使用证书创建PHP SOAP请求 [英] Creating a PHP SOAP request with a certificate

问题描述

我正在尝试创建一个到具有自签名证书的.NET Web服务的PHP SOAP连接，以便锁定通过HTTPS进行通信的服务。我继续得到错误，我不确定它是否与我创建证书的方式，我的Apache / PHP设置，我尝试建立SOAP请求的方式或其他方面有关。如果有人有任何指示，他们将不胜感激。提前致谢。

I am attempting to create a PHP SOAP connection to a .NET Web Service that has a self-signed certificate in order to lock down the service for communication over HTTPS. I continue to get error's and I'm not sure if it has something to do with the way I create the certificate, my Apache/PHP setup, the way I attempt to establish the SOAP request or something else. If anyone has any pointers they will be greatly appreciated. Thanks in advance.

这就是我创建证书的方式。

This is how I am creating the certificate.

1. 创建受信任的根私钥：

1. Create the trusted root private key:

genrsa -out ca_authority_prv.pem 2048

genrsa -out ca_authority_prv.pem 2048

创建受信任的根权限证书：

Create the trusted root authority cert:

req -new -key ca_authority_prv.pem -x509 -out ca_authority_cert.pem

req -new -key ca_authority_prv.pem -x509 -out ca_authority_cert.pem

使证书颁发机构信任：

Make the cert authority trusted:

x509 -in ca_authority_cert.pem -out ca_authority_trust.pem -trustout

x509 -in ca_authority_cert.pem -out ca_authority_trust.pem -trustout

退出OpenSSL并创建一个串行文件：

Exit OpenSSL and create a serial file:

echo 1000> ca_authority.srl

echo 1000 > ca_authority.srl

创建客户私钥：

Create the client private key:

genrsa -out Client_prv.pem 2048

genrsa -out Client_prv.pem 2048

创建客户端请求：

Create the client request:

req -new -key Client_prv.pem -out Client_req.pem

req -new -key Client_prv.pem -out Client_req.pem

与CA签署客户请求：

Sign the client request with the CA:

x509 -req -CA ca_authority_trust.pem -CAserial ca_authority.srl -CAkey ca_authority_prv。 pem -in Client_req.pem -out Client_cert.pem

x509 -req -CA ca_authority_trust.pem -CAserial ca_authority.srl -CAkey ca_authority_prv.pem -in Client_req.pem -out Client_cert.pem

为客户端证书制作pfx

Make the pfx for the client cert

pkcs12 -export -in Client_cert.pem -inkey Client_prv.pem -out Client_cert.pfx

pkcs12 -export -in Client_cert.pem -inkey Client_prv.pem -out Client_cert.pfx

IIS设置

创建此证书后，我按照相同的步骤获取服务器证书和：

IIS Setup

Once this certificate is created I follow the same steps for a server certificate and:

1. 将受信任的根CA添加到计算机受信任的根存储

1. Add the trusted root CA to the Machine Trusted Root Store

将服务器证书添加到计算机商店

Add the server certificate to the machine store

设置IIS以使用服务器证书并要求客户端证书

Setup IIS to use the server certificate and require client certificates

PHP SOAP请求

这是我用来建立PHP SOAP请求的代码（下面是错误）：

PHP SOAP Request

This is the code I am using to establish the PHP SOAP request (below is the error):

$wsdl = "https://localhost/MyService/MyService.asmx";
$local_cert = "C:\\Certs\client_cert.pem";
$passphrase = "openSaysMe";

    $soapClient = new SoapClient($wsdl, array('local_cert'=>  $local_cert,'passphrase'=>$passphrase));
    $theResponse = $soapClient->test();

错误

ERROR

Warning: SoapClient::SoapClient() [soapclient.soapclient]: Unable to set private key file `C:\Certs\client_cert.pem' in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: failed to create an SSL handle in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: Failed to enable crypto in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient(https://localhost/MyService/MyService.asmx) [soapclient.soapclient]: failed to open stream: operation failed in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning : failed to load external entity "https://localhost/MyService/MyService.asmx" in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53
Error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost/MyService/MyService.asmx'

错误日志

ERROR LOG

PHP Warning:  SoapClient::SoapClient() [<a href='soapclient.soapclient'>soapclient.soapclient</a>]: failed to create an SSL handle in C:\\Program Files\\Apache Group\\Apache2\\htdocs\\soapWithAuth.php on line 54

推荐答案

我设法让这个工作，但有一些我想知道的奇怪。特别是需要将客户端证书和私钥组合到单个文件中以与Soap请求以及证书密码短语一起发送，这打破了请求，尽管PHP Soap文档明确地将其作为选项包含在内。如果有人有关于如何改进这一点的意见，我很乐意听到它。

I managed to get this working but there are some oddities that I wonder about. Specifically the need to combine the client certificate and private key into a single file to send along with the Soap Request as well as the certificate pass-phrase was breaking the request although the PHP Soap documentation explicitly includes it as an option. If anyone has input on how to improve this I would love to hear it.

