<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.openssl-csr-new">
 <refnamediv>
  <refname>openssl_csr_new</refname>
  <refpurpose>Generates a CSR</refpurpose>
 </refnamediv>

 <refsect1 role="description">
  &reftitle.description;
  <methodsynopsis>
   <type>mixed</type><methodname>openssl_csr_new</methodname>
   <methodparam><type>array</type><parameter>dn</parameter></methodparam>
   <methodparam><type>resource</type><parameter role="reference">privkey</parameter></methodparam>
   <methodparam choice="opt"><type>array</type><parameter>configargs</parameter></methodparam>
   <methodparam choice="opt"><type>array</type><parameter>extraattribs</parameter></methodparam>
  </methodsynopsis>
  <para>
   <function>openssl_csr_new</function> generates a new CSR (Certificate Signing Request)
   based on the information provided by <parameter>dn</parameter>.
  </para>
  &note.openssl.cnf;
 </refsect1>

 <refsect1 role="parameters">
  &reftitle.parameters;
  <para>
   <variablelist>
    <varlistentry>
     <term><parameter>dn</parameter></term>
     <listitem>
      <para>
       The Distinguished Name or subject fields to be used in the certificate,
       given as an associative array of X.509 attribute names (for example
       <literal>commonName</literal>, <literal>organizationName</literal>)
       to their values.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>privkey</parameter></term>
     <listitem>
      <para>
       <parameter>privkey</parameter> should be set to a private key that was
       previously generated by <function>openssl_pkey_new</function> (or
       otherwise obtained from the other openssl_pkey family of functions).
       The private key signs the CSR; the corresponding public key is embedded
       in the request so that a CA can verify the signature and issue a
       certificate for that key. If <parameter>privkey</parameter> is &null;,
       a new key pair is generated according to <parameter>configargs</parameter>
       (<literal>private_key_type</literal>, <literal>private_key_bits</literal>
       or <literal>curve_name</literal>) and assigned to
       <parameter>privkey</parameter> by reference.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>configargs</parameter></term>
     <listitem>
      <para>
       By default, the information in your system <literal>openssl.conf</literal>
       is used to initialize the request; you can specify a configuration file
       section by setting the <literal>config_section_section</literal> key of
       <parameter>configargs</parameter>.
       You can also specify an alternative openssl configuration file by
       setting the value of the <literal>config</literal> key to the path of
       the file you want to use. The following keys, if present in
       <parameter>configargs</parameter>, behave as their equivalents in the
       <literal>openssl.conf</literal>, as listed in the table below.
       <table>
        <title>Configuration overrides</title>
        <tgroup cols="4">
         <thead>
          <row>
           <entry><parameter>configargs</parameter> key</entry>
           <entry>type</entry>
           <entry><literal>openssl.conf</literal> equivalent</entry>
           <entry>description</entry>
          </row>
         </thead>
         <tbody>
          <row>
           <entry>digest_alg</entry>
           <entry><type>string</type></entry>
           <entry>default_md</entry>
           <entry>Digest method or signature hash, usually one of <function>openssl_get_md_methods</function></entry>
          </row>
          <row>
           <entry>x509_extensions</entry>
           <entry><type>string</type></entry>
           <entry>x509_extensions</entry>
           <entry>
            Selects which section of the configuration file lists the
            extensions to add when an x509 certificate is created from the
            request (used by <function>openssl_csr_sign</function>);
            extensions are not copied from the CSR into the certificate
           </entry>
          </row>
          <row>
           <entry>req_extensions</entry>
           <entry><type>string</type></entry>
           <entry>req_extensions</entry>
           <entry>
            Selects which section of the configuration file lists the
            extensions (for example <literal>subjectAltName</literal>) to
            add to the CSR
           </entry>
          </row>
          <row>
           <entry>private_key_bits</entry>
           <entry><type>int</type></entry>
           <entry>default_bits</entry>
           <entry>Specifies how many bits should be used to generate a private key</entry>
          </row>
          <row>
           <entry>private_key_type</entry>
           <entry><type>int</type></entry>
           <entry>none</entry>
           <entry>
            Specifies the type of private key to create. This can be one of
            <constant>OPENSSL_KEYTYPE_DSA</constant>,
            <constant>OPENSSL_KEYTYPE_DH</constant>,
            <constant>OPENSSL_KEYTYPE_RSA</constant> or
            <constant>OPENSSL_KEYTYPE_EC</constant>.
            The default value is <constant>OPENSSL_KEYTYPE_RSA</constant>.
           </entry>
          </row>
          <row>
           <entry>encrypt_key</entry>
           <entry><type>bool</type></entry>
           <entry>encrypt_key</entry>
           <entry>Should an exported key (with passphrase) be encrypted?</entry>
          </row>
          <row>
           <entry>encrypt_key_cipher</entry>
           <entry><type>int</type></entry>
           <entry>none</entry>
           <entry>
            One of the <link linkend="openssl.ciphers">cipher constants</link>,
            selecting the cipher used when an exported key is encrypted.
           </entry>
          </row>
          <row>
           <entry>curve_name</entry>
           <entry><type>string</type></entry>
           <entry>none</entry>
           <entry>
            One of <function>openssl_get_curve_names</function>; used when
            <literal>private_key_type</literal> is
            <constant>OPENSSL_KEYTYPE_EC</constant>.
           </entry>
          </row>
          <row>
           <entry>config</entry>
           <entry><type>string</type></entry>
           <entry>N/A</entry>
           <entry>
            Path to your own alternative openssl.conf file.
           </entry>
          </row>
         </tbody>
        </tgroup>
       </table>
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>extraattribs</parameter></term>
     <listitem>
      <para>
       <parameter>extraattribs</parameter> is used to specify additional
       attributes of the request, such as a <literal>challengePassword</literal>.
       Both <parameter>dn</parameter> and <parameter>extraattribs</parameter>
       are associative arrays whose keys are converted to OIDs and applied to
       the relevant part of the request.
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
  </para>
 </refsect1>

