Menu
I am attempting to create a PHP SOAP connection to a .NET Web Service that has a self-signed certificate in order to lock down the service for communication over HTTPS. I continue to get error's and I'm not sure if it has something to do with the way I create the certificate, my Apache/PHP setup, the way I attempt to establish the SOAP request or something else. If anyone has any pointers they will be greatly appreciated. Thanks in advance.
This is how I am creating the certificate.
Create the trusted root private key:
genrsa -out ca_authority_prv.pem 2048
Create the trusted root authority cert:
req -new -key ca_authority_prv.pem -x509 -out ca_authority_cert.pem
Make the cert authority trusted:
x509 -in ca_authority_cert.pem -out ca_authority_trust.pem -trustout
Exit OpenSSL and create a serial file:
echo 1000 > ca_authority.srl
Create the client private key:
genrsa -out Client_prv.pem 2048
Create the client request:
req -new -key Client_prv.pem -out Client_req.pem
Sign the client request with the CA:
x509 -req -CA ca_authority_trust.pem -CAserial ca_authority.srl -CAkey ca_authority_prv.pem -in Client_req.pem -out Client_cert.pem
Make the pfx for the client cert
pkcs12 -export -in Client_cert.pem -inkey Client_prv.pem -out Client_cert.pfx
Once this certificate is created I follow the same steps for a server certificate and:
Add the trusted root CA to the Machine Trusted Root Store
Add the server certificate to the machine store
Setup IIS to use the server certificate and require client certificates
This is the code I am using to establish the PHP SOAP request (below is the error):
$wsdl = "https://localhost/MyService/MyService.asmx";
$local_cert = "C:\\Certs\client_cert.pem";
$passphrase = "openSaysMe";
$soapClient = new SoapClient($wsdl, array('local_cert'=> $local_cert,'passphrase'=>$passphrase));
$theResponse = $soapClient->test();
Warning: SoapClient::SoapClient() [soapclient.soapclient]: Unable to set private key file `C:\Certs\client_cert.pem' in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53
Warning: SoapClient::SoapClient() [soapclient.soapclient]: failed to create an SSL handle in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53
Warning: SoapClient::SoapClient() [soapclient.soapclient]: Failed to enable crypto in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53
Warning: SoapClient::SoapClient(https://localhost/MyService/MyService.asmx) [soapclient.soapclient]: failed to open stream: operation failed in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53
Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning : failed to load external entity "https://localhost/MyService/MyService.asmx" in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 53
Error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost/MyService/MyService.asmx'
PHP Warning: SoapClient::SoapClient() [<a href='soapclient.soapclient'>soapclient.soapclient</a>]: failed to create an SSL handle in C:\\Program Files\\Apache Group\\Apache2\\htdocs\\soapWithAuth.php on line 54
330
A side note: there is a way to make successful SOAP request and keep the private key and certificate file separated. To do this, you have to create a stream context and pass that as the context option:
<?php
$wsdl = "https://localhost/MyService/MyService.asmx";
$context = stream_context_create(
array(
"ssl" => array(
"local_cert" => "C:\\Certs\client_cert.pem",
"local_pk" => "/path/to/private/key"
)
)
);
$client = new \SoapClient($wsdl, array("context" => $context));
I managed to get this working but there are some oddities that I wonder about. Specifically the need to combine the client certificate and private key into a single file to send along with the Soap Request as well as the certificate pass-phrase was breaking the request although the PHP Soap documentation explicitly includes it as an option. If anyone has input on how to improve this I would love to hear it.
1) Create the OpenSsl client and server certificates and sign them with the certificate authority. When creating the certificate do not assign a passphrase to them, just hit the enter button at that point.
2) Import the server certificate authority file into the Machine certificate store under the trusted root. You can get to this by using the MMC command at the command prompt and then adding the Certificates snap in.
3) Import the Server certificate into the Machine store Personal certificate store
4) Import the client certificate in the local account Personal store. You can do this by typing certmgr.msc at the command prompt.
5) Make sure to have Apache with a SSL version of PHP running. If you already had a non-php version of PHP installed you can follow these steps to configure your Apache server to run using SSL.
Inside httpd.conff
a) Remove the comment ‘#’ at line : LoadModule ssl_module modules/mod_ssl.so
b) Remove the comment ‘#’ at the line inside `<IfModule ssl_module>`: Include /extra/httpd-ssl.conf
and move this line after the block `<IfModule ssl_module>…. </IfModule>`
Inside php.ini
c) Remove the comment ‘;’ at the line which says: extension=php_openssl.dll
6) Configure IIS to use a certificate and SSL using the following steps:
a) Right click the 'Default Website' node choose 'Properties'
b) 'Directory Security' tab 'Server Certificate' button. Follow the wizard to select the certificate you imported into the store then complete the wizard and return to the 'Directory Security' tab.
c) Under 'Secure Communications' select the 'Edit' button.
d) Check the 'Require Secure Channel (SSL) checkbox.
7) Creating the PHP SOAP request (the test() method should be a valid method in your Web service):
$wsdl = "https://localhost/MyService/myservices.asmx?wsdl";
$local_cert = "C:\\SoapCerts\ClientKeyAndCer.pem";
$soapClient = new SoapClient($wsdl, array('local_cert' => $local_cert));
$theResponse = $soapClient->test();
8) Place this file into your Apache directory. By Default: 'C:\Program Files\Apache Group\Apache2\htdocs'
9) You will need access to the client certificate. In the steps you took to produce the client and server certificates you also produced the private key files. Open the client_prv.pem (the client private key file) and copy the contents into a new document with a text editor. It is probably safer to use something like Textpad that will hopefully not add a bunch of special characters, certificate parsers are very picky. Immediately after the private key part place the contents of the client certificate (client_cer.pem) so that the resulting file is an un-escaped copy of the client private key and client
certificate. Save the resulting file to a directory you can get to from the php file. In the example above the resulting file is the
'C:\SoapCerts\ClientKeyAndCer.pem' file.
9) Navigate to localhost/nameOfYourFile.php. You should see a successful connection to the service with a response matching the expected results from your
Web service method.
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With