If you've ever tried connecting to a remove service or server using SSL from your server side cURL or PHP script running on a Windows Server, you may very well have encountered the condition that SSL certificate of the remote server cannot be verified.
The problem occurs when you are trying to contact an SSL/TLS secured connection (and have the
CURLOPT_SSL_VERIFY_PEER curl option set to true).
The error looks like this:
error:14090086 SSL routines:SSL3_GET_SERVER_CERTIFICATE certificate verify failed
or may simply return error
Well, the problem has a very simple solution. CURL cannot talk directly to the Windows certificate repository, so you have to give it a file to validate the Trusted Root Certificate Authority against.
There are several options for obtaining a CA certificate bundle:
- Download one (not entirely recommended but this is the easiest option);
- Export from a trusted provider (e.g. Mozilla);
- Export from your Windows CA store;
Download From the Net
To simply download the current pem file, go here:
and download the
cacert.pem file. (http://curl.haxx.se/ca/cacert.pem)
not that you should trust any source on the internet for guaranteeing the validity of these CA bundles or the security of your server, but I've verified (at least once) that this file is indeed the CA certificate list exported from Mozilla as supplied in the Firefox Browser.
However, if you don't want to trust some random website fro the file, you can...
Get the Mozilla list
The conversion script mk-ca-bundle:
Convert from your local Firefox installation (linux):
You can also extract the CA certificate list from your local Firefox installation, if you have the certutil tool installed. You just need to run the firefox-db2pem.sh script (yes, this is a BASH script so you need to be Linux to get this to run).
Export from Windows
Follow these steps to export your Trusted Root Certificate Authority CA certs:
- From the windows start menu, run the command "mmc.exe" to launch the Microsoft Management Console;
- From the MMC, choose "File" ? "Add/Remove Snap-in..." from the main menu;
- Add the Certificates snap-in; When asked which certificates you want to manage, select Computer Account and Local computer;
- From the console root, navigate to "Certificates (Local Computer)" > "Trusted Root Certification Authorities" > "Certificates";
- Select all of the certificates (
A) and select "Action" > "All tasks" > "Export..." from the MMC main menu;
- Follow the wizard to export the certificate(s) to the Cryptographic Message Syntax Standard - PKCS#7 (.pb7 file) to a file called
- Open a command prompt (
cmd.exe) and navigate to the folder containing the PB7 file you just created;
- Run openSSL.exe (you may need to add the path to this program to the Windows PATH environment variable) to convert the file to text using the following command:
c:\php\extras\openssl\openssl.exe pkcs7 -inform DER -in TrustedRootCAs.pb7 -print_certs -text > TrustedRootCAs.certs
Then, in your PHP application for example, add the following line BEFORE you call
curl_setopt ($ch, CURLOPT_CAINFO, 'C:\PHP\extras\openssl\TrustedRootCAs.certs')
If you're using cURL, just rename the file to
curl-ca-bundle.crt and pop it into the same folder as your
curl.exe and it should detect it automatically.
That's about all you should need to get things rolling.
Remember, you don't necessarily have to export all of the CA's. In the case of Yubikey, the authentication API server uses a certificate issued by GoDaddy, so you only need export that single on if you prefer not to have to keep this file updated every time ROOT CA certificates are updated by the various providers.