PHP and X.509 authentication - Checking certificate issuer

I'm trying to have a specific page on my site only accessible to people after X.509 authentication. Catch is, I want it to be available to all clients who have a matching certificate issued by a specific Intermediate CA (I intend to have a few Intermediate CAs underneath a self-generated Root CA, but only a cli开发者_StackOverflow社区ent certificate issued by one specific Intermediate CA can access this page). Is this possible using PHP?

Let me know if I need to elaborate further, and I'll try and add more detail. Thanks for your help!

TC

Yes. When you get the cert information using the SSL extension and the openssl_x509_parse function, you'll get access to all the information in the cert. You should be able to do this in your php script:

var_dump(openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']));

You should see in that array that there's an 'issuer' key with an array containing information about the client cert issuer, and I'm going to assume that gets you the information you need.

if you didn't want to use OpenSSL you could use the latest SVN of phpseclib, a pure PHP X.509 parser. eg.

<?php
include('File/X509.php');

$x509 = new File_X509();
$x509->loadX509($_SERVER['SSL_CLIENT_CERT']);
echo $x509->getIssuerDN(true);
?>