Search code examples
phpcurlpublic-key-encryptionpem

Source of PEM files for web service access


I should have paid more attention to my classes that covered security. I'm quite confused about something. To start, here's the background of what I'm trying to accomplish.

I have a web service that I need to access. The web service is set up as HTTPS. The traffic between client and server is encrypted (this doesn't have to do with authentication).

I'm interacting with the web service via cURL and PHP. I've gotten an example to work locally over HTTP and I'm fairly confident I'm on the right track with regards to cURL/PHP side of things.

When using the HTTP version of the code to access a web service over HTTPS, I am getting an error code 60 "SSL certificate problem, verify that the CA cert is OK" (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

From my reading, it seems that I need a PEM file and I need to set additional cURL options such as the following:

  • CURLOPT_CAINFO
  • CURLOPT_SSLCERT
  • CURLOPT_SSLKEYPASSWD

My question is how do I know where to get the PEM file or whether I can simply make it? This is probably going to be an obvious answer as I'm sure I'm missing something but I figure I just need to ask and get the background I'm missing.

Amendment: The web service is using a certificate signed by VeriSign. So it's not a self signed certificate. Also, the web service is owned and operated by an external organization.

Thanks.


Solution

  • Despite googling around prior to asking this, it seems I've stumbled upon the answer after a bit of back-n-fourth with 'thatidiotguy' (his user name, not my name for him. ;-) ).

    cURL, out of the box, does not trust any CA (VeriSign or otherwise). This needs to be setup on your server. To "solve" the problem, you have two options. You can bypass the verification with the following command:

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    

    Note that this is not optimal with regards to security. Any certificate, signed by a CA or not, will be accepted as trusted.

    The proper fix involves getting the original certificate (in my case this means the web service) and "exporting" the certificate as a X.509 Certificate (PEM). The certificate then needs to appropriately moved to the server and the following configurations set:

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); //Check that the common name exists and that it matches the host name of the server
    curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/path/to/cert/my-exported.crt"); //PEM file
    

    Source: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/