That PHP curl man page points to a curl page, which says the SSL document is online. When I go there it says:
=====
http://curl.haxx.se/docs/sslcerts.html
...
If the remote server uses a self-signed certificate, or if you don't install curl's CA cert bundle or if it uses a certificate signed by
a CA that isn't included in the bundle, then you need to do one of
the following:
1. Tell libcurl to *not* verify the peer. With libcurl you disable
this with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
With the curl command tool, you disable this with -k/--insecure.
2. Get a CA certificate that can verify the remote server and use the
proper option to point out this CA cert for verification when
connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);
With the curl command tool: --cacert [file]
=====
So, I would look through your code for something like CURLOPT_CAPATH, either explicitly or implicitly, to see if the way it worked before was adding NetLedger's root with some set option, either in code or in an environment file or php.ini or whatever.
Another possibility is that the person who set up the working configuration added NetLedger's root to "curl's CA cert bundle" (wherever THAT lives).
=====
So, I expect that the two certs you were given by NetLedger were a root cert and a client cert.
1. Certs are kept in one of two formats, called DER and PEM
2. A PEM cert is a readable ASCII file with a header and trailer and included information encoded in base64. Like this:
-----BEGIN CERTIFICATE-----
MIIFbTCCBFWgAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwgdMxCzAJBgNVBAYTAlVT
MREwDwYDVQQIEwhNYXJ5bGFuZDEfMB0GA1UEChMWVW5pdmVyc2l0eSBvZiBNYXJ5
...chopped out a bunch of stuff here -zben...
e96jJ/Ok+qqlysssHXs6WtmUjz8voo7f1lvvKLNOdmPD1GqPNMJeJKm7U2IGVF4v
y86WfZl9dlScoiCbsgAxcJmsbH+pt9l59dyq9VkAj9UHv3yIsNi2NCr51NL6ZT1W
pw==
-----END CERTIFICATE-----
This can be decoded using the OpenSSL command:
openssl x509 -noout -text -in <filename>
Note: do NOT put a dash on the x509 command.
3. A DER cert is a binary file with roughly the same information. The default for OpenSSL is PEM so if you have a DER object you need to add the -inform der option:
openssl x509 -noout -text -inform der -in <filename>
4. There are three kinds of certificates called root, intermediate, and end-user.
5. A root certificate is self-signed, that is, the subject and issuer are exactly the same DN. Typically they also contain a Basic Constraints extension saying CA:true like this:
% openssl x509 -noout -text -in root.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Maryland, O=University of Maryland,
                OU=College Park Campus,
                CN=Root Certificate Authority v1,
                DC=umd, DC=edu/[EMAIL PROTECTED]
        Validity
            Not Before: Feb 24 16:22:45 2003 GMT
            Not After : Feb 24 16:22:45 2007 GMT
        Subject: C=US, ST=Maryland, O=University of Maryland,
                 OU=College Park Campus,
                 CN=Root Certificate Authority v1,
                 DC=umd, DC=edu/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a8:f7:ae:01:9b:84:b3:58:07:50:e3:80:4e:c6:
                    ...chopped out stuff here -zben...
        X509v3 extensions:
            ...chopped out stuff here -zben...
            X509v3 Basic Constraints: critical
                CA:TRUE
6. An end-user certificate names a person or a machine in its subject DN. Typically it has a Basic Constraints of CA:false.
% openssl x509 -noout -text -in server.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1013 (0x3f5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Maryland, O=University of Maryland,
                OU=College Park Campus,
                CN=UMCP SSL Server Authority v1,
                DC=umd, DC=edu/[EMAIL PROTECTED]
        Validity
            Not Before: Apr 15 14:38:37 2003 GMT
            Not After : May 19 14:38:37 2004 GMT
        Subject: C=US, ST=Maryland, O=University of Maryland,
                 OU=College Park Campus,
                 CN=cert.umd.edu,
                 DC=umd, DC=edu/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d1:52:fc:16:eb:e0:f5:49:ed:56:ac:e7:62:b5:
                    ...chopped out stuff here -zben...
        X509v3 extensions:
            ...chopped out stuff here -zben...
            X509v3 Basic Constraints: critical
                CA:FALSE
Note this is acceptable for SSL contact to a machine called cert.umd.edu -- that is, it is an end-user certificate for the server side of a client-server connection.
7. An intermediate certificate is not self-signed but is a CA. You might not have one of these; it depends on the setup.
Based on this, can you verify that you have one root certificate and one end-user certificate?
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
