CA root certificate configuration for openssl & curl when used via php on windows. curl is used by wordpress, and openssl is used by whmcs.
this is how to enable CA root cert bundles for openssl & curl for php on windows. i used web platform installer to install php version 5.6.24 & 7.0.9.
note, the openssl.cafile parameter in php.ini is only for php version 5.6 and above.
the default folder for 5.6.24 is C:\Program Files (x86)\PHP\v5.6.
1. make sure openssl is enabled as an extension. you can check it using php manager under iis manager under extensions.
2. download this file – https://curl.haxx.se/ca/cacert.pem and save it to C:\Program Files (x86)\PHP\v5.6\data\libcurl\
3. open php.ini (try using php manager in iis manager).
add the following to php.ini and then save it. iisreset your server.
[curl]
curl.cainfo="C:\Program Files (x86)\PHP\v5.6\data\libcurl\cacert.pem"
openssl.cafile = "C:\Program Files (x86)\PHP\v5.6\data\libcurl\cacert.pem"
4. check php is using the correct location for the cafile parameter.
you can use this php snippet to print out the configuration that openssl will be using.
<?php var_dump(openssl_get_cert_locations()); ?>
if it is correct, the output will look like the following:
array(8) {
  ["default_cert_file"]=>
  string(25) "c:/usr/local/ssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(22) "c:/usr/local/ssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(24) "c:/usr/local/ssl/private"
  ["default_default_cert_area"]=>
  string(16) "c:/usr/local/ssl"
  ["ini_cafile"]=>
  string(55) "C:\Program Files (x86)\PHP\v5.6\data\libcurl\cacert.pem"
  ["ini_capath"]=>
  string(0) ""
}
5. test with OpenSSL_HTTPS_fopen_with_CA.php
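<?php
# OpenSSL_HTTPS_fopen_with_CA.php
#- Copyright (c) 2011, HerongYang.com, All Rights Reserved.
#
$url = 'https://www.google.com';
# verify_peer makes php check the server certificate against the CA bundle
$context = stream_context_create(array('ssl' => array('verify_peer' => true) ));
#var_dump(openssl_get_cert_locations());
$handle = fopen($url, 'r', false, $context);
# fopen returns false when verification or the connection fails
if ($handle === false) {
    die("could not open $url\n");
}
while ( ($line = fgets($handle)) !== false) {
    echo "$line\n";
}
fclose($handle);
?>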
if the website looks like google, it’s working.
with credit to herongyang. taken from http://www.herongyang.com/PKI/HTTPS-PHP-Test-OpenSSL-with-fopen.html and extended with the instructions on how to add the root CA bundle.
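the fopen test in step 5 only exercises openssl, while step 3 also sets curl.cainfo. the script below is an added example (not from the original post or from herongyang) that checks the bundle behind both php.ini settings and then makes a verified request with curl. the function names check_bundle and curl_verified_head are made up for this example, the url is the one from step 5, and the curl part needs outbound https.

```php
<?php
// added example: check the bundles behind both php.ini settings, then test curl.
// is the setting present, the file readable, and does it hold parseable certs?
function check_bundle($setting)
{
    $path = ini_get($setting);   // false if the extension or setting is missing
    if ($path === false || $path === '') {
        return "$setting: not set";
    }
    if (!is_readable($path)) {
        return "$setting: cannot read $path";
    }
    // base64 bodies never contain '-', so [^-]+ stops at the END marker
    $re = '/-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----/';
    $total = (int) preg_match_all($re, file_get_contents($path), $m);
    $expired = $bad = 0;
    foreach ($m[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            $bad++;
        } elseif ($info['validTo_time_t'] < time()) {
            $expired++;
        }
    }
    return "$setting: $path holds $total certs ($expired expired, $bad unparseable)";
}

// HEAD request with chain and host name verification on; returns curl's verdict
function curl_verified_head($url)
{
    if (!function_exists('curl_init')) {
        return 'curl extension is not loaded';
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_NOBODY, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    $ok = curl_exec($ch) !== false;
    $msg = $ok ? 'chain verified' : 'failed: ' . curl_error($ch);
    curl_close($ch);
    return "curl $url: $msg";
}

foreach (array('curl.cainfo', 'openssl.cafile') as $setting) {
    echo check_bundle($setting), PHP_EOL;
}
echo curl_verified_head('https://www.google.com'), PHP_EOL;
```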