How does one install SSL certificates programmatically (OpenSSL)

I have an application which I am working on for a client which, in summary, allows each of their clients to create their own version of the application by customizing the templates and associating their own domain name (all the code is located on my client's server).

The problem I am faced with is that when such users create their own branded version with their own domain name and then want to log in to their admin, the system can't provide https authentication.

I am aware that one can create a self-signed certificate and I "think" there is a fairly simple way of doing this programmatically, BUT if I want to give users the ability to purchase their own CA signed certificate then how could this be accomplished?

I have spent a few hours trying to find the answer to this question online but can't seem to find a solution to this perplexing problem.

What I think I need is some simple code which allows the user to fill out the required form fields, which in turn creates the CSR file, which in turn the user would provide to the CA to obtain his CA file, and for which some code would need to allow the user to upload it... Which in turn would automatically install it and redraft the needed web services.

Any/all help and guidance would greatly be appreciated!


How you would go about this depends on your architecture. But here are a couple things to consider:

  1. Most SSL configurations operate on a unique IP address. So that means each SSL certificate you add would require another IP address. You may be able to centralize that configuration if you use a load balancer for example. Whether or not you can do that programmatically depends on your load balancer.
  2. You will be best off generating the CSR based on your private key. Otherwise you will have to allow users to upload both a private key and certificate (and sometimes chain file).


Usually, dealing with the server certificate is done by a system administrator, so few tools will be user-friendly for people with no such knowledge.

You could create a PHP webpage that creates a private key and CSR (see openssl_csr_new examples) and lets the user copy the CSR in PEM format (and the private key for later use). Some CAs will let you paste such a CSR into their form, when requesting the certificate. Once the user gets the certificate (and perhaps the chain from the CA), they'd need to configure the server to use it (along with the private key). Tools like Webmin can let you do this from a web browser (you may want to implement something similar to what Webmin does for this, if you don't want to deploy a full web-based administration interface).

If the task of requesting the certificate is your client's responsibility (which it should really be if it's their server), they will need to be trained a little to know what to do, since the procedure will inevitably vary slightly depending on the CA they choose.

Needless to say that, if you implement scripts that can let the user change certificates and private keys, appropriate authentication and authorization should be used to perform these operations.
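As an added illustration (not code from either answer), the sketch below follows the flow both answers describe: the server generates the private key and CSR with `openssl_csr_new`, and an uploaded certificate is accepted only if it matches the stored key and is within its validity dates. The function names, the domain names and the self-signed stand-in for the CA's reply are assumptions made for the example.

```php
<?php
// Added example. Domain names and the self-signed "CA reply" are constructed.

function make_key_and_csr(string $domain): array
{
    // Accept only a plain hostname before it reaches the CSR subject.
    $host = '/^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    if (!preg_match($host, $domain)) {
        throw new InvalidArgumentException('invalid domain name');
    }
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed');
    }
    $csr = openssl_csr_new(['commonName' => $domain], $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR generation failed');
    }
    openssl_pkey_export($key, $keyPem); // stored server-side only
    openssl_csr_export($csr, $csrPem);  // shown to the user for the CA's form
    return ['key' => $keyPem, 'csr' => $csrPem];
}

function uploaded_cert_is_usable(string $certPem, string $keyPem): bool
{
    $cert = openssl_x509_read($certPem);
    if ($cert === false) {
        return false; // not a parseable certificate
    }
    if (!openssl_x509_check_private_key($cert, $keyPem)) {
        return false; // issued for a different key than the one we hold
    }
    $info = openssl_x509_parse($cert);
    $now = time();
    return $info['validFrom_time_t'] <= $now && $now <= $info['validTo_time_t'];
}

$tenant = make_key_and_csr('shop.example.com');
$other  = make_key_and_csr('other.example.com');

// Constructed stand-in for the CA's reply: self-sign the tenant CSR for 30 days.
$signed = openssl_csr_sign($tenant['csr'], null, $tenant['key'], 30, ['digest_alg' => 'sha256']);
openssl_x509_export($signed, $replyPem);

var_dump(uploaded_cert_is_usable($replyPem, $tenant['key'])); // reply checked against the tenant's key
var_dump(uploaded_cert_is_usable($replyPem, $other['key']));  // same reply against another tenant's key
```

The check covers only the key match and the validity dates; verifying the CA chain and that the certificate names the tenant's domain is left out of this sketch.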
