chacham15

Reputation: 14251

How do I create an X509 Certificate in PHP without the client's private key?

I have a server which has its own cert and a client who is trying to have the server generate a new cert for him (and sign it, ofc). The client has given the server his public key and the server is supposed to create a cert and sign it. In PHP, how do I have the server create the cert with only the client's public key? openssl_csr_new seems to want the private key.

Thanks!

Upvotes: 1

Views: 5035

Answers (1)

neubert

Reputation: 16802

You can do this with the latest SVN of phpseclib, a pure PHP X.509 parser, e.g.

<?php
include('File/X509.php');
include('Crypt/RSA.php');

// The issuer's (server's) private key: the only private key involved.
$privKey = new Crypt_RSA();
$privKey->loadKey('-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----');

// The subject's (client's) public key, exactly as the client handed it over.
$pubKey = new Crypt_RSA();
$pubKey->loadKey('-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----');
$pubKey->setPublicKey(); // treat the loaded key as a public key

// The subject: the public key to certify plus its distinguished name.
$subject = new File_X509();
$subject->setPublicKey($pubKey);
$subject->setDNProp('id-at-organizationName', 'whatever');

// The issuer: DN taken from the server's existing cert, signing key set explicitly.
$issuer = new File_X509();
// load the DN from an existing X.509 cert
$issuer->loadX509('-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----');
$issuer->setPrivateKey($privKey);

// Validity window and serial number for the new certificate.
$x509 = new File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+1 year');
$x509->setSerialNumber(1);

// Sign the subject with the issuer's key and emit the result as PEM.
$result = $x509->sign($issuer, $subject);
echo $x509->saveX509($result);

You'll need your private key and the subject's public key. In this example, I'm getting the issuing DN from an X.509 previously signed with your private key, but you might want to call setDN() instead?

Upvotes: 3
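The same exchange carried through in Go with the standard library's crypto/x509, as an added example that is not part of the answer above or of phpseclib. It follows the answer's shape: the issuer contributes its certificate and private key, the subject contributes only a "BEGIN PUBLIC KEY" PEM, and the subject's private key never appears on the server side. Everything named here is constructed for the example: NewIssuer generates a self-signed CA in memory as a fixture (where the answer loads an existing certificate), NewClientKeyPair plays the client, IssueFromPublicKey is the server step, VerifyIssued is the check the client should run on what comes back, and the organization "whatever", the serial numbers and the P-256 keys are arbitrary choices (the answer's RSA keys work the same way).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewIssuer is a fixture for this example: a self-signed CA built in memory.
func NewIssuer() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewClientKeyPair stands in for the client, which hands over only a "PUBLIC KEY" PEM.
func NewClientKeyPair() ([]byte, crypto.PublicKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki}), &key.PublicKey
}

// IssueFromPublicKey is the server side: issuer certificate, issuer private key and
// the subject's public key are its only inputs. DN and validity mirror the answer.
func IssueFromPublicKey(issuer *x509.Certificate, issuerKey crypto.Signer, subjectPubPEM []byte, org string, serial int64) (*x509.Certificate, []byte, error) {
	block, _ := pem.Decode(subjectPubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, nil, fmt.Errorf("expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, nil, fmt.Errorf("subject public key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().AddDate(0, -1, 0), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // IsCA stays false
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// VerifyIssued: the chain must end at the expected issuer and carry the key the client sent.
func VerifyIssued(cert, issuer *x509.Certificate, clientPub crypto.PublicKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if !cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool }).Equal(clientPub) {
		return fmt.Errorf("certificate does not carry the client's public key")
	}
	return nil
}

func main() {
	issuer, issuerKey := NewIssuer()
	pubPEM, clientPub := NewClientKeyPair()
	cert, certPEM, err := IssueFromPublicKey(issuer, issuerKey, pubPEM, "whatever", 2)
	must(err)
	must(VerifyIssued(cert, issuer, clientPub))
	fmt.Print(string(certPEM))
}
```

Two points the flow above makes visible. First, because the server never sees the subject's private key, nothing in this exchange proves the client actually holds it; a CSR carries that proof in its self-signature, which is why openssl_csr_new asks for the private key, so a server that skips the CSR should obtain the proof some other way. Second, the client-side VerifyIssued check matters: the returned certificate must chain to the issuer the client expects and must certify exactly the key it sent, not one substituted along the way. Serial numbers are fixed here for the demonstration; a real issuer must keep them unique per issuer and should draw them from a CSPRNG.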
