
I have a question about building an authentication system with SSL certificates. My idea is to store the data in the database (I know how to do that) and, when the user presents the certificate, have the system check the cert values and know where to put the user. But there are some things that are not quite clear (I might sound nooby, but don't judge me):

  1. How do I make the certificate with PHP?
  2. How do I make the system request specific details from the client? (As on StartSSL.)
  3. Do I have to sign the private certificate or something?

P.S.: I am using the HostGator Business Plan, if this makes any difference. I have requested them to issue a private SSL certificate.

Fluffeh
D. Dimitrov

2 Answers

I have never used StartSSL; however, many individuals and companies alike use SSL APIs and auth now, like the new(ish) Facebook SDK.

Note that self signed certificates are not supported as a valid security mechanism by many browsers and other software.

You cannot make SSL certificates in PHP; instead you must make them using a tool like OpenSSL. Here is a brief tutorial I found on Google: http://www.akadia.com/services/ssh_test_certificate.html .

SSL is mainly designed to make the transfer of data across the line a little more secure, and when reading in connections through PHP you would validate the certificate to see if it matches the one it is supposed to (http://stackoverflow.com/questions/3081042/how-to-get-ssl-certificate-info-with-curl-in-php), much like how a browser downloads a site's SSL cert and then uses that to create a secure connection. I wouldn't imagine you would have a certificate per user.

After this all your data goes over HTTPS rather than HTTP allowing for SSL auth.

Depending on the SSL auth system, if it is an API then your cURL request would be sent over HTTPS rather than HTTP.

If you are making this for a login page on a website then it is a lot simpler than I have said above (well, in theory; there are still a lot of things you can mess up). If you are doing this then you would simply add the SSL cert to your server and then add it to your server config (another quick tutorial for Apache from Google: http://www.digicert.com/ssl-certificate-installation-apache.htm ) and then literally proceed as you normally would, redirecting the user to an https version of the login page and the login processing page (making sure you have a vhost for 443 if you're on Apache).

Edit: OpenSSL does have a PHP API, as I just remembered, so I was wrong there.

This is how I see SSL auth going down.

Sammaye
  • What if I sign the certificate with a valid CA? openssl_csr_sign() requires a CA if I have one, and I have =D. Won't the certificate be valid? – D. Dimitrov Jul 31 '12 at 08:43
  • @D.Dimitrov Indeed, if it is signed by a valid provider it will be counted as valid; it is only when you self-sign it that problems occur. – Sammaye Jul 31 '12 at 08:47
  • @D.Dimitrov So to answer `Do I have to sign the private certificate or something?`: No, you would get your CA to sign it. – Sammaye Jul 31 '12 at 08:48
  • So I have to sign them with the CA cert of the issuer of the site certificate, or does it not matter as long as it is signed with a valid CA? – D. Dimitrov Jul 31 '12 at 08:56
  • @D.Dimitrov Doesn't matter so long as it is signed by someone who is authorised, so be sure to shop around for a cheaper deal if you think your hosting provider (the one who activated the certs) is ripping you off. Though their activation of the cert might include signing, so check that with them; you may have hit two birds with one stone. – Sammaye Jul 31 '12 at 09:00
  • @D.Dimitrov Oh yeah, you can make SSL certs with PHP; OpenSSL has a PHP API, as I have just remembered. But you already knew that because you showed one of the functions :) – Sammaye Jul 31 '12 at 09:08
  • @D.Dimitrov Didn't you get a key file when you made up the first part of your SSL cert? There are always two stages to making an SSL cert: first you make the key, then the CSR that you send to the signer, then they give you the cert itself and its chain. – Sammaye Jul 31 '12 at 18:39
  • OK, I am thinking of signing my PKIs with the cert and key of the website, but my Opera tells me to install the certification chain. I want to make it absolutely valid, so I need an option to sign it either with some kind of CA, or any way to sign it with the site cert and have it be trusted. I thought of signing it with StartSSL's CA but I don't have their key, so I need options =D. Or is this as far as I can go (for free, that is)? – D. Dimitrov Aug 02 '12 at 07:45
  • @D.Dimitrov Heh, SSL CA signing is never free :P and CAs keep the keys they actually use for signing very secret 99% of the time. Depending on the type of cert, though, you might be able to get the chain through StartSSL's site; basically it is a descriptor file that tells the browser what your cert actually is and that it is not a forged type of cert (it's like signing a letter and then putting it in an official envelope), so maybe it's just a case of getting the chain from StartSSL's site? – Sammaye Aug 02 '12 at 08:19
  • So you want to tell me to get a domain validated cert from StartSSL and after that sign the PKIs with that cert? – D. Dimitrov Aug 02 '12 at 08:42
  • @D.Dimitrov Normally a cert does come with a chain, yes. It is basically just a file that says the cert is what it is; this allows browsers like Opera to not moan at you for not having it. – Sammaye Aug 02 '12 at 09:09
  • @D.Dimitrov But it does not need a whole new cert or a domain validated cert; it is just a counterpart to the cert. – Sammaye Aug 02 '12 at 09:12
  • OK, ideas: I have the CERT, KEY and CSR but it doesn't work when I try to put the CSR as the csr for the key. How should I modify it =D @Sammaye – D. Dimitrov Aug 02 '12 at 14:00
  • @D.Dimitrov You don't; the CSR becomes useless once you have the cert. Just add the cert and the chain to Apache (or whatever server you're using) and the key file, and watch the magic happen. – Sammaye Aug 02 '12 at 14:12
  • @D.Dimitrov Though don't delete the CSR in case something gets fudged up when you apply the cert. – Sammaye Aug 02 '12 at 14:13
1) Method to create a new SSL certificate with PHP:

    <?php
    // Subject of the client certificate; these values are chosen by the application
    $dn = array(
        "countryName" => 'Country',
        "organizationName" => 'Org',
        "commonName" => 'Common name',
        "emailAddress" => 'email@email.com',
    );

    // sha256 rather than SHA1: SHA-1 signed certificates are rejected by current browsers.
    // The key size is set explicitly instead of relying on the openssl.cnf default.
    $configArgs = array(
        'digest_alg' => 'sha256',
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    );

    $clientKey = openssl_pkey_new($configArgs);
    if ($clientKey === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr = openssl_csr_new($dn, $clientKey, $configArgs);
    if ($csr === false) {
        throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
    }

    // Password protecting the exported PKCS#12 bundle
    $password = trim(base64_encode(openssl_random_pseudo_bytes(8)), '/=');

    // Serial number written into the certificate. It must be set before signing,
    // be unique per certificate this CA issues, and is what the server later
    // looks up to identify the user.
    $serial = random_int(1, PHP_INT_MAX);

    // ca.pem is expected to hold both the CA certificate and its private key,
    // which is why the same path is passed for both arguments.
    $cert = openssl_csr_sign(
        $csr,
        'file:///etc/ssl/ca/ca.pem',
        'file:///etc/ssl/ca/ca.pem',
        1095,
        $configArgs,
        $serial
    );
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }

    // Bundle certificate and private key into a PKCS#12 (.pfx) the browser can import
    if (!openssl_pkcs12_export($cert, $clientCertPkcs12, $clientKey, $password)) {
        throw new RuntimeException('PKCS#12 export failed: ' . openssl_error_string());
    }

    $sslData = array(
        'serial' => $serial, // random serial, used later to identify the user
        'sslkey' => $password,
        'created_at' => time(),
        'sslpfx' => $clientCertPkcs12
    );
    // openssl_x509_free()/openssl_pkey_free() are no-ops since PHP 8.0;
    // the key and certificate objects are released when they go out of scope.
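The code above only covers issuing the client certificate. The part the question's second point asks about, making the web server request the certificate and then deciding "where to put the user", is shown below as an added example; it is not code from either answer. It assumes an Apache vhost configured with `SSLVerifyClient require`, `SSLCACertificateFile /etc/ssl/ca/ca.pem` (the CA that signed the client certificates above) and `SSLOptions +StdEnvVars +ExportCertData`, which is what makes mod_ssl populate `$_SERVER['SSL_CLIENT_VERIFY']` and `$_SERVER['SSL_CLIENT_CERT']`. The `$users` table, the serial values in it and the `identify_client()` function name are constructed for illustration; in practice the table is the row written to the database when the certificate was issued.

```php
<?php
// Added example, not part of the original answers.
// Assumed Apache configuration for the vhost serving this script:
//   SSLVerifyClient require
//   SSLVerifyDepth 1
//   SSLCACertificateFile /etc/ssl/ca/ca.pem     (CA that signed the client certs)
//   SSLOptions +StdEnvVars +ExportCertData      (exports SSL_CLIENT_VERIFY / SSL_CLIENT_CERT)
declare(strict_types=1);

/**
 * Map the client certificate presented on this request to a user record.
 * Returns the record, or null if the request must be rejected.
 *
 * @param array $server  normally $_SERVER
 * @param string $caFile PEM file of the CA that issues client certificates
 * @param array $users   issued-serial => user record (constructed table below)
 */
function identify_client(array $server, string $caFile, array $users): ?array
{
    // 1. mod_ssl already validated the chain when SSLVerifyClient is on.
    //    Anything other than SUCCESS (NONE, FAILED:...) is refused outright.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    if ($pem === '') {
        return null;
    }
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return null;
    }

    // 2. Defence in depth: re-check in PHP that the certificate chains to *our* CA
    //    and is usable as a TLS client certificate. This catches a vhost that
    //    exports certificates without verifying them (SSLVerifyClient optional_no_ca).
    if (openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT, [$caFile]) !== true) {
        return null;
    }

    $info = openssl_x509_parse($cert);
    if ($info === false) {
        return null;
    }

    // 3. Authorise on the serial number our CA assigned, never on the subject alone:
    //    CN and emailAddress are whatever was requested and can collide; the serial
    //    is the value stored in $sslData['serial'] at issuance.
    $serial = (string) $info['serialNumber'];
    $user = $users[$serial] ?? null;
    if ($user === null || $user['revoked']) {
        // Unknown or revoked serial. OpenSSL still considers the certificate valid,
        // so revocation has to be enforced here (or via CRL/OCSP in mod_ssl).
        return null;
    }

    // 4. The subject must still match what was recorded when the cert was issued.
    if (($info['subject']['CN'] ?? '') !== $user['cn']) {
        return null;
    }
    return $user;
}

// Constructed issuance table: serial (decimal, as openssl_x509_parse reports it)
// => the user the certificate was issued to and the role it should land in.
$users = [
    '4521' => ['cn' => 'alice', 'role' => 'admin', 'revoked' => false],
    '4522' => ['cn' => 'bob',   'role' => 'user',  'revoked' => true],
];

$user = identify_client($_SERVER, '/etc/ssl/ca/ca.pem', $users);
if ($user === null) {
    http_response_code(403);
    exit('client certificate not accepted');
}
// From here on route on $user['role'], e.g. send 'admin' to the admin area.
```

Two points worth keeping in mind with this approach: the browser only sends a client certificate if the server asks for one, so the `SSLVerifyClient` directive is what turns the "request specific details from the client" step on, and the whole TLS handshake fails before PHP runs if the certificate does not chain to `SSLCACertificateFile`; and OpenSSL has no idea which of your issued certificates you still trust, so the serial lookup (or a CRL fed to mod_ssl) is the only thing standing between a lost `.pfx` file and a login.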