問(wèn)題描述

我正在嘗試創(chuàng)建一個(gè)到具有自簽名證書(shū)的 .NET Web 服務(wù)的 PHP SOAP 連接，以便鎖定該服務(wù)以通過(guò) HTTPS 進(jìn)行通信.我繼續(xù)遇到錯(cuò)誤，我不確定它是否與我創(chuàng)建證書(shū)的方式、我的 Apache/PHP 設(shè)置、我嘗試建立 SOAP 請(qǐng)求的方式或其他方式有關(guān).如果有人有任何指示，他們將不勝感激.提前致謝.

I am attempting to create a PHP SOAP connection to a .NET Web Service that has a self-signed certificate in order to lock down the service for communication over HTTPS. I continue to get error's and I'm not sure if it has something to do with the way I create the certificate, my Apache/PHP setup, the way I attempt to establish the SOAP request or something else. If anyone has any pointers they will be greatly appreciated. Thanks in advance.

這就是我創(chuàng)建證書(shū)的方式.

This is how I am creating the certificate.

1. 創(chuàng)建受信任的根私鑰:

1. Create the trusted root private key:

genrsa -out ca_authority_prv.pem 2048

genrsa -out ca_authority_prv.pem 2048

IIS 設(shè)置

創(chuàng)建此證書(shū)后，我對(duì)服務(wù)器證書(shū)執(zhí)行相同的步驟，并且:

IIS Setup

Once this certificate is created I follow the same steps for a server certificate and:

1. 將受信任的根 CA 添加到機(jī)器受信任的根存儲(chǔ)

1. Add the trusted root CA to the Machine Trusted Root Store

將服務(wù)器證書(shū)添加到機(jī)器存儲(chǔ)區(qū)

Add the server certificate to the machine store

設(shè)置 IIS 以使用服務(wù)器證書(shū)并需要客戶端證書(shū)

Setup IIS to use the server certificate and require client certificates

PHP SOAP 請(qǐng)求

這是我用來(lái)建立 PHP SOAP 請(qǐng)求的代碼(以下是錯(cuò)誤):

PHP SOAP Request

This is the code I am using to establish the PHP SOAP request (below is the error):

$wsdl = "https://localhost/MyService/MyService.asmx";
$local_cert = "C:\Certsclient_cert.pem";
$passphrase = "openSaysMe";

    $soapClient = new SoapClient($wsdl, array('local_cert'=>  $local_cert,'passphrase'=>$passphrase));
    $theResponse = $soapClient->test();

錯(cuò)誤

Warning: SoapClient::SoapClient() [soapclient.soapclient]: Unable to set private key file `C:Certsclient_cert.pem' in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: failed to create an SSL handle in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: Failed to enable crypto in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53

Warning: SoapClient::SoapClient(https://localhost/MyService/MyService.asmx) [soapclient.soapclient]: failed to open stream: operation failed in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53

Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning : failed to load external entity "https://localhost/MyService/MyService.asmx" in C:Program FilesApache GroupApache2htdocssoapWithAuth.php on line 53
Error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://localhost/MyService/MyService.asmx'

錯(cuò)誤日志

PHP Warning:  SoapClient::SoapClient() [<a href='soapclient.soapclient'>soapclient.soapclient</a>]: failed to create an SSL handle in C:\Program Files\Apache Group\Apache2\htdocs\soapWithAuth.php on line 54

推薦答案

我設(shè)法讓它工作了，但我想知道一些奇怪的地方.特別是需要將客戶端證書(shū)和私鑰組合到一個(gè)文件中以與 Soap 請(qǐng)求以及證書(shū)密碼短語(yǔ)一起發(fā)送，這破壞了請(qǐng)求，盡管 PHP Soap 文檔明確將其作為一個(gè)選項(xiàng)包含在內(nèi).如果有人對(duì)如何改進(jìn)這一點(diǎn)有意見(jiàn)，我很樂(lè)意聽(tīng)到.

I managed to get this working but there are some oddities that I wonder about. Specifically the need to combine the client certificate and private key into a single file to send along with the Soap Request as well as the certificate pass-phrase was breaking the request although the PHP Soap documentation explicitly includes it as an option. If anyone has input on how to improve this I would love to hear it.

1) 創(chuàng)建 OpenSsl 客戶端和服務(wù)器證書(shū)，并使用證書(shū)頒發(fā)機(jī)構(gòu)對(duì)其進(jìn)行簽名.創(chuàng)建證書(shū)時(shí)不要為它們分配密碼，只需在此時(shí)按下 Enter 按鈕即可.

1) Create the OpenSsl client and server certificates and sign them with the certificate authority. When creating the certificate do not assign a passphrase to them, just hit the enter button at that point.

