问题描述
签署证书请求的服务器的内部时钟显然比客户端时钟快几秒钟.因此,当我签署 csr 时,我需要在过去几秒钟的证书中设置Not before".我不想设置服务器的内部时钟,因为这似乎是一个骇人听闻的解决方案.
The internal clock of my server that signs certificate requests is apparently a few seconds faster that the client clocks. Therefore I need to set the "Not before" in the certificate a few seconds in the past when I sign a csr. I do not want to set back the internal clock of the server since that seems like a hackish solution.
目前我签署了 csr 并使用以下方法生成证书:
Currently I sign the csr and generate a certificate using:
$usercert = @openssl_csr_sign($csr, $cacert, $privkey, intval(CERT_VAL_PERIOD), $cnf);
有什么办法可以通过修改openssl.cnf或使用不同的签名功能来实现我想要的吗?
Is there any way to achieve what I want by modifying openssl.cnf or using a different signing function?
推荐答案
使用 phpseclib 的纯 PHP X509实施...
<?php
include 'File/X509.php';
include 'Crypt/RSA.php';
$subject = new File_X509();
$subject->loadCSR($csr);
$privkeyobj = new Crypt_RSA();
$privkeyobj->loadKey($privkey);
$issuer = new File_X509();
$issuer->loadX509($cacert);
$issuer->setPrivateKey($privkeyobj);
$x509 = new File_X509();
$x509->setSerialNumber(pack('N', time()));
$x509->setStartDate('-1 day'); // or -1 hour or whatever
$x509->setEndDate('+' . intval(CERT_VAL_PERIOD) . ' days'); // or +365 days - 2 hours or whatever
$result = $x509->sign($issuer, $subject);
echo $x509->saveX509($result);
这篇关于过去使用 OpenSSL 和 PHP 设置 x509 证书的 notBefore的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!