I need to open remote resources that are signed by a private company's Certificate Authority. Right now, PHP won't open the resources because it doesn't trust the certificate signer.
I know you can do certificates with the stream context object, but I'm looking for a way to give PHP the public key of a new Certificate Authority and have the file() and similar methods trust remote certificates signed by that authority without having to create a stream context each time.
Is there a way to add a new Certificate Authority to php.ini? I tried adding the CA's public key to /etc/ssl/certs/, but it doesn't seem to be recognized.
Curl uses a single file with all of the CAs in it. To add a new CA to Curl/PHP, you need to get a complete bundle, add your cert to the bundle, then tell PHP to use the custom bundle.
/etc/ssl/certs/cacert.pem: curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
Edit the /etc/ssl/certs/cacert.pem file, and add your new CA public key to the bottom.
Edit php.ini and add the line openssl.cafile=/etc/ssl/certs/cacert.pem to the top (or bottom).
Restart the webserver.
Here is how I did it:
1- I downloaded the cacert.pem from https://curl.se/docs/caextract.html
2- I copied the cert to /usr/local/etc/ssl/certs/cacert.pem
3- I added this line to the php.ini: openssl.cafile= "/usr/local/etc/ssl/certs/cacert.pem" and, for curl support, this line: curl.cainfo = "/usr/local/etc/ssl/certs/cacert.pem"
4- Restart the server and done.
I figured out the following steps:
Find your php.ini with php -i | grep "Loaded Configuration File"
Inside php.ini, verify/specify the path to the certs:
curl.cainfo =/your/path/cacert.pem
openssl.cafile=/your/path/cacert.pem
And the trickiest part: if you need a custom certificate to be added, append it to /your/path/cacert.pem
It looks like this:
-----BEGIN CERTIFICATE-----
BLABLABLABLABLABLABLABLABLA
BLABLABLABLABLABLABLABLABLA
-----END CERTIFICATE-----
I didn't have to restart anything in my case (only the php script itself), but I guess it depends.
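A post-install check, added here as an example and not taken from any of the answers above: run it with the PHP CLI (or from a web request, as the web server's user) after editing php.ini. It reports which bundle PHP's openssl and curl wrappers actually load, confirms that your CA is in it and is a real CA certificate, then fetches a URL with the default context so the test uses the same code path as file(). The CA common name and the test URL are placeholders to replace.

```php
<?php
// Added example, not from the question or answers: verify that PHP trusts a
// private CA the way file()/file_get_contents() will, without disabling
// peer verification. $caName and $testUrl are placeholders (assumptions).
$caName  = 'Example Corp Root CA';            // placeholder: your CA's subject CN
$testUrl = 'https://intranet.example.com/';   // placeholder: a host signed by that CA

// openssl.cafile is what the https:// stream wrapper uses; curl.cainfo only
// matters for the curl extension. If neither is set, the compiled-in default applies.
$loc    = openssl_get_cert_locations();
$bundle = ini_get('openssl.cafile') ?: $loc['default_cert_file'];
printf("openssl.cafile : %s\ncurl.cainfo    : %s\n",
       $bundle, ini_get('curl.cainfo') ?: '(unset)');

if (!is_readable($bundle)) {
    exit("Bundle $bundle is not readable by the user running PHP\n");
}

// A bundle is just concatenated PEM blocks; parse each one on its own.
preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
               file_get_contents($bundle), $m);
$found = false;
foreach ($m[0] as $pem) {
    $info = openssl_x509_parse($pem);
    if ($info === false || ($info['subject']['CN'] ?? '') !== $caName) {
        continue;
    }
    $found = true;
    // Appending a leaf certificate instead of the CA is a common mistake:
    // it shows up in the file but signs nothing, so check basicConstraints.
    $isCa = strpos($info['extensions']['basicConstraints'] ?? '', 'CA:TRUE') !== false;
    printf("found %s: CA=%s, expires %s, sha256=%s\n", $caName, $isCa ? 'yes' : 'NO',
           date('Y-m-d', $info['validTo_time_t']), openssl_x509_fingerprint($pem, 'sha256'));
    if (!$isCa) {
        echo "  -> this is a leaf certificate, not a CA; nothing signed by it will verify\n";
    }
}
if (!$found) {
    exit("$caName is not in $bundle\n");
}

// No explicit stream context: verify_peer stays at its default (on), so a
// successful fetch means the CA is trusted globally, not that checks were skipped.
$body = @file_get_contents($testUrl);
echo $body === false
    ? "TLS fetch FAILED: " . (error_get_last()['message'] ?? 'unknown error') . "\n"
    : "TLS fetch OK (" . strlen($body) . " bytes)\n";
```

If the fetch fails while the CA is present and flagged CA=yes, the usual causes are a server that does not send its intermediate certificates or a php.ini edit applied to a different SAPI than the one being tested (check the Loaded Configuration File for each).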