How do I set extKeyUsage with phpseclib?

Date: 2013-06-27 23:48:37

Tags: php x509 phpseclib

I want to add the SSL server and SSL client flags to a certificate that I sign with phpseclib. How do I do that? I found the setExtension function, but I don't know how to use it. Any help is appreciated. Thanks.

I tried the following and it does not work (mostly taken from the phpseclib example):

<?php
// phpseclib 0.3.x class files (Crypt_RSA / File_X509) must be on the include path
require_once 'Crypt/RSA.php';
require_once 'File/X509.php';

// create private key for CA cert
$CAPrivKey = new Crypt_RSA();
extract($CAPrivKey->createKey());   // defines $privatekey and $publickey
$CAPrivKey->loadKey($privatekey);

$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();

echo "the private key for the CA cert (can be discarded):\r\n\r\n";
echo $privatekey;
echo "\r\n\r\n";


// create a self-signed cert that'll serve as the CA
$subject = new File_X509();
$subject->setPublicKey($pubKey);
$subject->setDNProp('id-at-organizationName', 'phpseclib demo CA');

$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CASubject = $subject->getDN());

$x509 = new File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+1 year');
$x509->setSerialNumber(chr(1));
$x509->makeCA();

$result = $x509->sign($issuer, $subject);
echo "the CA cert to be imported into the browser is as follows:\r\n\r\n";
echo $x509->saveX509($result);
echo "\r\n\r\n";


// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());     // overwrites $privatekey and $publickey with the new pair
$privKey->loadKey($privatekey);

$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();

$subject = new File_X509();
$subject->setPublicKey($pubKey);
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
$subject->setDomain('www.google.com');

$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CASubject);

$x509 = new File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+1 year');
$x509->setSerialNumber(chr(2));     // must differ from the CA cert's serial under the same issuer
// this call has no effect here: the object has no certificate loaded yet, so there is nothing to attach the extension to
$x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'));

$result = $x509->sign($issuer, $subject);

echo "the stunnel.pem contents are as follows:\r\n\r\n";
echo $privKey->getPrivateKey();
echo "\r\n";
echo $x509->saveX509($result);
echo "\r\n";

1 answer:

Answer 0 (score: 1)

What you currently have to do is create the X.509 certificate first, add the extension after the certificate has been created, and then re-sign it. For example, after

$result = $x509->sign($issuer, $subject);

do this:

$x509->loadX509($result);

$x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'));

$result = $x509->sign($issuer, $x509);

i.e. you sign the certificate, load it, set the extension, and then sign it again.

Unfortunately, this is not an elegant solution. My understanding is that the API will be updated at some point so that you can set extensions without first having a certificate, but that has not been implemented yet.
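The sign / loadX509 / setExtension / re-sign sequence from the answer as a complete script, with a final parse of the issued PEM to confirm the extension is really encoded. This is an added example, not code from the question, the answer or the phpseclib project; it assumes phpseclib 0.3.x (the Crypt_RSA / File_X509 classes) on the include path, and all names and values in it are made up.

```php
<?php
// Added example (not from the question or answer): sign, reload, set extKeyUsage,
// re-sign, then parse the result to confirm the extension was actually encoded.
// Assumes phpseclib 0.3.x (Crypt_RSA / File_X509) on the include path.
require_once 'Crypt/RSA.php';
require_once 'File/X509.php';

function makeKeyPair() {
    $rsa = new Crypt_RSA();
    $keys = $rsa->createKey(2048);
    $priv = new Crypt_RSA(); $priv->loadKey($keys['privatekey']);
    $pub = new Crypt_RSA(); $pub->loadKey($keys['publickey']); $pub->setPublicKey();
    return array($priv, $pub);
}

// issuer: only the CA private key and its DN are needed to sign the leaf cert
list($caPriv, $caPub) = makeKeyPair();
$issuer = new File_X509();
$issuer->setPrivateKey($caPriv);
$issuer->setDNProp('id-at-organizationName', 'example CA');

// leaf subject: the key pair and names that go into the server cert
list($leafPriv, $leafPub) = makeKeyPair();
$subject = new File_X509();
$subject->setPublicKey($leafPub);
$subject->setDNProp('id-at-organizationName', 'example server');
$subject->setDomain('www.example.com');

$x509 = new File_X509();
$x509->setSerialNumber(chr(2));
$x509->setEndDate('+1 year');
$result = $x509->sign($issuer, $subject);   // 1. sign: no extKeyUsage yet

$x509->loadX509($result);                    // 2. load the signed cert into the object
$x509->setExtension('id-ce-extKeyUsage',     // 3. now the extension has a cert to attach to
    array('id-kp-serverAuth', 'id-kp-clientAuth'));
$result = $x509->sign($issuer, $x509);       // 4. re-sign, this time with the extension

// check: parse the final PEM with a fresh object and read back what was encoded
$check = new File_X509();
$check->loadX509($x509->saveX509($result));
$eku = $check->getExtension('id-ce-extKeyUsage');
if (!is_array($eku) || !in_array('id-kp-serverAuth', $eku) || !in_array('id-kp-clientAuth', $eku)) {
    throw new Exception('extKeyUsage not present: ' . var_export($eku, true));
}
echo $leafPriv->getPrivateKey(), "\n", $x509->saveX509($result), "\n";
```

The read-back check is the part worth keeping in any issuance script: a setExtension call made before the first sign silently does nothing, so only parsing the output proves the extension is there.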
