4

I'm trying to have a specific page on my site only accessible to people after X.509 authentication. Catch is, I want it to be available to all clients who have a matching certificate issued by a specific Intermediate CA (I intend to have a few Intermediate CAs underneath a self-generated Root CA, but only a client certificate issued by one specific Intermediate CA can access this page). Is this possible using PHP?

Let me know if I need to elaborate further, and I'll try and add more detail. Thanks for your help!

TC

TC Fox
  • If you're lucky you might find a CGI environment variable to confirm the CA http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#envvars - if the server negotiates the SSL/TLS connection with a client's certificate (if that's what you were attempting). – mario Aug 27 '11 at 02:32

2 Answers

3

Yes. When you get the cert information using the SSL extension and the openssl_x509_parse function, you'll get access to all the information in the cert. You should be able to do this in your PHP script:

var_dump(openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']));

You should see in that array that there's an 'issuer' key with an array containing information about the client cert issuer, and I'm going to assume that gets you the information you need.

gview
  • Took forever to get Apache to behave with my Client Cert, but yes, that's exactly what I need. Thanks! – TC Fox Sep 05 '11 at 08:24
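
Added example, not part of either answer and not any project's own code: the issuer check described above, extended so that it also verifies the client certificate's signature against the one allowed intermediate CA's key instead of trusting the issuer name alone. The function names, CA names and certificates are hypothetical and constructed at run time (self-signed stand-ins for the two intermediates); it assumes PHP 7.4+ and Apache mod_ssl's `SSL_CLIENT_VERIFY` and `SSL_CLIENT_CERT` variables, and shows a certificate from the pinned CA being accepted while one from a sibling CA is rejected.

```php
<?php
// Added example; requires PHP 7.4+ for openssl_x509_verify().

// True only if mod_ssl validated the client certificate AND it was signed
// by the single pinned intermediate CA ($pinnedCaPem, PEM certificate).
function issuedByPinnedCa(array $server, string $pinnedCaPem): bool
{
    $pem = $server['SSL_CLIENT_CERT'] ?? ''; // needs "SSLOptions +ExportCertData"
    // mod_ssl reports SUCCESS only after its own chain validation passed.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS' || $pem === '') {
        return false;
    }
    $client = openssl_x509_parse($pem);
    $ca     = openssl_x509_parse($pinnedCaPem);
    $caKey  = openssl_pkey_get_public($pinnedCaPem);
    if ($client === false || $ca === false || $caKey === false) {
        return false;
    }
    // Issuer name must equal the pinned CA's subject, and the signature must
    // verify under the pinned CA's key; a name match alone proves nothing
    // about which key signed the certificate.
    return $client['issuer'] == $ca['subject']
        && openssl_x509_verify($pem, $caKey) === 1;
}

// Constructed test material: self-signed stand-ins for two intermediate CAs.
function makeCert(string $cn, $caCert = null, $caKey = null): array
{
    $key  = openssl_pkey_new(['private_key_bits' => 2048,
                              'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $opts = ['digest_alg' => 'sha256'];
    $csr  = openssl_csr_new(['commonName' => $cn], $key, $opts);
    $cert = openssl_csr_sign($csr, $caCert, $caKey ?? $key, 30, $opts);
    openssl_x509_export($cert, $pem);
    return [$pem, $key];
}

[$caA, $keyA] = makeCert('Intermediate CA A');
[$caB, $keyB] = makeCert('Intermediate CA B');
[$alice] = makeCert('alice', $caA, $keyA);
[$bob]   = makeCert('bob', $caB, $keyB);

foreach (['alice' => $alice, 'bob' => $bob] as $name => $pem) {
    $server = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $pem];
    echo $name, ': ', issuedByPinnedCa($server, $caA) ? 'allowed' : 'denied', PHP_EOL;
}
```
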
1

If you didn't want to use OpenSSL you could use the latest SVN of phpseclib, a pure PHP X.509 parser, e.g.:

<?php
include('File/X509.php');

$x509 = new File_X509();
$x509->loadX509($_SERVER['SSL_CLIENT_CERT']);
echo $x509->getIssuerDN(true);
?>
neubert