Yubikey SSL certificate verification in PHP for Windows
If you’ve ever tried connecting to a remote service or server over SSL from a server-side PHP script running on Windows Server, you may well have run into the condition where the SSL certificate of the remote server cannot be verified. The problem occurs when you have the CURLOPT_SSL_VERIFYPEER curl option set to true.
The error looks like this:
error:14090086 SSL routines:SSL3_GET_SERVER_CERTIFICATE certificate verify failed
Well, the problem has a very simple solution. cURL cannot talk directly to the Windows certificate store, so you have to give it a file of Trusted Root Certification Authority certificates to validate the remote certificate chain against.
Follow these steps to export your Trusted Root Certificate Authority CA certs:
- From the Windows Start menu, run the command “mmc.exe” to launch the Microsoft Management Console;
- From the MMC, choose “File” > “Add/Remove Snap-in…” from the main menu;
- Add the “Certificates” snap-in; when asked which certificates you want to manage, select “Computer Account” and “Local computer”;
- From the console root, navigate to “Certificates (Local Computer)” > “Trusted Root Certification Authorities” > “Certificates”;
- Select all of the certificates (CTRL+A) and choose “Action” > “All Tasks” > “Export…” from the MMC main menu;
- Follow the wizard to export the certificate(s) in Cryptographic Message Syntax Standard – PKCS#7 format (.pb7 file) to a file called “TrustedRootCAs.pb7”;
- Open a command prompt (“cmd.exe”) and navigate to the folder containing the PB7 file you just created;
- Run openssl.exe (you may need to add the path to this program to the Windows PATH environment variable) to convert the file to PEM text using the following command:
- c:\php\extras\openssl\openssl.exe pkcs7 -inform DER -in TrustedRootCAs.pb7 -print_certs -text > TrustedRootCAs.certs
- Then, in your PHP application, add the following line BEFORE you call curl_exec():
- curl_setopt($ch, CURLOPT_CAINFO, 'C:\PHP\extras\openssl\TrustedRootCAs.certs');
That’s about all you should need to get things rolling.
Remember, you don’t necessarily have to export all of the CAs. In the case of Yubikey, the authentication API server uses a certificate issued by GoDaddy, so you only need to export that single one if you prefer not to keep this file updated every time root CA certificates are updated by the various providers.
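Putting the steps together, here is an added example (not code from the original post) of a small helper that points cURL at the exported bundle, keeps peer and hostname verification on, and fails with the underlying cURL error instead of silently skipping the check. The bundle path is the one from the post; the URL is an assumed placeholder.

```php
<?php
// Added example: verify the remote certificate against the exported
// Windows root CA bundle and fail closed with a useful error message.
// Assumptions: bundle path as in the post, URL is a placeholder.

function makeVerifiedCurlHandle(string $url, string $caBundle)
{
    // Fail early if the bundle path is wrong; otherwise cURL only reports
    // the generic "certificate verify failed" error quoted in the post.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    // Sanity check: the openssl -print_certs step must have produced at
    // least one PEM block, or CAINFO will contain nothing to trust.
    $pem = file_get_contents($caBundle);
    if (preg_match_all('/-----BEGIN CERTIFICATE-----/', $pem) === 0) {
        throw new RuntimeException("No PEM certificates found in $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the chain against CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,    // and check the name matches the URL
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_TIMEOUT        => 10,
    ]);
    return $ch;
}

function fetchVerified(string $url, string $caBundle): string
{
    $ch = makeVerifiedCurlHandle($url, $caBundle);
    $body = curl_exec($ch);
    if ($body === false) {
        // Surface the real cURL error (e.g. error:14090086 ... certificate
        // verify failed) so the operator fixes the bundle rather than
        // turning verification off.
        $msg = curl_error($ch) . ' (errno ' . curl_errno($ch) . ')';
        curl_close($ch);
        throw new RuntimeException("TLS request to $url failed: $msg");
    }
    curl_close($ch);
    return $body;
}

// Usage (placeholder URL):
// echo fetchVerified('https://example.invalid/', 'C:\PHP\extras\openssl\TrustedRootCAs.certs');
```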