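/**
 * Generate a fresh RSA key pair and a self-signed CA certificate, then persist both.
 *
 * Runs only when this instance is configured as a CA ($GLOBALS['isCA']). The
 * key length is taken from $GLOBALS['RSALength'] and the organisation name from
 * $GLOBALS['CAname'].
 *
 * @return bool true when the CA certificate and private key were generated and
 *              stored via setConfig_CAPublishX509()/setConfig_CAPrivateKey();
 *              false when this instance is not a CA or signing failed.
 */
function CreateNewCA()
{
    if (!$GLOBALS['isCA']) {
        return false;
    }

    // CA private key: generate the key pair and load the private half.
    $CAPrivKey = new Crypt_RSA();
    $keyArray = $CAPrivKey->createKey($GLOBALS['RSALength']);
    $CAPrivKey->loadKey($keyArray['privatekey']);

    // CA public key, loaded into its own object so it can be attached to the subject.
    $pubKey = new Crypt_RSA();
    $pubKey->loadKey($keyArray['publickey']);
    $pubKey->setPublicKey();

    // Subject of the CA certificate: organisation name plus the public key.
    $subject = new File_X509();
    $subject->setDNProp('id-at-organizationName', $GLOBALS['CAname'] . ' CA');
    $subject->setPublicKey($pubKey);

    // Self-signed: the issuer carries the same DN and signs with the CA private key.
    $issuer = new File_X509();
    $issuer->setPrivateKey($CAPrivKey);
    $issuer->setDN($subject->getDN());

    $x509 = new File_X509();
    $x509->makeCA();
    // Name the signature algorithm explicitly instead of relying on the library
    // default, which in older phpseclib releases may be SHA-1 based.
    $result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption');
    if ($result === false) {
        // Signing failed (e.g. missing private key or DN on the issuer): do not
        // persist a private key for which no certificate exists.
        return false;
    }

    setConfig_CAPublishX509($x509->saveX509($result));
    setConfig_CAPrivateKey($keyArray['privatekey']);
    return true;
}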
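/**
 * Create a self-signed CA certificate for the given key pair and DN.
 *
 * @param array $keyPair
 *   Array with elements:
 *   - privatekey: string.
 *   - publickey: string.
 * @param string $dn
 *   Distinguished name (e.g. "/O=TestOrg").
 * @return string
 *   Certificate data, as returned by File_X509::saveX509().
 * @throws \InvalidArgumentException
 *   If $keyPair lacks the privatekey or publickey element.
 * @throws \RuntimeException
 *   If the validity end date cannot be computed or signing fails.
 */
public static function create($keyPair, $dn) {
  if (!isset($keyPair['privatekey'], $keyPair['publickey'])) {
    throw new \InvalidArgumentException('$keyPair must contain "privatekey" and "publickey".');
  }

  $privKey = new \Crypt_RSA();
  $privKey->loadKey($keyPair['privatekey']);

  $pubKey = new \Crypt_RSA();
  $pubKey->loadKey($keyPair['publickey']);
  $pubKey->setPublicKey();

  // The subject carries the DN and the public key being certified.
  $subject = new \File_X509();
  $subject->setDN($dn);
  $subject->setPublicKey($pubKey);

  // Self-signed: the issuer uses the same DN and signs with the private key.
  $issuer = new \File_X509();
  $issuer->setPrivateKey($privKey);
  $issuer->setDN($dn);

  $x509 = new \File_X509();
  $x509->makeCA();
  // strtotime() returns false for an unparseable duration; date('c', false)
  // would silently yield the Unix epoch, i.e. an already-expired certificate.
  $expires = strtotime(Constants::CA_DURATION, Time::getTime());
  if ($expires === false) {
    throw new \RuntimeException('Invalid CA duration: ' . Constants::CA_DURATION);
  }
  $x509->setEndDate(date('c', $expires));

  // sign() returns false when the issuer has no private key or DN.
  $result = $x509->sign($issuer, $subject, Constants::CERT_SIGNATURE_ALGORITHM);
  if ($result === false) {
    throw new \RuntimeException('Failed to sign the CA certificate.');
  }
  return $x509->saveX509($result);
}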
// NOTE(review): $CAPrivKey, $privatekey and $publickey are defined earlier in
// this demo script (not shown here) — presumably via Crypt_RSA::createKey() the
// same way the website key pair is produced below; confirm.
$CAPrivKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
// Demo behaviour: the CA private key is written to standard output, so anything
// that captures this output (terminal scrollback, logs) holds the key too.
echo "the private key for the CA cert (can be discarded):\r\n\r\n";
echo $privatekey;
echo "\r\n\r\n";
// create a self-signed cert that'll serve as the CA
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'phpseclib demo CA');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
// Self-signed: the issuer DN is copied from the subject. $CASubject is kept,
// presumably for the certificates issued under this CA further down.
$issuer->setDN($CASubject = $subject->getDN());
$x509 = new File_X509();
$x509->makeCA();
// No signature algorithm is passed, so the library default applies.
$result = $x509->sign($issuer, $subject);
echo "the CA cert to be imported into the browser is as follows:\r\n\r\n";
echo $x509->saveX509($result);
echo "\r\n\r\n";
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
// extract() turns the keys of the returned array into local variables
// ($privatekey, $publickey, ...), overwriting the CA values used above.
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
$subject->setPublicKey($pubKey);
// The script continues past this point (issuer set-up for the website cert).
$issuer = new File_X509();
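/**
 * Generate the CA key pair and self-signed certificate, then a server and a
 * client key pair/certificate for the background service, both signed by that
 * CA; everything is written under Application::$CONFIG_DIRECTORY.
 *
 * DN fields (country, state, locality) are prompted for unless --default is set.
 * Private key files are created with owner-only (0600) permissions.
 *
 * @param InputInterface  $input
 * @param OutputInterface $output
 * @return int 0 on success
 * @throws \RuntimeException if a file cannot be written or a certificate
 *   cannot be signed
 */
protected function execute(InputInterface $input, OutputInterface $output)
{
    $helper = $this->getHelper('question');

    // DN fields shared by every certificate; prompted unless --default is given.
    $options = ['countryName' => 'CN', 'stateOrProvinceName' => 'Shanghai', 'localityName' => 'Shanghai'];
    if (!$input->getOption('default')) {
        foreach ($options as $ask => $default) {
            $q = new Question($ask . '[' . $default . ']: ', $default);
            $options[$ask] = $helper->ask($input, $output, $q);
        }
    }

    $dir = Application::$CONFIG_DIRECTORY;

    // Writes $contents to $path, failing loudly instead of leaving a missing or
    // truncated file behind.
    $writeFile = static function ($path, $contents) {
        if (file_put_contents($path, $contents) === false) {
            throw new \RuntimeException('Unable to write ' . $path);
        }
    };

    // Private keys: file_put_contents() honours the process umask, which usually
    // leaves a new file world-readable. Restrict the umask while the file is
    // created, then chmod so a pre-existing key file is tightened as well.
    $writeKey = static function ($path, $pem) use ($output) {
        $previousUmask = umask(077);
        $written = file_put_contents($path, $pem);
        umask($previousUmask);
        if ($written === false) {
            throw new \RuntimeException('Unable to write ' . $path);
        }
        if (!chmod($path, 0600)) {
            $output->writeln('Warning: could not restrict permissions on ' . $path);
        }
    };

    // Signs $subject with $issuer and returns the serialised certificate.
    // sign() returns false when the issuer lacks a private key or DN.
    $sign = static function (\File_X509 $x509, \File_X509 $issuer, \File_X509 $subject) {
        $result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption');
        if ($result === false) {
            throw new \RuntimeException('Certificate signing failed');
        }
        return $x509->saveX509($result);
    };

    // Serial numbers must be unique per issuer (RFC 5280 §4.1.2.2); the CA,
    // server and client certificates therefore each get a distinct value.
    // A CSPRNG-generated serial would be preferable to fixed values.
    $caSerial = chr(1);
    $serverSerial = chr(2);
    $clientSerial = chr(3);

    $output->writeln('Generating CA private key...');
    $CAPrivKey = new \Crypt_RSA();
    $key = $CAPrivKey->createKey(2048);
    $writeKey($dir . '/cert-ca.key', $key['privatekey']);

    $output->writeln('Generating self-signed CA certificate...');
    $CAPrivKey->loadKey($key['privatekey']);
    $pubKey = new \Crypt_RSA();
    $pubKey->loadKey($key['publickey']);
    $pubKey->setPublicKey();
    $subject = new \File_X509();
    $subject->setDNProp('id-at-organizationName', 'OpenVJ Certificate Authority');
    foreach ($options as $prop => $val) {
        $subject->setDNProp('id-at-' . $prop, $val);
    }
    $subject->setPublicKey($pubKey);
    // Self-signed: the issuer reuses the CA subject DN, which is kept for the
    // leaf certificates below.
    $CASubject = $subject->getDN();
    $issuer = new \File_X509();
    $issuer->setPrivateKey($CAPrivKey);
    $issuer->setDN($CASubject);
    $x509 = new \File_X509();
    $x509->setStartDate('-1 month');
    $x509->setEndDate('+3 year');
    $x509->setSerialNumber($caSerial);
    $x509->makeCA();
    $writeFile($dir . '/cert-ca.crt', $sign($x509, $issuer, $subject));

    $output->writeln('Generating background service SSL private key...');
    $privKey = new \Crypt_RSA();
    $key = $privKey->createKey(2048);
    $writeKey($dir . '/cert-bg-server.key', $key['privatekey']);

    $output->writeln('Generating background service SSL certificate...');
    $pubKey = new \Crypt_RSA();
    $pubKey->loadKey($key['publickey']);
    $pubKey->setPublicKey();
    $subject = new \File_X509();
    $subject->setPublicKey($pubKey);
    $subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Certificate');
    foreach ($options as $prop => $val) {
        $subject->setDNProp('id-at-' . $prop, $val);
    }
    // NOTE(review): an IP literal is passed to setDomain(); confirm phpseclib
    // emits it in a subjectAltName form that clients validating by IP accept.
    $subject->setDomain('127.0.0.1');
    $issuer = new \File_X509();
    $issuer->setPrivateKey($CAPrivKey);
    $issuer->setDN($CASubject);
    $x509 = new \File_X509();
    $x509->setStartDate('-1 month');
    $x509->setEndDate('+3 year');
    $x509->setSerialNumber($serverSerial);
    $writeFile($dir . '/cert-bg-server.crt', $sign($x509, $issuer, $subject));

    $output->writeln('Generating background service client private key...');
    $privKey = new \Crypt_RSA();
    $key = $privKey->createKey(2048);
    $writeKey($dir . '/cert-bg-client.key', $key['privatekey']);

    $output->writeln('Generating background service client certificate...');
    $pubKey = new \Crypt_RSA();
    $pubKey->loadKey($key['publickey']);
    $pubKey->setPublicKey();
    $subject = new \File_X509();
    $subject->setPublicKey($pubKey);
    $subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Client Certificate');
    foreach ($options as $prop => $val) {
        $subject->setDNProp('id-at-' . $prop, $val);
    }
    $issuer = new \File_X509();
    $issuer->setPrivateKey($CAPrivKey);
    $issuer->setDN($CASubject);
    $x509 = new \File_X509();
    $x509->setStartDate('-1 month');
    $x509->setEndDate('+3 year');
    $x509->setSerialNumber($clientSerial);
    // Sign once, reload the result so extensions can be attached to it, then
    // sign the extended certificate again.
    $x509->loadX509($sign($x509, $issuer, $subject));
    $x509->setExtension('id-ce-keyUsage', ['digitalSignature', 'keyEncipherment', 'dataEncipherment']);
    $x509->setExtension('id-ce-extKeyUsage', ['id-kp-serverAuth', 'id-kp-clientAuth']);
    $writeFile($dir . '/cert-bg-client.crt', $sign($x509, $issuer, $x509));

    return 0;
}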