OpenSSL真的需要一个路径openssl.conf？ [英] Does OpenSSL really need a path to openssl.conf?

问题描述

我想在PHP 5.x中创建自签名证书。与我自己的（替代）openssl配置，应该由我的PHP代码定义。 PHP脚本将在不同的环境（共享托管网络服务器）上运行。

官方 PHP手册说：

默认情况下，系统中的信息openssl.conf用于初始化请求;您可以通过设置configargs的config_section_section键来指定配置文件节。您还可以通过将config键的值设置为要使用的文件的路径来指定备用openssl配置文件。以下键（如果存在于configargs中）在openssl中的行为与其等效.conf，如下表所列.....

我的问题：有什么原因我必须指定路径到openssl.conf显式，因为它似乎没有它工作正常：

  $ Configs = array（
' digest_alg'=>'sha1'，
'x509_extensions'=>'v3_ca'，
'req_extensions'=>'v3_req'，
'private_key_bits'=& b $ b'private_key_type'=> OPENSSL_KEYTYPE_RSA，
'encrypt_key'=> true，
'encrypt_key_cipher'=> OPENSSL_CIPHER_3DES 
）; 
 
 $ privkey = openssl_pkey_new（）; 
 $ csr = openssl_csr_new（$ dn，$ privkey，$ Configs）; 
 $ sscert = openssl_csr_sign（$ csr，null，$ privkey，365，$ Configs）; 
   
 
 
 
 编辑：
 
 
 
在 PHP手册的用户提供的笔记中，为什么他们总是指定到openssl.cnf的路径？例如：
  $ configargs = array（
'config'=>'/ etc / ssl / openssl。 cnf'，
'digest_alg'=>'md5'，
'x509_extensions'=>'v3_ca'，
'req_extensions'=>'v3_req'，
' private_key_bits'=> 666，
'private_key_type'=> OPENSSL_KEYTYPE_RSA，
'encrypt_key'=> false，
）; 
  
 
 
解决方案
 OpenSSL中有许多配置设置，在PHP中由$ configargs（传递给OpenSSL函数的PHP参数）定义。
 
 
 
如果不指定备用openssl配置文件，默认openssl.cnf。
 
 
 
建议：由于您的脚本将在不同的服务器上运行，因此您应该始终使用自己的openssl.cnf。
 
 
 
只需创建一个简单的文本文件，并将以下4行。然后将路径传递给您正在使用的OpenSSL函数（查看上面的第二个示例）。
  distinguished_name = req_distinguished_name 
 [req_distinguished_name] 
 [v3_req] 
 [v3_ca] 
  
似乎这4行是最小的openssl.cnf必须包含的。
 
I want to create a self-signed-certificate in PHP 5.x. with my own (alternative) openssl configuration which should be defined by my PHP code. The PHP script will run on different environments (shared hosting webservers).

The official PHP Manual says:

  
By default, the information in your system openssl.conf is used to initialize the request; you can specify a configuration file section by setting the config_section_section key of configargs. You can also specify an alternative openssl configuration file by setting the value of the config key to the path of the file you want to use. The following keys, if present in configargs behave as their equivalents in the openssl.conf, as listed in the table below.....
My question: Is there a reason why I have to specify the path to openssl.conf explicitly, because it seems to work fine without it:
$Configs = array(       
    'digest_alg' => 'sha1',
    'x509_extensions' => 'v3_ca',
    'req_extensions' => 'v3_req',
    'private_key_bits' => 1024,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'encrypt_key' => true,
    'encrypt_key_cipher' => OPENSSL_CIPHER_3DES
);

$privkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $privkey, $Configs);
$sscert = openssl_csr_sign($csr, null, $privkey, 365, $Configs);
Edit:

In the user contributed notes on the PHP Manual, why do they always specify a path to openssl.cnf? For example:
$configargs = array(
    'config' => '/etc/ssl/openssl.cnf',
    'digest_alg' => 'md5',
    'x509_extensions' => 'v3_ca',
    'req_extensions'   => 'v3_req',
    'private_key_bits' => 666,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'encrypt_key' => false,
);

解决方案
There are many configuration settings in OpenSSL that can't be defined in PHP by $configargs (the PHP parameters you pass to the OpenSSL functions).

If you don't specify an alternative openssl configuration file, it will automatically take the default openssl.cnf.

Recommendation: Since your script will run on different servers, you should always use your own openssl.cnf.

Just create a simple text file and put the following 4 lines in it. Then pass the path to it to the OpenSSL function you are using (look at your second example above).
distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_ca]
It seems that these 4 lines are the minimum openssl.cnf must contain.

                        
这篇关于OpenSSL真的需要一个路径openssl.conf？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！