Created
June 29, 2014 06:13
-
-
Save uakfdotb/13f57153abbec9d75c00 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| //assume we are signing a certificate for user with $user_id user ID and $email email address | |
| //further assume that we require CN to be the user's email address | |
| //and that $csr is the uploaded CSR data | |
| //extract csr | |
| $csr_details = openssl_csr_get_subject($csr); | |
| if($csr_details === false || !is_array($csr_details) || !isset($csr_details['O']) || !isset($csr_details['OU']) || !isset($csr_details['CN'])) { | |
| die('Invalid CSR'); | |
| } | |
| if($csr_details['CN'] != $email) { | |
| die('CSR CN must match email'); | |
| } | |
| //validation success | |
| //first, grab next serial | |
| $result = database_query("SELECT COUNT(*) FROM certificates"); | |
| $row = $result->fetch(); | |
| $next_serial = $row[0] + 1; | |
| //sign the CSR with our CA | |
| $ca_key = array(file_get_contents('/etc/webssl/ca.key'), "YOURPASSPHRASEIFANY"); | |
| if($ca_key === false) { | |
| die('Failed to load CA key'); | |
| } | |
| $usercert = openssl_csr_sign($csr, file_get_contents('/etc/webssl/ca.crt'), $ca_key, 365, NULL, $next_serial); | |
| if($usercert === false) { | |
| die('Signing failed'); | |
| } | |
| $result = openssl_x509_export($usercert, $certout); | |
| if($result === false) { | |
| die('Exporting failed'); | |
| } | |
| database_query("INSERT INTO certificates (serial, user_id) VALUES (?, ?)", array($next_serial, $user_id)); | |
| //return $certout to the user | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment