
Using curl in php with client certificate and private key in separate files

I need some assistance rewriting this PHP curl code that uses *.pem (CA cert), client cert and private key in one file:

curl_setopt($curl, CURLOPT_URL, $this->url);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_SSLCERT, $this->keystore);
curl_setopt($curl, CURLOPT_CAINFO, $this->keystore);
curl_setopt($curl, CURLOPT_SSLKEYPASSWD, $this->keystorepassword);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

So it could use CA certificate, Client Certificate and Private Key in separate files.

As in this command-line example:

curl -d "var1=value1&var2=value2&..." -G -v --key key.pem --cacert ca.pem --cert client.pem:xxxxxx https://www.somesite.com/page

Here is a PHP script with a literal translation of your command line call:

<?php

  $data = "var1=value1&var2=value2&...";
  $url = "https://www.somesite.com/page";


  $keyFile = "key.pem";
  $caFile = "ca.pem";
  $certFile = "client.pem";
  $certPass = "xxxxxx";

  // Initialise cURL
  // ($actualUrl is not defined yet at this point; the URL is set below with
  // CURLOPT_URL)
  $ch = curl_init();

  // The -d option is equivalent to CURLOPT_POSTFIELDS. But...
  // PHP's libcurl interface does not implement the -G flag - instead you would
  // append $data to $url like this:
  $actualUrl = $url.'?'.$data;
  curl_setopt($ch, CURLOPT_URL, $actualUrl);

  // The -v flag only makes sense at the command line, but it can be enabled
  // with CURLOPT_VERBOSE - in this case the information will be written to
  // STDERR, or the file specified by CURLOPT_STDERR. I will ignore this for
  // now, but if you would like a demonstration let me know.

  // The --key option - If your key file has a password, you will need to set
  // this with CURLOPT_SSLKEYPASSWD
  curl_setopt($ch, CURLOPT_SSLKEY, $keyFile);

  // The --cacert option
  curl_setopt($ch, CURLOPT_CAINFO, $caFile);

  // The --cert option
  curl_setopt($ch, CURLOPT_SSLCERT, $certFile);
  curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $certPass);

  /*
    Now we should get an identical request to the one created by your command
    line string, let's have a look at some of the other options you set...
  */

  // CURLOPT_HEADER is disabled by default, there's no need for this unless you
  // enabled it earlier
  //curl_setopt($ch, CURLOPT_HEADER, 0);

  // Your command line string forces a GET request with the -G option, are you
  // trying to POST or GET?
  //curl_setopt($ch, CURLOPT_POST, true);

  // We don't need body data with a GET request
  //curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

  // Since we've gone to all the trouble of supplying CS information, we might
  // as well validate it!
  //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
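
A complete version of the request with the three files kept separate and server verification left on, as an added example that is not the answer's own code. The function names mtlsGet and assertKeyMatchesCert are hypothetical; the file names, password and URL are the placeholders used above. It checks that the private key belongs to the client certificate before connecting, which separates a file mix-up from a handshake failure.

```php
<?php
// Added example (not the answer's code). Function names are hypothetical;
// file names and URL are the placeholders used on this page.
// Fail early if the client certificate and private key do not belong together.
function assertKeyMatchesCert(string $certFile, string $keyFile, string $keyPass = ''): void
{
    $cert = openssl_x509_read('file://' . realpath($certFile));
    $key  = openssl_pkey_get_private('file://' . realpath($keyFile), $keyPass);
    if ($cert === false || $key === false) {
        throw new RuntimeException('Cannot load client certificate or private key');
    }
    if (!openssl_x509_check_private_key($cert, $key)) {
        throw new RuntimeException('Private key does not match client certificate');
    }
}

function mtlsGet(string $url, array $query, string $caFile, string $certFile,
                 string $keyFile, string $keyPass = ''): string
{
    assertKeyMatchesCert($certFile, $keyFile, $keyPass);
    $opts = [
        CURLOPT_URL            => $url . '?' . http_build_query($query),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CAINFO         => $caFile,   // CA bundle used to verify the server
        CURLOPT_SSLCERT        => $certFile, // our client certificate
        CURLOPT_SSLKEY         => $keyFile,  // private key belonging to that certificate
        CURLOPT_SSL_VERIFYPEER => true,      // validate the server's chain against CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,         // and that the certificate names this host
    ];
    if ($keyPass !== '') {
        $opts[CURLOPT_KEYPASSWD] = $keyPass; // passphrase of an encrypted private key
    }
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Request failed: ' . curl_error($ch));
    }
    return $body;
}

try {
    echo mtlsGet('https://www.somesite.com/page', ['var1' => 'value1', 'var2' => 'value2'],
                 'ca.pem', 'client.pem', 'key.pem', 'xxxxxx');
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
}
```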

@DaveRandom, can you explain: is "key.pem" my own SSL public key or my client's public key? Is "ca.pem" the certificate authority public key? Is "client.pem" the client SSL public key certificate? And what is the "certificate password" field?

I also don't know how to create these trust stores.

I have an RSA private key and public key (CA-signed, signed by Sectigo/Comodo). I also have the client public key certificate.

I am posting this here as I don't have the 50 reputation.
