stayallive / certificate-chain-resolver
Certificate chain resolver.
Fund package maintenance!
stayallive
Requires
- php: ^8.0
- phpseclib/phpseclib: ^3.0.13
Requires (Dev)
- friendsofphp/php-cs-fixer: 3.6.*
- phpstan/phpstan: ^1.4
- phpunit/phpunit: ^9.3
This package is auto-updated.
Last update: 2024-12-04 13:23:38 UTC
README
Resolve a certificate chain with a simple to use interface.
A hosted version using this package can be found here: chief.tools/certificate-chain-resolver.
Installation
composer require stayallive/certificate-chain-resolver
Usage
You can use Resolver::fetchForCertificate
to retrieve the full PEM encoded chain as a string.
$output = \Stayallive\CertificateChain\Resolver::fetchForCertificate( \Stayallive\CertificateChain\Certificate::loadFromPathOrUrl('path/to/certificate.pem') );
You can use Certificate::loadFromPathOrUrl
to retrieve a Certificate
instance you need for constructing a Resolver
instance.
The certificate is fetched using file_get_contents
so any path or URL that is supported by file_get_contents
should work.
The Certificate
can be in multiple formats and encodings, currently supported: PEM, DER and PKCS7, they are all normalized to PEM encoding.
If you need the chain without the original certificate or want to get an array of Certificate
instances representing the chain you can use the Resolver
class directly:
$chain = new \Stayallive\CertificateChain\Resolver( \Stayallive\CertificateChain\Certificate::loadFromPathOrUrl('path/to/certificate.pem') ); $chain->getContents(); // Same as `Resolver::fetchForCertificate`, returns a string $chain->getCertificates(); // Array of certificates in the chain, returns an array // Versions that do not include the certificate that was used to construct the `Resolver` with $chain->getContentsWithoutOriginal(); $chain->getCertificatesWithoutOriginal();
There are 2 possible exceptions that are thrown while retrieving the certificate or it's chain, they both extend ResolverException
:
CouldNotLoadCertificate
- this indicates fetching the certificate from an URL or path failedCouldNotParseCertificate
- this indicates parsing the fetched certificate failed because it's invalid or it's encoding is unsupported
Background: the trust chain
All operating systems contain a set of default trusted root certificates. But Certificate Authorities usually don't use their root certificate to sign customer certificates. Instead of they use so called intermediate certificates, because they can be rotated more frequently.
A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. This is the exact meaning of the Extra download message. But some clients, mostly mobile browsers, don't support this extension, so they report such certificate as untrusted.
This results in 'untrusted'-warnings since the browser thinks you are on an insecure connection.
A server should always send a complete chain, which means concatenated all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. So when installing a SSL certificate on a server you should install all intermediate certificates as well. You should be able to fetch intermediate certificates from the issuer and concat them together by yourself.
This package helps you automatize that boring task by looping over certificate's AIA extension field and returning the full chain to you.
Credits
This package was originally created as a fork of ssl-certificate-chain-resolver written by Spatie which was inspired by cert-chain-resolver written by Jan Žák. Some text, mainly the background about the trust chain, was copied from the readme of his repo.
Security Vulnerabilities
If you discover a security vulnerability within this package, please send an e-mail to Alex Bouma at alex+security@bouma.me
. All security vulnerabilities will be swiftly
addressed.
License
This package is open-sourced software licensed under the MIT license.