
I have created a PHP script that authenticates automatically into a website that needs a client certificate, using CURL.

The certificate is always on my Apache web server; however, it is accessible by typing the link of the certificate, e.g. www.testdomain.com/cert.cer (you can download it by typing the link).

This kind of certificate must be private and not accessible just by typing the link. It is just needed to make the authentication, so that the PHP script can perform an action.

I am using CURL, PHP and Apache2 Server. How can I block the CER certificate, so that only the script can access it? I have already tried to edit the permissions to 770 (no anonymous users), but then it is not accessible by the script either.

Please help me! Any suggestion would be appreciated.

Ciro
  • Put it somewhere outside the web root. – Mike Jun 02 '16 at 22:00
  • As Mike is saying, PHP can access files outside of the document root where Apache serves files. This will prevent Apache from seeing/serving the file, but PHP will still be able to send it over for authentication. You would just need to make sure to use the full path when pointing CURL at the file. – Jonathan Kuhn Jun 02 '16 at 22:03
  • While not an *exact* duplicate, it's the same principle as http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php – Mike Jun 02 '16 at 22:04

1 Answer


Yes, it works! I have just used the full path.

curl_setopt($ch, CURLOPT_SSLCERT, "/home/ubuntu/cert.cer");
curl_setopt($ch, CURLOPT_SSLKEY, "/home/ubuntu/cert.key");

I didn't think about it, and in fact PHP can access the whole server. Thank you.

Ciro
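An added example, not part of the original question or answer: a PHP sketch that checks the certificate and key are outside the Apache document root, readable by the PHP user, and not open to every local account before handing them to cURL. The function names, the `https://example.com/` URL and the `/var/www/html` fallback are assumptions; the two file paths are the ones from the answer.

```php
<?php
// Added example. The URL and both function names are hypothetical.

// Resolve a credential file and refuse it if Apache could serve it or
// if its mode grants access to every local user.
function checkedCredentialPath(string $path, string $docRoot): string
{
    $real = realpath($path);
    // A mode such as 770 fails here unless the file's owner or group
    // includes the account PHP runs as.
    if ($real === false || !is_file($real) || !is_readable($real)) {
        throw new RuntimeException("Not readable by the PHP user: $path");
    }
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("Inside the web root: $real");
    }
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException("Accessible to all local users: $real");
    }
    return $real;
}

function clientCertRequest(string $url, string $cert, string $key, string $docRoot): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_SSLCERT        => checkedCredentialPath($cert, $docRoot),
        CURLOPT_SSLKEY         => checkedCredentialPath($key, $docRoot),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Request failed: ' . curl_error($ch));
    }
    return $body;
}

// Under Apache, DOCUMENT_ROOT is the served directory; the fallback is an assumption.
$docRoot = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: '/var/www/html';
try {
    echo clientCertRequest('https://example.com/', '/home/ubuntu/cert.cer',
                           '/home/ubuntu/cert.key', $docRoot);
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```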