Getting an OpenSSL ca.config file to work with PHP?

I have searched a lot but cannot find an answer. I am posting this here because it looks more like an OpenSSL problem than a PHP problem, although I can create certificates from the command line with this CA config, so PHP is somehow unhappy with it.

When calling openssl_pkey_new() in PHP, I get the error:

Error loading request_extensions_section section v3_req of /path/to/ca.config

I am passing the path of the ca.config file to openssl_pkey_new() via the config array, and PHP is then opening that file.

The ca.config file looks like this:

[ ca ]
default_ca = MyClientCA

[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ MyClientCA ]
dir = /site/path/ssl/ca
new_certs_dir = $dir
unique_subject = no
certificate = $dir/MyClientCA.public
database = $dir/certindex
private_key = $dir/MyClientCA.key
serial = $dir/MyClientCA.srl
default_days = 3650
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[alt_names]
DNS.0 = Sparkling Intermidiate CA 1
DNS.1 = Sparkling CA Intermidiate 1

[crl_section]
URI.0 = http://pki.sparklingca.com/SparklingRoot.crl
URI.1 = http://pki.backup.com/SparklingRoot.crl

[ocsp_section]
caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt
caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt
OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
OCSP;URI.1 = http://pki.backup.com/ocsp/

Unfortunately, the error error loading request_extensions_section section v3_req is not very helpful.

There is no request_extensions section in the file. There is an x509_extensions directive pointing to myca_extensions, but there does not seem to be anything wrong with it.

There is no v3_req section either. There is a v3_ca section, but again, I cannot find anything wrong with it.

How can I get more details about errors in the configuration file?

Update

I have tried many things.

I tried copying the file from the system default openssl.conf, but that only changed the error to:

error:0E06D06C:configuration file routines:NCONF_get_string:no value

Many people online ask about that error, but nobody has provided a useful reply.

I switched to a basic config:

[ ca ]
default_ca = ClientCA

[ ClientCA ]
dir = /path/var/ssl
new_certs_dir = $dir/pk12
unique_subject = no
certificate = $dir/ca/ClientCA.public
database = $dir/ca/certindex
private_key = $dir/ca/ClientCA.key
serial = $dir/ca/ClientCA.srl
default_days = 3650
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

But the same error:

error:0E06D06C:configuration file routines:NCONF_get_string:no value

The config creates certificates fine from the command line.
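The following is an added example, not code from the original post: it calls openssl_pkey_new() with a custom config file (a minimal constructed one containing only a [ req ] section and one extension section) and then drains openssl_error_string(), which returns every message left in OpenSSL's error queue rather than the single line PHP reports in its warning. The temp-file path and section names are placeholders chosen for the example.

```php
<?php
// Added example (not from the original post): run openssl_pkey_new() against a
// custom config file and print the whole OpenSSL error queue afterwards.
// The config below is constructed for this example; section names are placeholders.

$config = <<<'CNF'
[ req ]
default_md       = sha256
x509_extensions  = example_ext
# no req_extensions line: PHP only tries to load a request-extensions
# section when one is named here or in the config array

[ example_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
CNF;

$cnfPath = tempnam(sys_get_temp_dir(), 'php-openssl-');
file_put_contents($cnfPath, $config);

// Empty the queue first so only messages from this call are reported.
while (openssl_error_string() !== false) {
}

$key = openssl_pkey_new([
    'config'              => $cnfPath,
    'config_section_name' => 'req',   // PHP's default; given explicitly for clarity
    'private_key_type'    => OPENSSL_KEYTYPE_RSA,
    'private_key_bits'    => 2048,
]);

if ($key === false) {
    echo "openssl_pkey_new() failed\n";
}

// Print every queued OpenSSL error in queue order (oldest first).
while (($err = openssl_error_string()) !== false) {
    echo "OpenSSL: $err\n";
}

if ($key !== false) {
    $details = openssl_pkey_get_details($key);
    echo "Generated {$details['bits']}-bit key\n";
}

unlink($cnfPath);
```

Messages can remain queued even when the call itself succeeds, so the queue is checked in both cases.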
