How to Set CURLOPT_CAINFO Globally for PHP

In PHP, what will happen if CURLOPT_CAPATH is not set when CURLOPT_SSL_VERIFYPEER is set to true?

From the documentation:

CURLOPT_CAINFO

This option is by default set to the system path where
libcurl's cacert bundle is assumed to be stored, as
established at build time.

So, if your system stores the cacert bundle in the default location, which is likely /etc/ssl/certs/, then it should find it.
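Added example (not from the answer above): a fail-closed fetch helper that keeps CURLOPT_SSL_VERIFYPEER on, lets you point CURLOPT_CAINFO at an explicit bundle, and prints which php.ini setting (if any) is supplying the bundle when no explicit path is given. The bundle path and URL are placeholders; the function and variable names are my own.

```php
<?php
// Added example: fail-closed TLS verification in PHP cURL with an optional
// explicit CA bundle. Not the answerer's code; paths/URLs are placeholders.
declare(strict_types=1);

function fetchVerified(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,               // and require the hostname to match the cert
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($caBundle !== null) {
        // A wrong path silently breaks every request, so check it up front.
        if (!is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $opts);

    $body = curl_exec($ch);
    if ($body === false) {
        // Verification failures surface here (e.g. error 60,
        // "unable to get local issuer certificate"); do not swallow them.
        $msg = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $body;
}

// When CURLOPT_CAINFO is not set, php.ini's curl.cainfo overrides libcurl's
// build-time default; openssl.cafile is a separate setting for the openssl
// extension / stream wrappers and does not affect ext/curl.
printf("curl.cainfo    = %s\n", ini_get('curl.cainfo') ?: '(unset: libcurl build-time default)');
printf("openssl.cafile = %s\n", ini_get('openssl.cafile') ?: '(unset)');

try {
    // Placeholder URL; pass a bundle path as the second argument to override the default.
    $html = fetchVerified('https://www.example.com/');
    echo 'Verified fetch OK, ', strlen($html), " bytes\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

If the first printf shows curl.cainfo as unset and the fetch still succeeds, libcurl found its compiled-in bundle (the /etc/ssl/certs/ default mentioned above on many distributions); if the fetch fails with error 60, that default is missing or stale and you need to set curl.cainfo or CURLOPT_CAINFO explicitly.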

How can I add multiple SSL certificates to curl.cainfo in php.ini?

The underlying CURLOPT_CAINFO option in libcurl only supports a single file name, and PHP/CURL merely passes on that string to libcurl. So no, you cannot pass more than one file name. You can however concatenate all those files into a single one, and point to that.

What exactly goes into CURLOPT_CAINFO/CAPATH?

The keyUsage line under [ext] must include keyCertSign, like this:

keyUsage=digitalSignature,keyEncipherment,keyCertSign

Otherwise, it's not a CA cert as far as OpenSSL is concerned.

OBTW, the basicConstraints=CA:true line under [ext], suggested by Steffen, is not necessary; I've checked. At least with CURL 7.52.1 and OpenSSL 1.0.2r it's not.

In the client code, CURLOPT_CAPATH is not necessary, either. CURL supports two alternative ways of specifying the root CA cert bundle. CURLOPT_CAINFO makes CURL read and parse a single file, potentially with multiple certificates in it. CURLOPT_CAPATH makes CURL scan a directory with certificate files identified by their serial numbers - or symlinks to those, as generated by c_rehash. Since in my scenario the effective root CA cert bundle has exactly one cert, the one file approach is sufficient.

Doesn't work under Windows, at least with command line CURL 7.55.1. The Windows version of CURL uses the built-in Schannel library for its SSL implementation, and ignores the --cacert option, instead relying on Windows' built-in trusted CA store. See here.

It might be possible to rebuild CURL for Windows against a different SSL implementation, but the trouble is hardly worth it. Windows comes with its own fleet of HTTP(S) clients.
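Added example covering both the "concatenate the files into a single one" advice and the "keyUsage must include keyCertSign" point above (not the answerers' code): a small PHP script that merges several PEM files into one bundle for CURLOPT_CAINFO, skips duplicates by SHA-256 fingerprint, and drops anything that OpenSSL would not treat as a CA. The CA test mirrors OpenSSL's rule as observed above: if basicConstraints is present it must say CA:TRUE; if it is absent, keyUsage must include keyCertSign (printed by openssl_x509_parse as "Certificate Sign"). File names are placeholders.

```php
<?php
// Added example: build a single CA bundle for CURLOPT_CAINFO from several
// PEM files. Not from the original answers; file paths are placeholders.
declare(strict_types=1);

/** Split a PEM file into its individual certificate blocks. */
function pemBlocks(string $pem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    return $m[0];
}

/**
 * True if OpenSSL would accept this certificate as a CA:
 * basicConstraints CA:TRUE when present, otherwise keyUsage keyCertSign.
 */
function isCaCert(array $parsed): bool
{
    $ext   = $parsed['extensions'] ?? [];
    $basic = $ext['basicConstraints'] ?? null;
    $ku    = $ext['keyUsage'] ?? '';
    if ($basic !== null) {
        return stripos($basic, 'CA:TRUE') !== false;
    }
    return stripos($ku, 'Certificate Sign') !== false;
}

/** Merge the CA certificates from $inputFiles into $outFile; returns how many were written. */
function buildBundle(array $inputFiles, string $outFile): int
{
    $seen = [];
    $out  = '';
    foreach ($inputFiles as $file) {
        $pem = file_get_contents($file);
        if ($pem === false) {
            throw new RuntimeException("cannot read $file");
        }
        foreach (pemBlocks($pem) as $block) {
            $parsed = openssl_x509_parse($block);
            if ($parsed === false) {
                fwrite(STDERR, "skipping unparsable certificate in $file\n");
                continue;
            }
            // De-duplicate on the DER fingerprint, not the PEM text (line endings vary).
            $fp = openssl_x509_fingerprint($block, 'sha256');
            if (isset($seen[$fp])) {
                continue;
            }
            if (!isCaCert($parsed)) {
                fwrite(STDERR, "skipping non-CA certificate {$parsed['name']} from $file\n");
                continue;
            }
            $seen[$fp] = true;
            // Comment lines outside BEGIN/END are ignored by the PEM reader.
            $out .= "# {$parsed['name']}\n# SHA256 $fp\n$block\n";
        }
    }
    if (file_put_contents($outFile, $out, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $outFile");
    }
    return count($seen);
}

// Usage: php build_bundle.php /path/to/bundle.pem rootA.pem rootB.pem ...
if ($argc < 3) {
    fwrite(STDERR, "usage: {$argv[0]} OUT.pem IN1.pem [IN2.pem ...]\n");
    exit(2);
}
$n = buildBundle(array_slice($argv, 2), $argv[1]);
echo "wrote $n CA certificate(s) to {$argv[1]}\n";
```

Point curl.cainfo (php.ini) or CURLOPT_CAINFO at the output file. Because only CA certificates survive the filter, a leaf or intermediate accidentally dropped into the input directory will not end up in the trust store.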

Can't Get PHP cURL SSL To Work

The answer to this problem is that the root certificate displayed for https://www.google.com in IE11, "GeoTrust Global CA," is cross-rooted to an older GeoTrust root certificate named "Equifax Secure Certificate Authority." When the "GeoTrust Global CA" certificate that displays as the root in the 3-certificate chain showing in my IE11 is used by my PHP script as the root certificate for https://www.google.com, my PHP script can't authenticate https://www.google.com's certificate BECAUSE THE REAL ROOT CERTIFICATE FOR https://www.google.com ISN'T THE "GeoTrust Global CA" CERTIFICATE BUT THE GeoTrust "Equifax Secure Certificate Authority" certificate. Once I figured this out, I used the "Equifax Secure Certificate Authority" in my PHP .PEM file and I successfully validated the https://www.google.com certificate.

You can see how the cross-rooting takes place by doing the following (I used IE11 for this):

  1. Open a BLANK https://www.google.com Web page
  2. Click the padlock icon in the URL window, then click "View certificates."
  3. The Certificates window for https://www.google.com appears. Click the Certification Path tab. The certificate chain of three certificates will be displayed. The "GeoTrust Global CA" certificate shows as the root certificate - BUT THAT'S NOT TRUE.
  4. Close the Certificate window. In the "Run" box in the Start Menu (I'm using Windows 7) type "certmgr.msc" and click the "OK" button. This will launch Windows' Certificate Manager.
  5. Click the "Trusted Root Certification Authorities" entry in the left pane, then click "Certificates."
  6. In the right pane, locate the "GeoTrust Global CA" certificate. Double-click this entry to open its certificate window.
  7. Click the "Details" tab, then click the "Edit properties" button. NOTE THAT "Server Authentication," "Client Authentication," "Code Signing," "Secure Email," and "Time Stamping" are selected.
  8. Click the "Disable all purposes for this certificate" button. THIS WILL DISABLE THIS CERTIFICATE FROM USE. NOTE ON THE "General" TAB THAT THE EXPIRATION DATE FOR THIS CERTIFICATE IS 5/20/2022 AND THE "Issued to:" and "Issued by:" ITEMS ARE BOTH SIGNED "GeoTrust Global CA," INDICATING THAT THIS IS A ROOT CERTIFICATE. Click the "OK" button to return to the Windows Certificate Manager. Minimize the Certificate Manager.
  9. Move to your blank https://www.google.com Web page. Refresh the page, then view the certificates. NOW YOU WILL SEE FOUR CERTIFICATES, INSTEAD OF THE THREE THAT WERE DISPLAYED IN STEP #3!!
  10. WHAT HAPPENED? Double-click the "GeoTrust Global CA" certificate. Look at the expiration date on the "General" tab. It's 8/20/2018, NOT THE 5/20/2022 displayed for the "GeoTrust Global CA" certificate in Step #3. Also look at the "Issued to:" and "Issued by:" items - THEY ARE DIFFERENT. The "Issued to:" is "GeoTrust Global CA" and the "Issued by" is "Equifax Secure Certificate Authority." THIS IS A DIFFERENT "GeoTrust Global CA" CERTIFICATE THAN THE ONE DISPLAYED IN STEP #3!! This version of the "GeoTrust Global CA" certificate is cross-rooted to "Equifax Secure Certificate Authority" as evidenced in the "Issued by:" item!!
  11. Double-click the "GeoTrust" root certificate. Notice that this is a self-signed root certificate issued by "Equifax Secure Certificate Authority." THIS IS THE REAL ROOT CERTIFICATE USED BY https://www.google.com!! When I copied this certificate into my PHP .PEM file and used it to validate https://www.google.com's certificate, everything worked perfectly!!
  12. Go back to the Windows Certificate Manager and reverse the disablement you performed in Steps 5 - 8. Click the "Enable only the following purposes" button and re-check the purposes listed in Step #7. This will restore your "GeoTrust Global CA" certificate dated 5/20/2022 to functioning status.

There's a link on the GeoTrust Website that describes the "GeoTrust Global CA" cross-root certificate that appeared in Step #9. You can download it as well. However, for my application the cross-root certificate didn't validate https://www.google.com's certificate - I NEEDED TO USE THE "GeoTrust" ROOT CERTIFICATE BECAUSE IT IS THE ONLY ONE THAT WORKS TO VALIDATE https://www.google.com. Here's the link:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426

You can also download the equivalent of the "GeoTrust" certificate from the GeoTrust Website. It's listed as the "Equifax Secure Certificate Authority" in the Resources > Root Certificates section of the Website. Here's the link:

https://www.geotrust.com/resources/root-certificates/

You can also find more details about the certificate chain for any Web page by visiting the following Symantec Web page:

https://cryptoreport.websecurity.symantec.com

I hope this helps you PHP developers who need to validate an HTTPS connection with Google.com. DREW010 - Thanks for hanging with me through this! I appreciate your help.
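Added example (not part of the answer above, and not the answerer's script): instead of reading the chain off a browser dialog, ask libcurl itself for the certificates the server presented via CURLOPT_CERTINFO / CURLINFO_CERTINFO and look at the last link. If that link is not self-signed, its "Issuer" is the trust anchor that has to be in your CAINFO file, which is exactly the cross-rooted GeoTrust / Equifax situation described above. Function names are mine; the self-signed check (subject string equals issuer string) is a heuristic, and CERTINFO requires a libcurl TLS backend that supports it (OpenSSL does).

```php
<?php
// Added example: dump the certificate chain a server actually sends and
// report which issuer the trust anchor must be. Not from the original post.
declare(strict_types=1);

/** Perform a TLS handshake against $url and return libcurl's certificate info array. */
function peerChain(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,  // HEAD request: we only need the handshake
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CERTINFO       => true,  // collect the presented certificates
        CURLOPT_SSL_VERIFYPEER => true,  // keep verification on; we still inspect on failure
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    curl_exec($ch);
    $err  = curl_error($ch);
    $info = curl_getinfo($ch, CURLINFO_CERTINFO);
    curl_close($ch);
    if ($err !== '') {
        // With the OpenSSL backend the chain is usually still collected, and a
        // verification failure is precisely when you want to see it.
        fwrite(STDERR, "handshake/verification error: $err\n");
    }
    return is_array($info) ? $info : [];
}

/** Print each link of the chain and say what the trust anchor must be. */
function describeChain(array $chain): void
{
    if ($chain === []) {
        echo "no certificate info returned (backend without CERTINFO support?)\n";
        return;
    }
    foreach ($chain as $i => $cert) {
        printf("[%d] subject: %s\n    issuer:  %s\n    expires: %s\n",
            $i,
            $cert['Subject'] ?? '?',
            $cert['Issuer'] ?? '?',
            $cert['Expire date'] ?? '?');
    }
    $last    = end($chain);
    $subject = $last['Subject'] ?? '';
    $issuer  = $last['Issuer'] ?? '-';
    if ($subject === $issuer) {
        echo "\nlast link is self-signed: the server sent its own root; that root belongs in CAINFO\n";
    } else {
        echo "\nlast link is NOT self-signed. The trust anchor must be its issuer:\n    $issuer\n";
        echo "put THAT root (not the one your browser shows as the top of the chain) in your CAINFO file\n";
    }
}

// Usage: php chain.php https://www.example.com/   (URL is a placeholder)
describeChain(peerChain($argv[1] ?? 'https://www.example.com/'));
```

Running this shows the chain as libcurl/OpenSSL sees it rather than the one Windows rebuilds from its own store, which is why the browser view and the PHP result disagreed in the story above.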
