Question

I have a web page which takes a CSR (certificate signing request) and signs it. Problem is: I don't know how to extract the public key from the CSR. I tried openssl_csr_get_public_key($request), where request is the string holding the PEM-encoded request, but that doesn't seem to work. Any ideas on how to do this?

Thanks!


Solution 3

Make sure that the CSR is correctly formatted. Check that PHP isn't changing pluses into spaces or something of the sort.
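
As an added example (not part of the original answers), the sketch below checks the submitted PEM for the "+"-to-space damage mentioned above before calling openssl_csr_get_public_key, then reads the key with openssl_pkey_get_details. The helper name csr_public_key and the locally generated CSR for client.example.test are assumptions made for illustration.

```php
<?php
// Added example; csr_public_key() is a hypothetical helper, not a PHP built-in.
function csr_public_key(string $pem): array
{
    $pem = str_replace(["\r\n", "\r"], "\n", trim($pem));
    $re  = '/^-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\n(.+)\n'
         . '-----END (?:NEW )?CERTIFICATE REQUEST-----$/s';
    if (!preg_match($re, $pem, $m)) {
        throw new InvalidArgumentException('PEM armour missing or damaged');
    }
    // The base64 body may hold only A-Z a-z 0-9 + / = and newlines. A space
    // usually means an unencoded "+" was form-decoded on its way into PHP.
    if (preg_match('/[^A-Za-z0-9+\/=\n]/', $m[1])) {
        throw new InvalidArgumentException('non-base64 character in CSR body');
    }
    $key = openssl_csr_get_public_key($pem);
    if ($key === false) {
        throw new RuntimeException('OpenSSL rejected the CSR: ' . openssl_error_string());
    }
    $d = openssl_pkey_get_details($key);
    return ['bits' => $d['bits'], 'type' => $d['type'], 'pem' => $d['key']];
}

// Constructed sample input: a throwaway key and CSR generated locally.
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                          'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'client.example.test'], $priv,
                        ['digest_alg' => 'sha256']);
openssl_csr_export($csr, $pem);

$info = csr_public_key($pem);
echo $info['bits'], "-bit key extracted\n";
// The extracted key must equal the public half of the key that made the CSR.
var_dump($info['pem'] === openssl_pkey_get_details($priv)['key']);

// urldecode() does what PHP does to a form value: a raw "+" becomes a space.
try {
    csr_public_key(urldecode($pem));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting the damaged request outright, rather than turning spaces back into "+", keeps the signing page from processing input that differs from what the client sent.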

OTHER TIPS

I find that phpseclib's pure PHP CSR implementation is generally much more "fault tolerant", e.g.

<?php
include('File/X509.php');

$x509 = new File_X509();
$csr = $x509->loadCSR('...'); // see google.crt

print_r($csr); // dump the parsed CSR structure
?>

With that you should be able to access anything from the CSR that you want!

You don't want to sign a public key per se, but the CSR, i.e. the signature includes metadata in the CSR that is also signed together with the public key.

The PHP command is openssl_csr_sign.

In order for this to work, you need a CSR (supplied by the client) and a CAcert file (loaded from a file on your server and passed as a string to your command). For generating the latter, look here: http://www.openssl.org/docs/apps/ca.html (official) and here (how to) http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

Obviously, if you are a "real" CA -- e.g. you have a certificate signed by a CA that others trust -- then you would already have a cert (signed by them).

Generally speaking, it is not good practice to sign public keys supplied by others. What you want to do is ask your client to supply the CSR metadata, and then you generate their key for them, returning both the private key and the certificate -- this can be done in a PKCS 12 format (see openssl_pkcs12_export) -- the entire exchange should occur over SSL.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow