Set notBefore of x509 certificate in the past using OpenSSL and PHP


Problem description

The internal clock of my server that signs certificate requests is apparently a few seconds faster than the client clocks. Therefore I need to set the "Not before" in the certificate a few seconds in the past when I sign a csr. I do not want to set back the internal clock of the server since that seems like a hackish solution.

Currently I sign the csr and generate a certificate using:

$usercert = @openssl_csr_sign($csr, $cacert, $privkey, intval(CERT_VAL_PERIOD), $cnf);

Is there any way to achieve what I want by modifying openssl.cnf or using a different signing function?

Recommended answer

Using phpseclib, a pure PHP X509 implementation...

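<?php
// phpseclib class files
include 'File/X509.php';
include 'Crypt/RSA.php';

// Subject: the CSR to be signed
$subject = new File_X509();
$subject->loadCSR($csr);

// CA private key used for signing
$privkeyobj = new Crypt_RSA();
$privkeyobj->loadKey($privkey);

// Issuer: the CA certificate together with its private key
$issuer = new File_X509();
$issuer->loadX509($cacert);
$issuer->setPrivateKey($privkeyobj);

// New certificate: serial number and validity window (notBefore / notAfter)
$x509 = new File_X509();
$x509->setSerialNumber(pack('N', time()));
$x509->setStartDate('-1 day'); // or -1 hour or whatever
$x509->setEndDate('+' . intval(CERT_VAL_PERIOD) . ' days'); // or +365 days - 2 hours or whatever

// Sign the CSR with the issuer and output the certificate in PEM form
$result = $x509->sign($issuer, $subject);
echo $x509->saveX509($result);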
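
A check that can be run on any issued certificate to confirm its notBefore is backdated enough for clients whose clocks run behind the signer. This is an added example, not code from the original post or from phpseclib; it uses only PHP's openssl extension, and the function name `notBeforeMargin`, the 300-second tolerance and the throwaway test certificate are assumptions made for illustration.

```php
<?php
// Added example: post-issuance check of a certificate's notBefore margin.
// notBeforeMargin() and the 300-second tolerance are hypothetical, not from the page.

/**
 * Returns how many seconds notBefore lies before $now (negative means it is
 * still in the future) and whether that margin covers the allowed clock skew.
 */
function notBeforeMargin(string $certPem, int $allowedSkew, ?int $now = null): array
{
    $info = openssl_x509_parse($certPem);
    if ($info === false || !isset($info['validFrom_time_t'])) {
        throw new RuntimeException('cannot parse certificate');
    }
    $now = $now ?? time();
    $margin = $now - $info['validFrom_time_t'];
    return [
        'notBefore' => gmdate('Y-m-d\TH:i:s\Z', $info['validFrom_time_t']),
        'margin'    => $margin,
        'ok'        => $margin >= $allowedSkew,
    ];
}

// Constructed sample: throwaway key and CSR, self-signed with the same
// openssl_csr_sign() call the question uses, which stamps notBefore at signing time.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'skew-test.example'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
if ($cert === false) {
    throw new RuntimeException('signing failed: ' . openssl_error_string());
}
openssl_x509_export($cert, $pem);

// Signer's view: does notBefore leave at least 300 seconds of headroom?
$check = notBeforeMargin($pem, 300);
printf("notBefore=%s margin=%ds covers 300s skew: %s\n",
    $check['notBefore'], $check['margin'], $check['ok'] ? 'yes' : 'no');

// Client's view: the same certificate evaluated with a clock 10 seconds behind.
$client = notBeforeMargin($pem, 0, time() - 10);
printf("client 10s behind: %s\n", $client['ok'] ? 'accepted' : 'rejected as not yet valid');
```

Passing the PEM produced by the phpseclib code above to `notBeforeMargin()` instead of the sample certificate shows whether the chosen `setStartDate()` offset covers the skew you expect.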
