Tag Archives: certificate

Handle self-signed certificates with PHPs LDAP-Extension

Often I see questions on StackOverflow stating that connecting to LDAP-Servers secured with self-signed certificates is difficult and troublesome. Very often the accepted answer or the one with the most votes is actually the worst answer, as usually it requires to completely ignore certificates. So basically swapping the certificate would not be noticed, leaving the connection wide open for a Man-in-the-Middle attack and therefore somehow defeating the purpose of secure connections.

But how does one connect securely to an LDAP-Server secured with a self-signed certificate?

I did some tests and summarized my findings in a github-repo.

In essence it boils down to retrieving the current certificate either from the admin of the LDAP-Server or via OpenSSL using this command:

$ echo \
| openssl s_client -connect openldap:636 2> /dev/null \
| openssl x509 -text \
| sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' \
> /path/to/cert.pem

And then – at least when you have a supported PHP-Version – add the following lines to your ldap-code:

ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/path/to');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/path/to/cert.pem');

// either
$ldap = ldap_connect('ldaps://ldap.example.org:636');
// or
$ldap = ldap_connect('ldap://ldap.example.org:389');
ldap_start_tls($ldap);

Note: It’s important to call ldap_set_option before the first LDAP-Command and use null as the first argument. Otherwise it will not work 😉

You want more info? Have a look at the Repos README

Create signed PDF-Files

Some days ago a friend of mine asked me how to create PDF-Receipts. Background is that – at least in Germany – you can replace printed receipts with digitally signed PDF-Files. The signature has to comply to certain legal standards to be able to replace the printed copy but the way is the same whether it’s a self-signed certificate or an official one.

For the start I wanted to see how to sign a PDF-Document created with TCPDF. At a later time I will also have a look at how to sign a PDF-File using the libraries supported by PDFlib.com.

Signing PDF-files with TCPDF requires you to have the private key and the certificate available via a stream-ressource. That excludes certificates and keys on a signature-card as long as you can not export them.

Creating a signed PDF-File using TCPDF is rather simple as you can see in this code-snippet:

$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);

// set certificate file
$certificate = 'file://' . __DIR__ . '/cert/certificate.crt';
$privateKey = 'file://' . __DIR__ . '/cert/privateKey.crt';
// set document signature
$pdf->setSignature($certificate, $privateKey, 'test1234', '', 1, array());

// Do some more stuff here like creating the actual PDF-File

//Close and output PDF document
$pdf->output('test.pdf', 'D');

That’s it.

The hard part now is for one thing creating the actual PDF-File.
And the more important one question was “Which certificate-key-thingy goes where”.

That was the one that took me most of the time. When using a self-signed certificate as described in the TCPDF-Example you can somehow use the given openSSL shell-lines to get somehow to a result. But I wanted to sign the document with a “qualified electonical signature” which takes some more steps.

What is a qualified electronical signature? It’S nothing else than any other digital signature from a certification authority. The only difference is, that it has been issued according to the german “Signaturgesetz” which means, that it is based on a qualified certificate and has been created using a certain approved PKI. As I am not a lawyer, this is simply my own description of a legal process which might be inaccurate or plain false. So do not take my word as legally authoritative. A list of issuers for qualified electronical signatures can be found at http://www.nrca-ds.de/ZDAliste.htm

As I do not posses such a qualified electronical signature (and there currently is no need for me to get one) I tried the whole stuff with a certificate I got myself from CA-Cert. As far as I know (but I will verify that one soon) you can export a qualified electronic signature into a format that can be used for these purposes.

The relevant parts are the following variables

$certificate
needs to point to a certificate file in PEM-Format. Thats a plaintext-file with —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and some base64 encoded stuff in between.
$privateKey
needs to point to a private key file in binary PKCS7-Format. Those files normally end in something like ‘.p12’ or ‘.pfx’. To open this file you normally need a passphrase which you have to provide as third parameter to $pdf->setSignature.

Using that certificate and private key you can now sign your PDF-file.