LOG

PHP Warning:  SoapClient::SoapClient() [<a href='soapclient.soapclient'>soapclient.soapclient</a>]: failed to create an SSL handle in C:\\Program Files\\Apache Group\\Apache2\\htdocs\\soapWithAuth.php on line 54

Answer 1

I managed to get this working but there are some oddities that I wonder about. Specifically the need to combine the client certificate and private key into a single file to send along with the Soap Request as well as the certificate pass-phrase was breaking the request although the PHP Soap documentation explicitly includes it as an option. If anyone has input on how to improve this I would love to hear it.

1) Create the OpenSsl client and server certificates and sign them with the certificate authority. When creating the certificate do not assign a passphrase to them, just hit the enter button at that point.

2) Import the server certificate authority file into the Machine certificate store under the trusted root. You can get to this by using the MMC command at the command prompt and then adding the Certificates snap in.

3) Import the Server certificate into the Machine store Personal certificate store

4) Import the client certificate in the local account Personal store. You can do this by typing certmgr.msc at the command prompt.

5) Make sure to have Apache with a SSL version of PHP running. If you already had a non-php version of PHP installed you can follow these steps to configure your Apache server to run using SSL.

Inside httpd.conff

a) Remove the comment ‘#’ at line : LoadModule ssl_module modules/mod_ssl.so

b) Remove the comment ‘#’ at the line inside `<IfModule ssl_module>`:  Include /extra/httpd-ssl.conf

   and move this line after the block `<IfModule ssl_module>…. </IfModule>`  

Inside php.ini

c) Remove the comment ‘;’ at the line which says: extension=php_openssl.dll

6) Configure IIS to use a certificate and SSL using the following steps:

a) Right click the 'Default Website' node choose 'Properties'

b) 'Directory Security' tab 'Server Certificate' button. Follow the wizard to select the certificate you imported into the store then complete the wizard and return to the 'Directory Security' tab.

c) Under 'Secure Communications' select the 'Edit' button. 

d) Check the 'Require Secure Channel (SSL) checkbox.

7) Creating the PHP SOAP request (the test() method should be a valid method in your Web service):

$wsdl = "https://localhost/MyService/myservices.asmx?wsdl";
$local_cert = "C:\\SoapCerts\ClientKeyAndCer.pem";

$soapClient = new SoapClient($wsdl, array('local_cert' => $local_cert));

$theResponse = $soapClient->test();

8) Place this file into your Apache directory. By Default: 'C:\\Program Files\\Apache Group\\Apache2\\htdocs'

9) You will need access to the client certificate. In the steps you took to produce the client and server certificates you also produced the private key files. Open the client_prv.pem (the client private key file) and copy the contents into a new document with a text editor. It is probably safer to use something like Textpad that will hopefully not add a bunch of special characters, certificate parsers are very picky. Immediately after the private key part place the contents of the client certificate (client_cer.pem) so that the resulting file is an un-escaped copy of the client private key and client

certificate. Save the resulting file to a directory you can get to from the php file. In the example above the resulting file is the

'C:\\SoapCerts\\ClientKeyAndCer.pem' file.

9) Navigate to localhost/nameOfYourFile.php. You should see a successful connection to the service with a response matching the expected results from your

Web service method.

Answer 2

A side note: there is a way to make successful SOAP request and keep the private key and certificate file separated. To do this, you have to create a stream context and pass that as the context option:

  <?php

  $wsdl = "https://localhost/MyService/MyService.asmx";
  $context = stream_context_create(
    array(
     "ssl" => array(
     "local_cert" => "C:\\Certs\client_cert.pem",
     "local_pk"   => "/path/to/private/key"
      )
    )
  );

   $client = new \SoapClient($wsdl, array("context" => $context));

Answer 3

GitBash

$ cd path/to/certificate/
$ openssl pkcs12 -in personal_certificate.pfx -out public_key.pem -clcerts

First you have to enter YOUR_CERT_PASSWORD once, then DIFFERENT_PASSWORD! twice. The latter will possibly be available to everyone with access to code.

PHP

<?php

$wsdlUrl   = "https://example.com/service.svc?singlewsdl";
$publicKey = "rel/path/to/certificate/public_key.pem";
$password  = "DIFFERENT_PASSWORD!";

$params = [
    'local_cert' => $publicKey,
    'passphrase' => $password,
    'trace' => 1,
    'exceptions' => 0
];

$soapClient = new \SoapClient($wsdlUrl, $params);

var_dump($soapClient->__getFunctions());
var_dump($soapClient->__getTypes());