I need to open remote resources that are signed by a private company's Certificate Authority. Right now, PHP won't open the resources because it doesn't trust the certificate signer.
I know you can do certificates with the stream context object, but I'm looking for a way to give PHP the public key of a new Certificate Authority and have the file() and similar methods trust remote certificates signed by that authority without having to create a stream context each time.
Is there a way to add a new Certificate Authority to php.ini? I tried adding the CA's public key to /etc/ssl/certs/, but it doesn't seem to be recognized.
Curl uses a single file with all of the CAs in it. To add a new CA to Curl/PHP, you need to get a complete bundle, add your cert to the bundle, then tell PHP to use the custom bundle.
Download the latest bundle from CURL and save it to /etc/ssl/certs/cacert.pem:
curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
Edit the /etc/ssl/certs/cacert.pem file, and add your new CA public key to the bottom.
Edit php.ini and add the line openssl.cafile=/etc/ssl/certs/cacert.pem to the top (or bottom).
Restart the webserver.
I figured out the following steps:
Find your php.ini with
php -i | grep "Loaded Configuration File"
Inside php.ini, verify/specify the path to the certs:
curl.cainfo = /your/path/cacert.pem
openssl.cafile = /your/path/cacert.pem
And the trickiest part:
If you need a custom certificate to be added, append it to /your/path/cacert.pem.
It looks like this:
-----BEGIN CERTIFICATE-----
BLABLABLABLABLABLABLABLABLA
BLABLABLABLABLABLABLABLABLA
-----END CERTIFICATE-----
I didn't have to restart anything in my case (only PHP script itself) but I guess it depends.
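The procedure in both answers above, as an added example that is not code from either answer or from PHP/curl: it downloads the curl bundle, appends the private CA exactly once (refusing key files and duplicates), proves with `openssl verify` that the bundle validates a certificate issued by that CA, optionally repeats that check from inside PHP with `openssl_x509_checkpurpose()` against the same file, and prints the two php.ini lines. The bundle path, the private-CA file name, the optional server certificate, and the availability of the `openssl` and `php` command-line tools are assumptions.

```shell
#!/bin/sh
# Added example, not code from either answer above. It performs the procedure
# both answers describe: download the curl bundle, append a private CA to it
# exactly once, prove that the bundle validates a certificate issued by that CA
# (from the shell and, if the php CLI is present, from inside PHP), and print
# the php.ini lines to set. Paths and the bundle URL are assumptions.
set -eu

BUNDLE_URL="https://curl.haxx.se/ca/cacert.pem"   # same source as the first answer

# fetch_bundle BUNDLE: download the public bundle atomically (no partial file left behind).
fetch_bundle() {
    curl -fsS --remote-time -o "$1.new" "$BUNDLE_URL" && mv "$1.new" "$1"
}

# cert_fingerprint PEM: SHA-256 fingerprint of the certificate in PEM; fails if it is not a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# bundle_fingerprints BUNDLE: one fingerprint line per certificate block in the bundle.
bundle_fingerprints() {
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] && cert_fingerprint "$c" || true   # skip unparsable blocks
    done
    rm -rf "$tmp"
}

# count_certs BUNDLE: number of PEM certificate blocks in the bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# append_ca BUNDLE CA_PEM: add the CA certificate to BUNDLE unless it is already there.
append_ca() {
    bundle="$1"
    ca="$2"
    # Never let a private key slip into a world-readable trust store.
    if grep -q 'PRIVATE KEY-----' "$ca"; then
        echo "refusing $ca: it contains a private key" >&2
        return 1
    fi
    # Parse it as X.509; this also rejects a pasted CSR, a key, or garbage.
    fp=$(cert_fingerprint "$ca") || {
        echo "refusing $ca: not a PEM certificate" >&2
        return 1
    }
    # Idempotent: an earlier run (or the upstream bundle) may already carry it.
    if bundle_fingerprints "$bundle" | grep -qxF "$fp"; then
        echo "already in bundle: $fp"
        return 0
    fi
    # A bundle whose last line lacks a newline would glue two PEM blocks together.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    # Re-emit only the certificate block, dropping any "Bag Attributes" or comments.
    openssl x509 -in "$ca" >> "$bundle"
    echo "appended: $fp"
}

# verify_against BUNDLE CERT: does CERT chain to a CA in BUNDLE? (exit status only)
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# php_check BUNDLE SERVER_PEM: the same chain check from inside PHP, using the
# bundle php.ini will point at; skipped when the php CLI is not installed.
php_check() {
    command -v php >/dev/null 2>&1 || { echo "php CLI not found, skipping PHP check"; return 0; }
    php -r '
        $cert = openssl_x509_read(file_get_contents($argv[2]));
        $ok = openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, [$argv[1]]);
        exit($ok === true ? 0 : 1);
    ' "$1" "$2"
}

# php_ini_lines BUNDLE: the directives both answers add to php.ini.
php_ini_lines() {
    printf 'openssl.cafile=%s\ncurl.cainfo=%s\n' "$1" "$1"
}

# main BUNDLE CA_PEM [SERVER_PEM]; SERVER_PEM is the remote host's certificate,
# e.g. saved from "openssl s_client -showcerts", used to prove the chain first.
main() {
    fetch_bundle "$1"
    append_ca "$1" "$2"
    echo "bundle now holds $(count_certs "$1") certificates"
    if [ -n "${3:-}" ]; then
        verify_against "$1" "$3" || { echo "chain check FAILED, not touching php.ini" >&2; exit 1; }
        php_check "$1" "$3" && echo "PHP chain check OK"
    fi
    echo "now put these lines in php.ini and restart PHP (or the web server):"
    php_ini_lines "$1"
}

if [ $# -ge 2 ]; then main "$@"; fi   # e.g. sh ca-bundle.sh /etc/ssl/certs/cacert.pem private-ca.pem server.pem
```

Deduplicating by fingerprint rather than by text matters because the upstream bundle is re-downloaded on every run: appending blindly grows the file each time, and `openssl verify` against the bundle (with the real server certificate) is the check to run before editing php.ini, since PHP's own error on a trust failure says nothing about which CA was missing.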