Identifying the OpenSSL Extension Failure
Developers utilizing the PHP OpenSSL extension on Windows platfroms often encounter runtime failures when attempting to generate Certificate Signing Requests (CSRs) or export X.509 certificates. These exceptions typically manifest as follows:
openssl_csr_sign(): cannot get CSR from parameter 1 in
openssl_x509_export(): cannot get cert from parameter 1 in
openssl_pkcs12_export(): cannot get cert from parameter 1 in
The underlying cause for these errors is usually the inability of the PHP OpenSSL module too locate its associated configuration file.
Verifying the Configuration Path
To confirm the expected file path, inspect your environment setup by calling phpinfo(). Navigate through the loaded modules until you find the OpenSSL section. Look specifically for the directive labeled Openssl default config.
If the file referenced in this field does not exist, the cryptographic functions will fail.
Creating the Configuration File
You must manually ensure the directory structure exists and generate the configuration file at the identified location. Folllow these steps:
- Create the necessary folders (e.g.,
C:\usr\local\ssl\) if they are missing. - Generate a file named
openssl.cnfwithin that directory. - Populate the file with a standard OpenSSL configuration template suitable for signing operations.
Standard Configuration Template
Below is a functional configuration template. Copy the content below into your openssl.cnf file. This setup ensures providers are loaded correctly and defines policies for request signatures.
# =============================================================================
# Basic OpenSSL Configuration for PHP on Windows
# =============================================================================
HOME = .
config_diagnostics = 1
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
[ca]
default_ca = CA_default
[CA_default]
dir = ./demoCA
certs = $dir/certs
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365
policy = policy_match
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
[usr_cert]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
After saving the configuration file, restart your web server or PHP-FPM service to apply the changes. This procedure is also applicable for resolving similar path resolution issues on Linux-based systems.