2) 將服務(wù)器證書(shū)頒發(fā)機(jī)構(gòu)文件導(dǎo)入受信任根下的 Machine 證書(shū)庫(kù).您可以通過(guò)在命令提示符下使用 MMC 命令然后添加證書(shū)管理單元來(lái)實(shí)現(xiàn)這一點(diǎn).

2) Import the server certificate authority file into the Machine certificate store under the trusted root. You can get to this by using the MMC command at the command prompt and then adding the Certificates snap in.

3) 將服務(wù)器證書(shū)導(dǎo)入到機(jī)器存儲(chǔ)個(gè)人證書(shū)存儲(chǔ)中

3) Import the Server certificate into the Machine store Personal certificate store

4) 在本地賬戶個(gè)人存儲(chǔ)中導(dǎo)入客戶端證書(shū).您可以通過(guò)在命令提示符下鍵入 certmgr.msc 來(lái)執(zhí)行此操作.

4) Import the client certificate in the local account Personal store. You can do this by typing certmgr.msc at the command prompt.

5) 確保運(yùn)行帶有 SSL 版本的 PHP 的 Apache.如果您已經(jīng)安裝了非 php 版本的 PHP，則可以按照以下步驟將 Apache 服務(wù)器配置為使用 SSL 運(yùn)行.

5) Make sure to have Apache with a SSL version of PHP running. If you already had a non-php version of PHP installed you can follow these steps to configure your Apache server to run using SSL.

內(nèi)部httpd.conff

a) Remove the comment ‘#’ at line : LoadModule ssl_module modules/mod_ssl.so

b) Remove the comment ‘#’ at the line inside `<IfModule ssl_module>`:  Include /extra/httpd-ssl.conf

   and move this line after the block `<IfModule ssl_module>…. </IfModule>`  

在php.ini

c) Remove the comment ‘;’ at the line which says: extension=php_openssl.dll

6) 使用以下步驟配置 IIS 以使用證書(shū)和 SSL:

6) Configure IIS to use a certificate and SSL using the following steps:

a) Right click the 'Default Website' node choose 'Properties'

b) 'Directory Security' tab 'Server Certificate' button. Follow the wizard to select the certificate you imported into the store then complete the wizard and return to the 'Directory Security' tab.

c) Under 'Secure Communications' select the 'Edit' button. 

d) Check the 'Require Secure Channel (SSL) checkbox.

7) 創(chuàng)建 PHP SOAP 請(qǐng)求(test() 方法應(yīng)該是您的 Web 服務(wù)中的有效方法):

7) Creating the PHP SOAP request (the test() method should be a valid method in your Web service):

$wsdl = "https://localhost/MyService/myservices.asmx?wsdl";
$local_cert = "C:\SoapCertsClientKeyAndCer.pem";

$soapClient = new SoapClient($wsdl, array('local_cert' => $local_cert));

$theResponse = $soapClient->test();

8) 將此文件放入您的 Apache 目錄中.默認(rèn):'C:Program FilesApache GroupApache2htdocs'

8) Place this file into your Apache directory. By Default: 'C:Program FilesApache GroupApache2htdocs'

9) 您將需要訪問(wèn)客戶端證書(shū).在您生成客戶端和服務(wù)器證書(shū)的步驟中，您還生成了私鑰文件.打開(kāi) client_prv.pem(客戶端私鑰文件)并使用文本編輯器將內(nèi)容復(fù)制到新文檔中.使用像 Textpad 這樣的東西可能更安全，它希望不會(huì)添加一堆特殊字符，證書(shū)解析器非常挑剔.在私鑰部分之后立即放置客戶端證書(shū)(client_cer.pem)的內(nèi)容，以便生成的文件是客戶端私鑰和客戶端的未轉(zhuǎn)義副本

9) You will need access to the client certificate. In the steps you took to produce the client and server certificates you also produced the private key files. Open the client_prv.pem (the client private key file) and copy the contents into a new document with a text editor. It is probably safer to use something like Textpad that will hopefully not add a bunch of special characters, certificate parsers are very picky. Immediately after the private key part place the contents of the client certificate (client_cer.pem) so that the resulting file is an un-escaped copy of the client private key and client

證書(shū).將生成的文件保存到您可以從 php 文件訪問(wèn)的目錄中.在上面的例子中，結(jié)果文件是

certificate. Save the resulting file to a directory you can get to from the php file. In the example above the resulting file is the

'C:SoapCertsClientKeyAndCer.pem' 文件.

'C:SoapCertsClientKeyAndCer.pem' file.

9) 導(dǎo)航到 localhost/nameOfYourFile.php.您應(yīng)該會(huì)看到與服務(wù)的成功連接，其響應(yīng)與您的

9) Navigate to localhost/nameOfYourFile.php. You should see a successful connection to the service with a response matching the expected results from your

Web 服務(wù)方法.

這篇關(guān)于使用證書(shū)創(chuàng)建 PHP SOAP 請(qǐng)求的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！