使用证书创建 PHP SOAP 请求 [英] Creating a PHP SOAP request with a certificate
问题描述
我正在尝试创建一个到具有自签名证书的 .NET Web 服务的 PHP SOAP 连接,以便锁定该服务以通过 HTTPS 进行通信.我继续遇到错误,我不确定它是否与我创建证书的方式、我的 Apache/PHP 设置、我尝试建立 SOAP 请求的方式或其他方式有关.如果有人有任何指示,他们将不胜感激.提前致谢.
I am attempting to create a PHP SOAP connection to a .NET Web Service that has a self-signed certificate in order to lock down the service for communication over HTTPS. I continue to get error's and I'm not sure if it has something to do with the way I create the certificate, my Apache/PHP setup, the way I attempt to establish the SOAP request or something else. If anyone has any pointers they will be greatly appreciated. Thanks in advance.
这就是我创建证书的方式.
This is how I am creating the certificate.
创建受信任的根私钥:
Create the trusted root private key:
genrsa -out ca_authority_prv.pem 2048
genrsa -out ca_authority_prv.pem 2048
创建受信任的根授权证书:
Create the trusted root authority cert:
req -new -key ca_authority_prv.pem -x509 -out ca_authority_cert.pem
req -new -key ca_authority_prv.pem -x509 -out ca_authority_cert.pem
使证书颁发机构受信任:
Make the cert authority trusted:
x509 -in ca_authority_cert.pem -out ca_authority_trust.pem -trustout
x509 -in ca_authority_cert.pem -out ca_authority_trust.pem -trustout
退出 OpenSSL 并创建一个串行文件:
Exit OpenSSL and create a serial file:
echo 1000 > ca_authority.srl
echo 1000 > ca_authority.srl
创建客户端私钥:
Create the client private key:
genrsa -out Client_prv.pem 2048
genrsa -out Client_prv.pem 2048
创建客户端请求:
Create the client request:
req -new -key Client_prv.pem -out Client_req.pem
req -new -key Client_prv.pem -out Client_req.pem
使用 CA 签署客户端请求:
Sign the client request with the CA:
x509 -req -CA ca_authority_trust.pem -CAserial ca_authority.srl -CAkey ca_authority_prv.pem -in Client_req.pem -out Client_cert.pem
x509 -req -CA ca_authority_trust.pem -CAserial ca_authority.srl -CAkey ca_authority_prv.pem -in Client_req.pem -out Client_cert.pem
为客户端证书制作 pfx
Make the pfx for the client cert
pkcs12 -export -in Client_cert.pem -inkey Client_prv.pem -out Client_cert.pfx
pkcs12 -export -in Client_cert.pem -inkey Client_prv.pem -out Client_cert.pfx
IIS 设置
创建此证书后,我对服务器证书执行相同的步骤,并且:
IIS Setup
Once this certificate is created I follow the same steps for a server certificate and:
将受信任的根 CA 添加到机器受信任的根存储
Add the trusted root CA to the Machine Trusted Root Store
将服务器证书添加到机器存储区
Add the server certificate to the machine store
设置 IIS 以使用服务器证书并需要客户端证书
Setup IIS to use the server certificate and require client certificates
PHP SOAP 请求
这是我用来建立 PHP SOAP 请求的代码(以下是错误):
PHP SOAP Request
This is the code I am using to establish the PHP SOAP request (below is the error):
$wsdl = "https://localhost/MyService/MyService.asmx";
$local_cert = "C:\Certsclient_cert.pem";
$passphrase = "openSaysMe";
$soapClient = new SoapClient($wsdl, array('local_cert'=> $local_cert,'passphrase'=>$passphrase));
$theResponse = $soapClient->test();
错误
Warning: SoapClient::SoapClient() [soapclient.soapclient]: Unable to set private key file `C:Certsclient_cert.pem' in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53
Warning: SoapClient::SoapClient() [soapclient.soapclient]: failed to create an SSL handle in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53
Warning: SoapClient::SoapClient() [soapclient.soapclient]: Failed to enable crypto in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53
Warning: SoapClient::SoapClient(https://localhost/MyService/MyService.asmx) [soapclient.soapclient]: failed to open stream: operation failed in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53
Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning : failed to load external entity "https://localhost/MyService/MyService.asmx" in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53
Error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost/MyService/MyService.asmx'
错误日志
PHP Warning: SoapClient::SoapClient() [<a href='soapclient.soapclient'>soapclient.soapclient</a>]: failed to create an SSL handle in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 54
推荐答案
我设法让它工作了,但我想知道一些奇怪的地方.特别是需要将客户端证书和私钥组合到一个文件中以与 Soap 请求以及证书密码短语一起发送,这破坏了请求,尽管 PHP Soap 文档明确将其作为一个选项包含在内.如果有人对如何改进这一点有意见,我很乐意听到.
