
SSL and cURL 1


Neily

Programmer
Jul 27, 2000
342
GB
We have a 2 Windows servers.

One runs IIS which is configured to use SSL and require a client certificate. It is also the Root CA using Windows CA services.

The second runs WAMP and a PHP site using cURL.

We can get SSL to work without client certs, but can't generate a client certificate that works.

Can someone please help us with generating a client cert of the correct format and also point out which CURLOPTS to use?

Thanks
Neil
 
you want to make sure that the key and certificate are separated. and that you have both. Use PEM if you can.

Code:
// $url is the HTTPS endpoint that requires a client certificate
$c = curl_init($url);
$opts = array(
    CURLOPT_SSL_VERIFYPEER => true,   // check the server cert against CURLOPT_CAINFO
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYHOST => 2,      // 2 = also check the hostname; 1 is rejected by current cURL
    CURLOPT_CAINFO => '/path/to/ca.crt',
    CURLOPT_SSLKEY => '/path/to/client.key',   // private key in its own PEM file
    CURLOPT_SSLCERT => '/path/to/client.crt',  // client certificate only, PEM
    CURLOPT_SSLCERTTYPE => 'PEM',
    CURLOPT_SSLKEYTYPE => 'PEM');
curl_setopt_array($c, $opts);   // the PHP function is curl_setopt_array
$response = curl_exec($c);
if ($response === false) {
    echo curl_errno($c) . ' - ' . curl_error($c);
}
curl_close($c);

try the above. you might not need options 1 and 3 if you don't care about peer verification.
 
Hi JPadie,

Other than the odd option we never used, that is pretty much what we did.

So, I think it must be a problem with our certs. We use OpenSSL to generate a CSR that we then sign with our Windows CA.

Do you know what the correct commands would be so that we get the correct key and cert types, but can sign with our WinCA?

Thanks
 
i use macs, so am not familiar with windows CA management. i suggest you ask in the Win Server forum.

personally, when I did use windows, i did not use the built in CA but instead used easy-rsa distributed with openssl.

but, to be clear, you should have the keys in separated PEM format. ideally ASCII.

have you examined the contents of curl_error() to see if anything else may be wrong?

 
The curl_error() says something like:

"58 - unable to set certificate file (wrong password?)"

If I disable the requirement for client certificates it all works, but I need to use client certs.
 
ah. then you have to supply the password for the certificate too.
check out these options;
CURLOPT_SSLCERTPASSWD
CURLOPT_SSLKEYPASSWD
 
We tried that, but still the error remained.

I've used the WinCA before, but not really with client certs.

We are trying out an OpenSSL CA now, so hopefully this will be better. I'll post my results.

Thanks
 
i've always found easy-rsa to be the easiest and quickest to use. wrongly or rightly i do NOT use password protected certs either.
 
I've set up OpenSSL as our CA and again with just a server cert it works as before.

I created a client csr and signed it with openssl, but when I use it with CURL I now get:

ERROR 22: The requested URL returned error: 403

Any ideas?
 
have you separated the key and ensured that both cert and key are in PEM format?
are you able to use the cert and key to access the resource in a browser?
 
I had the same problems, but the receiving party had absolutely no knowledge whatsoever about certificates. Me neither, but at least I was willing to find out about them. So I had to do the diagnosing for both sides. If you did not already do so, download the curl command-line client. Forget PHP until you can connect from the command line. Read the help. That should keep you busy for more than an hour, but this hour is well spent. Make notes. There are a lot of options that you can use. One of the problems I encountered was that I had to contact a URL that was not known in any nameserver. They told us to adapt the "hosts file" but we could not do that. (Technically we could, but then we could not test and be live at the same moment, as the hosts files were conflicting for those environments.) So I had to add an HTTP header, connect by IP address and give the option --insecure to suppress the name lookup warning.

You will find that the verbose output of the command-line client will tell you a lot (make sure you also get the HTTP headers) and give you a lot of options to tailor the request. Once you are able to connect from the command-line, look up the corresponding PHP constants and do it in PHP.

Good luck!


+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 
With certs imported into IE, it gives us 403.

We also seem to be getting errors where our key doesn't match the cert.

I've read so much, I'm getting slightly confused!
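A worked example, added here and not code from the thread or from any of the posters. It covers the question about OpenSSL commands for a client key and CSR, the advice to keep key and certificate as separate PEM files, and the "key doesn't match the cert" symptom just mentioned: it builds a throwaway OpenSSL CA, signs a client CSR with a clientAuth extension, splits a password-protected PKCS#12 bundle (the form a Windows CA export usually takes) into separate PEM files, and then checks that the key belongs to the certificate, that the certificate chains to the CA, and that the key is not encrypted. It assumes only that the openssl CLI is on PATH; all names, paths and the server hostname are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed;
# every file name, subject and hostname below is invented.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Throwaway root CA (key + self-signed cert). A real CA key stays offline.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client key and CSR. -nodes leaves the key unencrypted, so cURL needs no
# CURLOPT_SSLKEYPASSWD and the "wrong password?" branch of error 58 cannot fire.
make_client_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=neil-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Sign the CSR as a TLS client certificate. extendedKeyUsage matters: a cert
# issued for serverAuth only parses fine but is not a client credential.
sign_client_cert() {
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' \
        > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

# A Windows CA export usually arrives as one password-protected .pfx bundle;
# cURL's OpenSSL backend wants the key and the cert as two PEM files.
split_pfx() {   # split_pfx bundle.pfx password outprefix
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3.key" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3.crt" 2>/dev/null
}

# Does the private key belong to the certificate? Compare the public keys.
# A mismatch is what cURL reports as error 58 "unable to set certificate file".
key_matches_cert() {   # key_matches_cert key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Does the cert chain to the CA the server trusts? If it does not, the
# handshake may still complete and the application then answers 403.
cert_chains_to_ca() {  # cert_chains_to_ca ca.crt cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Can cURL load the key with no CURLOPT_SSLKEYPASSWD at all?
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" && openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# All three checks on one key/cert pair; non-zero exit on the first failure.
check_pair() {   # check_pair key.pem cert.pem
    key_matches_cert "$1" "$2" && cert_chains_to_ca "$WORK/ca.crt" "$2" && key_is_unencrypted "$1"
}

demo() {
    make_ca; make_client_csr; sign_client_cert
    check_pair "$WORK/client.key" "$WORK/client.crt"
    echo "client.key/client.crt: match, chain to ca.crt, key unencrypted"
    # Round-trip through PKCS#12 to show that the split-out PEM files still pass.
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -passout pass:export-secret -out "$WORK/client.pfx" 2>/dev/null
    split_pfx "$WORK/client.pfx" export-secret "$WORK/from_pfx"
    check_pair "$WORK/from_pfx.key" "$WORK/from_pfx.crt"
    echo "from_pfx.key/from_pfx.crt: match, chain to ca.crt, key unencrypted"
    # Command-line equivalent of the CURLOPTs earlier in the thread, for
    # testing from the shell before PHP is involved (hostname is invented):
    echo "curl -v --cacert $WORK/ca.crt --cert $WORK/client.crt --key $WORK/client.key https://server.example/"
}
demo
```

The last line printed is the curl command line that uses the same three files as CURLOPT_CAINFO, CURLOPT_SSLCERT and CURLOPT_SSLKEY, so the certificate problem can be separated from the PHP problem the way Hex suggests. If check_pair fails on a real export, the failing function name tells you which of the three causes (mismatched key, wrong CA, encrypted key) you are looking at.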
 
well since IE exhibits the same behaviour as curl you've ruled out php as being an issue.

what do the server logs say?

and ... you are using the newly generated server certs on the web server, aren't you?

and ... is the hostname properly set in the server certificate (so that it matches the domain)?
 
Thanks to all who replied.

We eventually got it working, however, it seems that there was something wrong elsewhere.

Its now working perfectly, and I did use some of the tips above to help me anyway!

Thanks
 
excellent. are you able to post your final solution to assist future readers?
 