10

I need to open remote resources that are signed by a private company's Certificate Authority. Right now, PHP won't open the resources because it doesn't trust the certificate signer.

I know you can do certificates with the stream context object, but I'm looking for a way to give PHP the public key of a new Certificate Authority and have the file() and similar methods trust remote certificates signed by that authority without having to create a stream context each time.

Is there a way to add a new Certificate Authority to php.ini? I tried adding the CA's public key to /etc/ssl/certs/, but it doesn't seem to be recognized.

jophab
Nick

3 Answers

14

Curl uses a single file with all of the CAs in it. To add a new CA to Curl/PHP, you need to get a complete bundle, add your cert to the bundle, then tell PHP to use the custom bundle.

  1. Download the latest bundle from CURL and save it to /etc/ssl/certs/cacert.pem:

     curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem

  2. Edit the /etc/ssl/certs/cacert.pem file, and add your new CA public key to the bottom.

  3. Edit php.ini and add the line openssl.cafile=/etc/ssl/certs/cacert.pem to the top (or bottom).

  4. Restart the webserver.

Nick
    The correct address is (now): `curl --remote-name --time-cond cacert.pem https://curl.se/ca/cacert.pem` – Remo May 17 '21 at 06:51
3

Here is how I did it:

  1. I downloaded the cacert.pem from https://curl.se/docs/caextract.html

  2. I copied the cert to /usr/local/etc/ssl/certs/cacert.pem

  3. I added this line to the php.ini:

     openssl.cafile = "/usr/local/etc/ssl/certs/cacert.pem"

     and, for curl support, this line:

     curl.cainfo = "/usr/local/etc/ssl/certs/cacert.pem"

  4. Restart the server and done.

jerryurenaa
  • Thanks, this worked for me. In some cases, you'll have `cert.pem` instead of `cacert.pem`. Same steps here should work. – Czar Pino Apr 01 '22 at 21:56
1

I figured out the following steps:

Find your php.ini with:

php -i | grep "Loaded Configuration File"

Inside php.ini, verify/specify the path to the certs:

curl.cainfo =/your/path/cacert.pem
openssl.cafile=/your/path/cacert.pem

And the trickiest part:

If you need a custom certificate to be added, append it to /your/path/cacert.pem. It looks like this:

-----BEGIN CERTIFICATE-----
BLABLABLABLABLABLABLABLABLA
BLABLABLABLABLABLABLABLABLA
-----END CERTIFICATE-----

I didn't have to restart anything in my case (only the PHP script itself), but I guess it depends.

Hebe
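As an added example (not code from any of the answers above, nor from PHP's documentation), a short PHP check script that ties together the openssl.cafile / curl.cainfo settings from the answers and the "append your CA to the bundle" step from the last one: it reports which bundle PHP will actually use, confirms the last PEM block is a CA certificate and not a leaf, flags duplicate appends, and does a context-free fetch. The fallback bundle path and the test URL are assumptions.

```php
<?php
// Added example, not code from any of the answers above: check which CA bundle
// PHP's openssl stream wrapper (file(), file_get_contents()) and the curl
// extension will use, confirm the appended private CA really is a CA cert,
// and do a context-free fetch. $bundle fallback and $testUrl are assumptions.
declare(strict_types=1);

$bundle  = ini_get('openssl.cafile') ?: '/etc/ssl/certs/cacert.pem';  // assumed path
$testUrl = 'https://intranet.example.test/';                           // placeholder host

printf("openssl.cafile : %s\n", ini_get('openssl.cafile') ?: '(unset)');
printf("curl.cainfo    : %s\n", ini_get('curl.cainfo') ?: '(unset)');
printf("compiled-in    : %s\n", json_encode(openssl_get_cert_locations()));

$pem = @file_get_contents($bundle);
if ($pem === false) {
    fwrite(STDERR, "cannot read $bundle\n");
    exit(1);
}

// Split the bundle into PEM blocks; the private CA should be the last one.
preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
$certs = $m[0];
printf("certificates in bundle: %d\n", count($certs));

$last = end($certs);
$info = $last === false ? false : openssl_x509_parse($last);
if ($info === false) {
    fwrite(STDERR, "last PEM block does not parse as X.509 (copy/paste damage?)\n");
    exit(1);
}
$bc   = $info['extensions']['basicConstraints'] ?? '';
$isCa = stripos($bc, 'CA:TRUE') !== false;
printf("last cert subject : %s\n", $info['name']);
printf("last cert expires : %s\n", date(DATE_ATOM, $info['validTo_time_t']));
printf("sha256 fingerprint: %s\n", openssl_x509_fingerprint($last, 'sha256'));
printf("basicConstraints  : %s -> %s\n", $bc ?: 'absent',
    $isCa ? 'CA certificate' : 'NOT a CA (a leaf cert was appended by mistake?)');

// Duplicate appends are harmless for verification but worth flagging.
$fps = array_map(function ($c) { return openssl_x509_fingerprint($c, 'sha256'); }, $certs);
if (count($fps) !== count(array_unique($fps))) {
    echo "warning: duplicate certificates in bundle\n";
}
// Plain wrapper, no stream context: exactly what application code will do.
$body = @file_get_contents($testUrl);
echo $body === false
    ? 'fetch FAILED: ' . (error_get_last()['message'] ?? 'unknown error') . "\n"
    : 'fetch OK (' . strlen($body) . " bytes) with no custom stream context\n";
```

Run it with the same php.ini the web server loads (php -i | grep "Loaded Configuration File" from the last answer shows which one the CLI picked up), since CLI and FPM/Apache often read different ini files.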