I managed to get this working but there are some oddities that I wonder about. Specifically the need to combine the client certificate and private key into a single file to send along with the Soap Request as well as the certificate pass-phrase was breaking the request although the PHP Soap documentation explicitly includes it as an option. If anyone has input on how to improve this I would love to hear it.
1) 创建 OpenSsl 客户端和服务器证书,并使用证书颁发机构对其进行签名.创建证书时不要为它们分配密码,只需在此时按下 Enter 按钮即可.
1) Create the OpenSsl client and server certificates and sign them with the certificate authority. When creating the certificate do not assign a passphrase to them, just hit the enter button at that point.
2) 将服务器证书颁发机构文件导入受信任根下的 Machine 证书库.您可以通过在命令提示符下使用 MMC 命令然后添加证书管理单元来实现这一点.
2) Import the server certificate authority file into the Machine certificate store under the trusted root. You can get to this by using the MMC command at the command prompt and then adding the Certificates snap in.
3) 将服务器证书导入到机器存储个人证书存储中
3) Import the Server certificate into the Machine store Personal certificate store
4) 在本地账户个人存储中导入客户端证书.您可以通过在命令提示符下键入 certmgr.msc 来执行此操作.
4) Import the client certificate in the local account Personal store. You can do this by typing certmgr.msc at the command prompt.
5) 确保运行带有 SSL 版本的 PHP 的 Apache.如果您已经安装了非 php 版本的 PHP,则可以按照以下步骤将 Apache 服务器配置为使用 SSL 运行.
5) Make sure to have Apache with a SSL version of PHP running. If you already had a non-php version of PHP installed you can follow these steps to configure your Apache server to run using SSL.
内部httpd.conff
a) Remove the comment ‘#’ at line : LoadModule ssl_module modules/mod_ssl.so
b) Remove the comment ‘#’ at the line inside `<IfModule ssl_module>`: Include /extra/httpd-ssl.conf
and move this line after the block `<IfModule ssl_module>…. </IfModule>`
在php.ini
c) Remove the comment ‘;’ at the line which says: extension=php_openssl.dll
6) 使用以下步骤配置 IIS 以使用证书和 SSL:
6) Configure IIS to use a certificate and SSL using the following steps:
a) Right click the 'Default Website' node choose 'Properties'
b) 'Directory Security' tab 'Server Certificate' button. Follow the wizard to select the certificate you imported into the store then complete the wizard and return to the 'Directory Security' tab.
c) Under 'Secure Communications' select the 'Edit' button.
d) Check the 'Require Secure Channel (SSL) checkbox.
7) 创建 PHP SOAP 请求(test() 方法应该是您的 Web 服务中的有效方法):
7) Creating the PHP SOAP request (the test() method should be a valid method in your Web service):
$wsdl = "https://localhost/MyService/myservices.asmx?wsdl";
$local_cert = "C:\SoapCertsClientKeyAndCer.pem";
$soapClient = new SoapClient($wsdl, array('local_cert' => $local_cert));
$theResponse = $soapClient->test();
8) 将此文件放入您的 Apache 目录中.默认:'C:Program FilesApache GroupApache2htdocs'
8) Place this file into your Apache directory. By Default: 'C:Program FilesApache GroupApache2htdocs'
9) 您将需要访问客户端证书.在您生成客户端和服务器证书的步骤中,您还生成了私钥文件.打开 client_prv.pem(客户端私钥文件)并使用文本编辑器将内容复制到新文档中.使用像 Textpad 这样的东西可能更安全,它希望不会添加一堆特殊字符,证书解析器非常挑剔.在私钥部分之后立即放置客户端证书(client_cer.pem)的内容,以便生成的文件是客户端私钥和客户端的未转义副本
9) You will need access to the client certificate. In the steps you took to produce the client and server certificates you also produced the private key files. Open the client_prv.pem (the client private key file) and copy the contents into a new document with a text editor. It is probably safer to use something like Textpad that will hopefully not add a bunch of special characters, certificate parsers are very picky. Immediately after the private key part place the contents of the client certificate (client_cer.pem) so that the resulting file is an un-escaped copy of the client private key and client
证书.将生成的文件保存到您可以从 php 文件访问的目录中.在上面的例子中,结果文件是
certificate. Save the resulting file to a directory you can get to from the php file. In the example above the resulting file is the
'C:SoapCertsClientKeyAndCer.pem' 文件.
'C:SoapCertsClientKeyAndCer.pem' file.
9) 导航到 localhost/nameOfYourFile.php.您应该会看到与服务的成功连接,其响应与您的
9) Navigate to localhost/nameOfYourFile.php. You should see a successful connection to the service with a response matching the expected results from your
Web 服务方法.
这篇关于使用证书创建 PHP SOAP 请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
