
I have a question about building an authentication system with SSL certificates. My idea is to store the data in the database (I know how to do that) and, when the user presents the certificate, have the system check the cert values and know where to put the user. But there are some things that are not quite clear (I might sound nooby, but don't judge me):

  1. How to make the certificate with PHP?
  2. How to make the system request specific details from the client? (As on StartSSL)
  3. Do I have to sign the private certificate or something?

P.S.: I am using the HostGator Business Plan, if this makes any difference. I have requested them to issue a private SSL certificate.

2 Answers

I have never used StartSSL; however, many individuals and companies alike use SSL APIs and auth now, like the new(ish) Facebook SDK.

Note that self-signed certificates are not supported as a valid security mechanism by many browsers and other software.

You cannot make SSL certificates in PHP; instead you must make them using a tool like OpenSSL. Here is a brief tutorial I found on Google: http://www.akadia.com/services/ssh_test_certificate.html .

SSL is mainly designed to make the transfer of data across the line a little more secure. When reading in connections through PHP you would validate the certificate to see if it matches the one it is supposed to (http://stackoverflow.com/questions/3081042/how-to-get-ssl-certificate-info-with-curl-in-php), much like how a browser downloads a site's SSL cert and then uses that to create a secure connection. I wouldn't imagine you would have a certificate per user.

After this, all your data goes over HTTPS rather than HTTP, allowing for SSL auth.

Depending on the SSL auth system, if it is an API then your cURL request would be sent over HTTPS rather than HTTP.

If you are making this for a login page on a website then it is a lot simpler than I have said above (well, in theory; there are still a lot of things you can mess up). If you are doing this then you would simply add the SSL cert to your server and then add it to your server config (another quick tutorial for Apache from Google: http://www.digicert.com/ssl-certificate-installation-apache.htm ) and then literally proceed as you normally would, redirecting the user to an https version of the login page and the login processing page (making sure you have a vhost for 443 if you're in Apache).

Edit: OpenSSL does have a PHP API, as I just remembered, so I was wrong there.

This is how I see SSL auth going down.


15 Comments

What if I sign the certificate with a valid CA? openssl_csr_sign() requires a CA if I have one, and I have =D. Won't the certificate be valid?

@D.Dimitrov Indeed, if it is signed by a valid provider it will be counted as valid; it is only when you self-sign it that problems occur.

@D.Dimitrov So, to answer "Do I have to sign the private certificate or something?": No, you would get your CA to sign it.

So I have to sign them with the CA cert of the issuer of the site certificate, or doesn't it matter as long as it is signed with a valid CA?

@D.Dimitrov Doesn't matter, so long as it is signed by someone who is authorised, so be sure to shop around for a cheaper deal if you think your hosting provider (the one who activated the certs) is ripping you off. Though their activation of the cert might include signing, so check that with them; you may have hit two birds with one stone.

1) Method to create a new SSL certificate with PHP:

    // Subject (distinguished name) fields for the client certificate
    $dn = array(
        "countryName" => 'Country',
        "organizationName" => 'Org',
        "commonName" => 'Common name',
        "emailAddress" => '[email protected]',
    );

    // Signature digest; note that SHA-1 signatures are rejected by
    // modern browsers and CAs, so SHA256 is the safer choice today
    $configArgs = array(
        'digest_alg' => 'SHA1',
    );

    // Fresh key pair for the client and a CSR built from it
    $clientKey = openssl_pkey_new();
    $csr = openssl_csr_new($dn, $clientKey, $configArgs);

    // Random password protecting the exported PKCS#12 bundle
    $password = trim(base64_encode(openssl_random_pseudo_bytes(8)), '/=');

    // Random serial; openssl_csr_sign() expects an integer here
    $serial = random_int(1, PHP_INT_MAX);

    // Sign the CSR with the CA certificate and CA private key (both in ca.pem),
    // valid for 1095 days (three years)
    $cert = openssl_csr_sign(
        $csr,
        'file:///etc/ssl/ca/ca.pem',
        'file:///etc/ssl/ca/ca.pem',
        1095,
        $configArgs,
        $serial
    );

    // Bundle certificate and private key as PKCS#12 for the client to install
    openssl_pkcs12_export($cert, $clientCertPkcs12, $clientKey, $password);
    openssl_x509_free($cert);
    $sslData = array(
        'serial' => $serial, // random serial
        'sslkey' => $password,
        'created_at' => time(),
        'sslpfx' => $clientCertPkcs12
    );

    openssl_pkey_free($clientKey);

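As an added illustration (not code from either answer), here is the other half of the scheme above: looking up the user from a client certificate that Apache has already validated against the CA (with `SSLVerifyClient require`, `SSLOptions +StdEnvVars +ExportCertData`), keyed on the serial stored at issuance. The `$knownClients` array stands in for the database table and its serials are constructed sample values.

```php
<?php
// Added example: map a CA-validated client certificate to a stored user.
// $knownClients is a stand-in for the database table; serials are samples.
$knownClients = [
    '1234567' => ['user' => 'alice', 'role' => 'admin'],
    '7654321' => ['user' => 'bob',   'role' => 'member'],
];

function authenticateClientCert(array $server, array $knownClients): ?array
{
    // Apache sets SSL_CLIENT_VERIFY to SUCCESS only when the chain
    // validated against the configured CA bundle; anything else is rejected.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $pem = $server['SSL_CLIENT_CERT'] ?? ''; // requires SSLOptions +ExportCertData
    if ($pem === '') {
        return null;
    }
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        return null;
    }
    // Reject expired or not-yet-valid certificates explicitly rather than
    // relying on subject fields alone.
    $now = time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        return null;
    }
    // The serial assigned in openssl_csr_sign() is the lookup key; the CN
    // is informational and never used as the identity on its own.
    $serial = $info['serialNumber'];
    if (!isset($knownClients[$serial])) {
        return null;
    }
    return $knownClients[$serial] + ['cn' => $info['subject']['CN'] ?? ''];
}

$user = authenticateClientCert($_SERVER, $knownClients);
if ($user === null) {
    http_response_code(403);
    exit('Client certificate not accepted');
}
// Route the user by role, as the question describes.
echo "Welcome {$user['user']} ({$user['role']})";
```

A revoked certificate still passes this check unless Apache is also configured with a CRL (`SSLCARevocationFile`) or the serial is marked revoked in the table, so deleting the row at revocation time is the simplest safeguard.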
