
Does OpenSSL really need a path to openssl.conf?


I want to create a self-signed certificate in PHP 5.x with my own (alternative) openssl configuration, which should be defined by my PHP code. The PHP script will run in different environments (shared-hosting web servers).

The official PHP Manual says:

By default, the information in your system openssl.conf is used to initialize the request; you can specify a configuration file section by setting the config_section_section key of configargs. You can also specify an alternative openssl configuration file by setting the value of the config key to the path of the file you want to use. The following keys, if present in configargs behave as their equivalents in the openssl.conf, as listed in the table below...

My question: Is there a reason why I have to specify the path to openssl.conf explicitly, because it seems to work fine without it:

// Per-request settings only; no 'config' key, so the system openssl.cnf is used.
$Configs = array(
    'digest_alg' => 'sha1',
    'x509_extensions' => 'v3_ca',
    'req_extensions' => 'v3_req',
    'private_key_bits' => 1024,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'encrypt_key' => true,
    'encrypt_key_cipher' => OPENSSL_CIPHER_3DES
);

// Subject of the certificate (sample values, assumed; the original snippet left $dn undefined).
$dn = array(
    'countryName' => 'DE',
    'organizationName' => 'Example Org',
    'commonName' => 'example.test'
);

// Pass $Configs here too, otherwise private_key_bits/private_key_type are ignored.
$privkey = openssl_pkey_new($Configs);
$csr = openssl_csr_new($dn, $privkey, $Configs);
// cacert = null makes the certificate self-signed.
$sscert = openssl_csr_sign($csr, null, $privkey, 365, $Configs);

Edit:

In the user contributed notes on the PHP Manual, why do they always specify a path to openssl.cnf? For example:

$configargs = array(
    'config' => '/etc/ssl/openssl.cnf',
    'digest_alg' => 'md5',
    'x509_extensions' => 'v3_ca',
    'req_extensions'   => 'v3_req',
    'private_key_bits' => 666,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'encrypt_key' => false,
);

Solution

  • There are many configuration settings in OpenSSL that can't be defined in PHP by $configargs (the PHP parameters you pass to the OpenSSL functions).

    If you don't specify an alternative openssl configuration file, it will automatically take the default openssl.cnf.

    Recommendation: Since your script will run on different servers, you should always use your own openssl.cnf.

    Just create a simple text file and put the following 4 lines in it. Then pass the path to it to the OpenSSL function you are using (look at your second example above).

    distinguished_name  = req_distinguished_name
    [req_distinguished_name]
    [v3_req]
    [v3_ca]

    It seems that these 4 lines are the minimum openssl.cnf must contain.
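The approach in this answer, as an added example that is not part of the question or the answer: the script writes the four-line openssl.cnf to a temporary file, points the 'config' key at it, and builds the key, CSR and self-signed certificate. It assumes PHP 7 or later with the openssl extension; the subject values are constructed, and sha256 with 2048-bit RSA replaces the sha1/1024-bit settings from the question.

```php
<?php
// Added example: self-signed certificate with a script-supplied openssl.cnf,
// so the result does not depend on whatever openssl.cnf the host ships.
// The four lines from the answer above, written to a temp file at run time.
$minimalCnf = "distinguished_name  = req_distinguished_name\n"
            . "[req_distinguished_name]\n[v3_req]\n[v3_ca]\n";

function makeSelfSignedCert(array $dn, $cnfContent, $days = 365)
{
    $cnfPath = tempnam(sys_get_temp_dir(), 'openssl_cnf_');
    if ($cnfPath === false || file_put_contents($cnfPath, $cnfContent) === false) {
        throw new RuntimeException('cannot write temporary openssl.cnf');
    }
    // 'config' pins the configuration file; the other keys override
    // per-request settings exactly as they would in openssl.cnf.
    $configargs = array(
        'config'           => $cnfPath,
        'digest_alg'       => 'sha256',
        'x509_extensions'  => 'v3_ca',
        'req_extensions'   => 'v3_req',
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    );
    try {
        $privkey = openssl_pkey_new($configargs);
        $csr     = $privkey ? openssl_csr_new($dn, $privkey, $configargs) : false;
        // cacert = null: the CSR is signed with its own key (self-signed).
        $cert    = $csr ? openssl_csr_sign($csr, null, $privkey, $days, $configargs) : false;
        if (!$cert) {
            throw new RuntimeException('OpenSSL error: ' . openssl_error_string());
        }
        openssl_x509_export($cert, $certPem);
        openssl_pkey_export($privkey, $keyPem, null, $configargs); // unencrypted PEM
    } finally {
        unlink($cnfPath); // do not leave the config behind in the shared temp dir
    }
    return array('cert' => $certPem, 'key' => $keyPem);
}

// Constructed sample subject.
$dn = array('countryName' => 'DE', 'organizationName' => 'Example Org',
            'commonName' => 'example.test');
$pair = makeSelfSignedCert($dn, $minimalCnf);
$info = openssl_x509_parse($pair['cert']);
echo $info['subject']['CN'], ' valid until ',
     date('c', $info['validTo_time_t']), PHP_EOL;
```

Check the result with `openssl x509 -noout -text` on the exported PEM to confirm the digest and key size actually came from $configargs rather than from the host's default file.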