1）创建OpenSsl客户端和服务器证书并使用证书颁发机构签名。创建证书时不要为它们分配密码，只需在该点按Enter键即可。

1) Create the OpenSsl client and server certificates and sign them with the certificate authority. When creating the certificate do not assign a passphrase to them, just hit the enter button at that point.

2）将服务器证书颁发机构文件导入受信任根目录下的计算机证书存储区。您可以通过在命令提示符处使用MMC命令，然后添加证书管理单元来实现此目的。

2) Import the server certificate authority file into the Machine certificate store under the trusted root. You can get to this by using the MMC command at the command prompt and then adding the Certificates snap in.

3）将服务器证书导入计算机存储个人证书存储区

3) Import the Server certificate into the Machine store Personal certificate store

4）在本地帐户个人存储中导入客户端证书。您可以通过在命令提示符下键入certmgr.msc来执行此操作。

4) Import the client certificate in the local account Personal store. You can do this by typing certmgr.msc at the command prompt.

5）确保Apache运行SSL版本的PHP。如果您已经安装了非PHP版本的PHP，则可以按照以下步骤将Apache服务器配置为使用SSL运行。

5) Make sure to have Apache with a SSL version of PHP running. If you already had a non-php version of PHP installed you can follow these steps to configure your Apache server to run using SSL.

内部 httpd.conff

a) Remove the comment ‘#’ at line : LoadModule ssl_module modules/mod_ssl.so

b) Remove the comment ‘#’ at the line inside `<IfModule ssl_module>`:  Include /extra/httpd-ssl.conf

   and move this line after the block `<IfModule ssl_module>…. </IfModule>`  

在 php.ini

c) Remove the comment ‘;’ at the line which says: extension=php_openssl.dll

6）使用以下步骤配置IIS以使用证书和SSL：

6) Configure IIS to use a certificate and SSL using the following steps:

a) Right click the 'Default Website' node choose 'Properties'

b) 'Directory Security' tab 'Server Certificate' button. Follow the wizard to select the certificate you imported into the store then complete the wizard and return to the 'Directory Security' tab.

c) Under 'Secure Communications' select the 'Edit' button. 

d) Check the 'Require Secure Channel (SSL) checkbox.

7）创建PHP SOAP请求（test（）方法应该是Web中的有效方法服务）：

7) Creating the PHP SOAP request (the test() method should be a valid method in your Web service):

$wsdl = "https://localhost/MyService/myservices.asmx?wsdl";
$local_cert = "C:\\SoapCerts\ClientKeyAndCer.pem";

$soapClient = new SoapClient($wsdl, array('local_cert' => $local_cert));

$theResponse = $soapClient->test();

8）将此文件放入Apache目录。默认情况下：'C：\Program Files\Apache Group\Apache2\htdocs'

8) Place this file into your Apache directory. By Default: 'C:\Program Files\Apache Group\Apache2\htdocs'

9）您需要访问客户端证书。在生成客户端和服务器证书的步骤中，您还生成了私钥文件。打开client_prv.pem（客户端私钥文件）并使用文本编辑器将内容复制到新文档中。使用像Textpad这样的东西可能更安全，希望不会添加一堆特殊字符，证书解析器非常挑剔。私钥部分之后立即放置客户端证书（client_cer.pem）的内容，以便生成的文件是客户端私钥和客户端的未转义副本

9) You will need access to the client certificate. In the steps you took to produce the client and server certificates you also produced the private key files. Open the client_prv.pem (the client private key file) and copy the contents into a new document with a text editor. It is probably safer to use something like Textpad that will hopefully not add a bunch of special characters, certificate parsers are very picky. Immediately after the private key part place the contents of the client certificate (client_cer.pem) so that the resulting file is an un-escaped copy of the client private key and client

证书。将生成的文件保存到您可以从php文件中获取的目录中。在上面的示例中，生成的文件是

certificate. Save the resulting file to a directory you can get to from the php file. In the example above the resulting file is the

'C：\SoapCerts\ClientKeyAndCer.pem'文件。

'C:\SoapCerts\ClientKeyAndCer.pem' file.

9）导航到localhost / nameOfYourFile.php。您应该看到与服务的成功连接，其响应与您的

9) Navigate to localhost/nameOfYourFile.php. You should see a successful connection to the service with a response matching the expected results from your

Web服务方法的预期结果相匹配。

Web service method.

这篇关于使用证书创建PHP SOAP请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！