|Unique User Downloads
|Not enough user ratings
|All time: 9,530 This week: 107
|HTTP, PHP 5, Files and Folders, Crypt..., V..., S..., C...
This package can manage SSL certificate authority file used by PHP.
Before you begin, which problem are you trying to solve?
Make sure the
vendor/paragonie/certainty/data directory is writable. For example:
chown -R webuser:webuser vendor/paragonie/certainty/data
chmod 0775 vendor/paragonie/certainty/data
chmod 0664 vendor/paragonie/certainty/data/*
Automate your PHP projects' cacert.pem management. Read the blog post introducing Certainty.
Requires PHP 5.6 or newer.
Certainty allows your software to "just work" (which is usually the motivation for disabling certificate validation) without being vulnerable to man-in-the-middle attacks.
Many HTTP libraries require you to specify a file path to a
cacert.pem file in order to use TLS correctly.
Omitting this file means either disabling certificate validation entirely (which enables trivial man-in-the-middle
exploits), connection failures, or hoping that your library falls back safely to the operating system's bundle.
In short, the possible outcomes (from best to worst) are as follows:
Obviously, the first outcome is optimal. So we built Certainty to make it easier to ensure open source projects do this.
composer require paragonie/certainty:^1
Certainty will keep certificates up to date via
RemoteFetch, so you don't need to update
Certainty library just to get fresh CA-Cert bundless. Update only for bugfixes (especially
security fixes) and new features.
If you are not using
RemoteFetch (which is strongly recommended
that you do, and we only provide support for systems that do use
RemoteFetch), then you want
dev-master rather than a version constraint, due to the nature of CA Certificates.
If a major CA gets compromised and their certificates are revoked, you don't want to continue trusting these certificates.
Furthermore, in the event of avoiding
RemoteFetch, you should be running
composer update at least
once per week to prevent stale CA-Cert files from causing issues.
See the documentation.
Certainty maintains a repository of all the
cacert.pem files since 2017, along with a sha256sum and
Ed25519 signature of each file. When you request the latest bundle, Certainty will check both these
values (the latter can only be signed by a key held by Paragon Initiative Enterprises, LLC) for each
entry in the JSON value, and return the latest bundle that passes validation.
The cacert.pem files contained within are reproducible from Mozilla's bundle.
The key differences are:
|bin (1 file)
|data (5 files)
|docs (1 file, 1 directory)
|local (3 files)
|src (6 files, 1 directory)
|test (6 files, 1 directory)
|Unique User Downloads