
I can create an SSL key and certificate with the following script:

    <?php
    $name = 'example_ss';  // Output files: example_ss_crt.pem and example_ss_key.pem (no CSR file is written)
    $data = [
        "countryName" => "US",
        "stateOrProvinceName" => "CA",
        "localityName" => "San Francisco",
        "organizationName" => "example.net",
        "organizationalUnitName" => "example.net",
        "commonName" => "example.net",
        "emailAddress" => "exampleATgmailDOTcom"
    ];
    $pem_passphrase = 'secret';  // Only used if the passphrase-protected export below is enabled

    // Generate a key pair, a CSR from it, and a self-signed certificate valid for 365 days
    $key  = openssl_pkey_new();
    $csr  = openssl_csr_new($data, $key);
    $cert = openssl_csr_sign($csr, null, $key, 365);

    // Export certificate and private key as PEM strings
    $pem = [];
    openssl_x509_export($cert, $pem[0]);
    file_put_contents($name.'_crt.pem', $pem[0]);          // certificate only
    //openssl_pkey_export($key, $pem[1], $pem_passphrase); // Use this line instead to protect the key with a passphrase
    openssl_pkey_export($key, $pem[1]);                    // unencrypted private key
    // Note: this concatenates certificate AND key, so _key.pem ends up holding both PEM blocks
    $pem = implode($pem);

    file_put_contents($name.'_key.pem', $pem);

Move them as required:

    sudo mv example_ss_crt.pem /etc/pki/tls/certs/example_ss_crt.pem
    sudo mv example_ss_key.pem /etc/pki/tls/private/example_ss_key.pem

And everything works fine.

But when I create them manually: (w/ and w/o using -sha256)

    openssl req -x509 -newkey rsa:4096 -keyout example_ss_key.pem -out example_ss_crt.pem -days 365 -nodes

And move them as I did for the previous, I get the following error:

    Unable to complete SSL/TLS handshake: stream_socket_enable_crypto():
    Unable to set local cert chain file `/etc/pki/tls/private/example_ss_key.pem';
    Check that your cafile/capath settings include details of your certificate and its issuer

What is the difference between these two sets of keys, and how do I create them manually? I don't think it is relevant, but they are being used for a TCP socket connection between CentOS 7 and a Raspberry Pi.

EDIT. The server is created with the following script. I am not using a passphrase.

    $loop = \React\EventLoop\Factory::create();
    $server = new \React\Socket\TcpServer($this->host['url'].':'.$this->host['port'], $loop);
    if($this->host['tls']) {
        $server = $this->host['privateKey']
        ?new \React\Socket\SecureServer($server, $loop, ['local_cert' => $this->host['privateKey'],'passphrase' => $this->host['passphrase'] ])
        :new \React\Socket\SecureServer($server, $loop, ['local_cert' => $this->host['privateKey'] ]);
    }

Dummy mistake. http://php.net/manual/en/context.ssl.php

local_cert string Path to local certificate file on filesystem. It must be a PEM encoded file which contains your certificate and private key. It can optionally contain the certificate chain of issuers. The private key also may be contained in a separate file specified by local_pk.

  • You don't say where the error message is coming from and you only show the code to generate the certificate and not where you use it. The error message *Unable to set local cert chain file ... example_ss_key.pem* suggests that you've used the key file `example_ss_key.pem` as certificate and not as key. – Steffen Ullrich Jun 18 '17 at 19:07
  • @SteffenUllrich Error occurs when client attempts to connect. I am pretty sure I am using the right ones, but could be wrong. The funny part is how the first key works when I use the php script to create it. I am now thinking maybe I need to combine them? – user1032531 Jun 18 '17 at 19:17
  • Combining key and cert into a single file should at least make it impossible to inadvertently switch the file names for key and cert, which I suspect is the case in your (still unknown) code. – Steffen Ullrich Jun 18 '17 at 19:25
  • @SteffenUllrich I will check in detail. Given your confidence, I suspect you are correct as well. – user1032531 Jun 18 '17 at 19:29
  • @SteffenUllrich Yes, you are correct. Thank you – user1032531 Jun 18 '17 at 19:33
  • @SteffenUllrich I don't know what is going on!!! I switched them, and it still doesn't work. Then I combined them, and it works. Why? Thanks – user1032531 Jun 18 '17 at 19:43
  • @SteffenUllrich Turns out I didn't read the man. See end of my original post. – user1032531 Jun 18 '17 at 19:53
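The manual route the question asks about, as an added example (not code from the question or from ReactPHP): the same `openssl req` command with a `-subj` so it runs unattended, the concatenation that produces the single PEM file `local_cert` expects, and a pre-flight check that a file really holds a certificate plus its matching private key before it is handed to `SecureServer`. File names and the scratch directory are constructed; the key size is lowered to 2048 bits only to keep the example fast.

```shell
#!/bin/sh
# Added example (not from the question): build key, self-signed certificate and the
# combined PEM that PHP's local_cert expects, then check a file before using it as local_cert.
set -eu

# make_tls_pair DIR NAME: writes NAME_key.pem, NAME_crt.pem and NAME_combined.pem in DIR.
make_tls_pair() {
    dir=$1; name=$2
    # Same openssl req invocation as the question, plus -subj so it runs unattended.
    # rsa:2048 keeps the example fast; the question uses rsa:4096.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=US/ST=CA/L=San Francisco/O=example.net/CN=example.net" \
        -keyout "$dir/${name}_key.pem" -out "$dir/${name}_crt.pem" 2>/dev/null
    # local_cert wants certificate AND private key in one PEM file (the PHP script got
    # this by accident: implode() wrote both blocks into its _key.pem). Certificate first.
    cat "$dir/${name}_crt.pem" "$dir/${name}_key.pem" > "$dir/${name}_combined.pem"
    # Private key material: readable by the owner only.
    chmod 600 "$dir/${name}_key.pem" "$dir/${name}_combined.pem"
}

# check_local_cert FILE: succeeds only if FILE holds a certificate and the matching private
# key, which is what the "Unable to set local cert chain file" error was complaining about.
check_local_cert() {
    f=$1
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) \
        || { echo "$f: no certificate block"; return 1; }
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) \
        || { echo "$f: no private key block"; return 1; }
    # Both commands print the SubjectPublicKeyInfo in PEM form; they must be identical.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$f: private key does not match certificate"; return 1; }
    echo "$f: certificate and matching private key present"
}

# Constructed usage: scratch directory, same file names as in the question.
work=$(mktemp -d)
make_tls_pair "$work" example_ss
check_local_cert "$work/example_ss_combined.pem"
```

Running `check_local_cert` against `example_ss_key.pem` or `example_ss_crt.pem` alone fails with the missing block named, which is the quick way to tell the two file sets in the question apart.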
