openssl_csr_new() not working... getting a 404 error !

From: Tetedeiench (iench_at_altern.org)
Date: 10/05/03

• Next message: KAH: "Re: PHP and Sessions"
• Previous message: JVlad: "Re: PHP IDEs HEEEELP!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Date: 5 Oct 2003 04:09:53 -0700

Hi !

I am currently changing the server for my website, and i make a heavy
use of openssl functions.

Both servers use PHP4.3.3 with OpenSSL 0.9.6i.

I was actually testing with this code, taken out from PHP's
documentation :

<?php
// Fill in data for the distinguished name to be used in the cert
// You must change the values of these keys to match your name and
// company, or more precisely, the name and company of the person/site
// that you are generating the certificate for.
// For SSL certificates, the commonName is usually the domain name of
// that will be using the certificate, but for S/MIME certificates,
// the commonName will be the name of the individual who will use the
// certificate.
$dn = array(
    "countryName" => "UK",
    "stateOrProvinceName" => "Somerset",
    "localityName" => "Glastonbury",
    "organizationName" => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Documentation Team",
    "commonName" => "Wez Furlong",
    "emailAddress" => "wez@php.net"
);
 
// Generate a new private (and public) key pair
$privkey = openssl_pkey_new();
 
// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey);
 
// You will usually want to create a self-signed certificate at this
// point until your CA fulfills your request.
// This creates a self-signed cert that is valid for 365 days
$sscert = openssl_csr_sign($csr, null, $privkey, 365);
 
// Now you will want to preserve your private key, CSR and self-signed
// cert so that they can be installed into your web server, mail
server
// or mail client (depending on the intended use of the certificate).
// This example shows how to get those things into variables, but you
// can also store them directly into files.
// Typically, you will send the CSR on to your CA who will then issue
// you with the "real" certificate.
openssl_csr_export($csr, $csrout) and debug_zval_dump($csrout);
openssl_x509_export($sscert, $certout) and debug_zval_dump($certout);
openssl_pkey_export($privkey, $pkeyout, "mypassword") and
debug_zval_dump($pkeyout);
 
// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>

It is working perfectly fine on my previous server ( as it should).
However, not on the new server.

What is strange is I am not getting any error return. Just a plain
"Page not found" error. The error occurs whenever I put a
openssl_csr_new() call in my page. I can generate private key
flawlessly, but not generate any certificate...

Do you have any idea of what is happening ?

Both server's are using PHP of the same version, OpenSSL too ( same
version). the only noticeable difference is :
-The new one is using ZEND performance suite ( licensed )

-New server ( failing) configure command :
Configure Command './configure'
'--with-apxs=/usr/local/apache/bin/apxs' '--with-dbase'
'--with-filepro' '--with-xml' '--enable-ftp' '--with-db'
'--enable-bcmath' '--enable-calendar' '--with-jpeg-dir'
'--with-png-dir' '--with-gd' '--enable-gd-native-ttf'
'--with-freetype-dir' '--with-gettext' '--with-pgsql=/usr'
'--with-mysql=/usr' '--with-zlib-dir' '--enable-trans-sid'
'--with-imap' '--with-kerberos' '--with-imap-ssl' '--with-openssl'
'--enable-sysvsem' '--enable-sysvshm' '--with-curl=/usr/local/lib'

-Old server ( OK) configure commands :
'./configure' '--enable-discard-path'
'--with-config-file-path=/usr/local/lib' '--enable-sigchild'
'--enable-magic-quotes' '--enable-short-tags' '--with-exec-dir=/home/'
'--with-openssl' '--disable-rpath' '--enable-libgcc' '--disable-pic'
'--with-zlib=/' '--enable-bcmath' '--enable-calendar'
'--with-curl=/usr/local' '--with-gdbm=/usr'
'--with-db3=/usr/local/BerkeleyDB.3.3' '--enable-dbase'
'--enable-xslt' '--with-xslt-sablot' '--with-dom' '--with-dom-xslt'
'--with-dom-exslt' '--enable-exif' '--enable-mbstring'
'--enable-mbregex' '--enable-filepro' '--enable-ftp'
'--with-ming=/usr/local' '--with-gd=/usr/local'
'--enable-gd-native-tt' '--with-jpeg-dir=/usr'
'--with-png-dir=/usr/local' '--with-ttf=/usr/local'
'--with-t1lib=/usr' '--with-gettext=/usr' '--with-imap=/usr/local'
'--with-kerberos' '--with-imap-ssl' '--with-mcrypt=/usr/local'
'--with-mhash=/usr/local' '--with-mysql=/usr'
'--with-pdflib=/usr/local' '--with-jpeg-dir=/usr'
'--with-png-dir=/usr/local' '--with-tiff-dir=/usr'
'--with-sablot=/usr/local' '--with-expat-dir=/usr'
'--enable-trans-sid' '--with-regex=system' '--enable-sysvsem'
'--enable-sysvshm' '--enable-wddx' '--with-zziplib=/usr'
'--enable-inline-optimization' '--with-gnu-ld'

Thanks for your help ! It's been 2 days I'm stuck on that thing :( :(

tetedeiench

---

• Next message: KAH: "Re: PHP and Sessions"
• Previous message: JVlad: "Re: PHP IDEs HEEEELP!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Relevant Pages Re: Private key generation ... As I wrote in my first answer to that thread - there are many situations when key pair is generated on trusted server. ... identity based encryption) simply requires generation of private key on server... ... High assurance keys (especially these that afterward are split in multiple shares using secret sharing schemes) may also require use of specialized equipment and computers that runs in a tempest/EM shielded locations. ... Default scenario supported by Microsoft Certificate Server is the most standard CA mode when CA just signs X509 certificate with emedded public keys. ... (microsoft.public.dotnet.security) RPC over HTTP, Microsoft solution ... Exchange Server 2003 RPC over HTTP Deployment Scenarios ... Place a check in the box next to 'Certificate Services' and click 'Yes' ... (microsoft.public.exchange.setup) Re: Certificate key access under Network Service in IIS 6 ... Haven't done that because I've been remoted in to the customer's server. ... It is likely the private key file but might be a registry key as well. ... I can get the signing process to work if I have the IIS Application Pool configured to run under SYSTEM but running under the preferred NETWORK SERVICE account the private key access of the certificate fails. ... (microsoft.public.dotnet.security) Re: OWA 2003 w/ Smart Card Authentication. ... Exchange 2003 server via ActivSync. ... the IIS certificate. ... Whether or not authentication will succeed is completely dictated by ... Server's SSL certificate must be configured on root of v-server via ... (microsoft.public.exchange.connectivity) Re: How to use certificates? ... I expect that server will know the client public key, ... > private key for that certificate. ... (microsoft.public.dotnet.framework.webservices.enhancements)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)