uakfdotb

<?php

// https://lunanode.com/
/*
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

uakfdotb

Subject: Client-side SSL certificates

Hi all,

This is a tutorial for modifying your web application (we'll use PHP in particular) to support client-side SSL certificates, based on my own experience with doing it. I'm still learning, so do let me know if I've done anything that seems insecure or otherwise unwise.

I'm posting here since I don't know anywhere else to post it :)

First I'd like to mention these two web pages for offering a good overview.

uakfdotb

<?php

//here we assume $session is your session key-value store (replace with $_SESSION to use PHP's default; you'll need session_start at the top)
//custom_redirect should handle redirects without sending permanent redirect code

if(!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] != 'SUCCESS') {
	die("Invalid client-side SSL certificate: invalid SSL_CLIENT_VERIFY.");
}

if(!isset($_SERVER['SSL_CLIENT_I_DN_O']) || $_SERVER['SSL_CLIENT_I_DN_O'] != 'YOUR_CA_ORGANIZATION_FIELD') {

uakfdotb

<?php

//assume we are signing a certificate for user with $user_id user ID and $email email address
//further assume that we require CN to be the user's email address
//and that $csr is the uploaded CSR data

//extract csr
$csr_details = openssl_csr_get_subject($csr);

if($csr_details === false || !is_array($csr_details) || !isset($csr_details['O']) || !isset($csr_details['OU']) || !isset($csr_details['CN'])) {