 <refsect1 role="returnvalues">
  &reftitle.returnvalues;
  <para>
   Returns the CSR&return.falseforfailure;.
  </para>
 </refsect1>

 <refsect1 role="changelog">
  &reftitle.changelog;
  <informaltable>
   <tgroup cols="2">
    <thead>
     <row>
      <entry>&Version;</entry>
      <entry>&Description;</entry>
     </row>
    </thead>
    <tbody>
     <row>
      <entry>7.1.0</entry>
      <entry>
       <parameter>configargs</parameter> now also supports <literal>curve_name</literal>.
      </entry>
     </row>
    </tbody>
   </tgroup>
  </informaltable>
 </refsect1>

 <refsect1 role="examples">
  &reftitle.examples;
  <para>
   <example>
    <title>Creating a self-signed certificate</title>
    <programlisting role="php">
<![CDATA[
<?php
// for SSL server certificates the commonName is the domain name to be secured;
// note that current browsers ignore the commonName and require a subjectAltName
// extension, which is added through a req_extensions section (see configargs)
// for S/MIME email certificates the commonName is the owner of the email address
// location and identification fields refer to the owner of domain or email subject to be secured
$dn = array(
    "countryName" => "GB",
    "stateOrProvinceName" => "Somerset",
    "localityName" => "Glastonbury",
    "organizationName" => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Documentation Team",
    "commonName" => "Wez Furlong",
    "emailAddress" => "wez@example.com"
);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new(array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
));

// Generate a certificate signing request, signed with $privkey
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));

// Generate a self-signed cert, valid for 365 days
$x509 = openssl_csr_sign($csr, null, $privkey, 365, array('digest_alg' => 'sha256'));

// Save your private key, CSR and self-signed cert for later use
// (the private key is exported encrypted under the given passphrase)
openssl_csr_export($csr, $csrout) and var_dump($csrout);
openssl_x509_export($x509, $certout) and var_dump($certout);
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);

// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>
]]>
    </programlisting>
   </example>
   <example>
    <title>Creating a self-signed ECC certificate (as of PHP 7.1.0)</title>
    <programlisting role="php">
<![CDATA[
<?php
$subject = array(
    "commonName" => "docs.php.net",
);

// Generate a new private (and public) key pair on the P-256 curve
$private_key = openssl_pkey_new(array(
    "private_key_type" => OPENSSL_KEYTYPE_EC,
    "curve_name" => 'prime256v1',
));

// Generate a certificate signing request
$csr = openssl_csr_new($subject, $private_key, array('digest_alg' => 'sha384'));

// Generate self-signed EC cert, valid for 365 days
$x509 = openssl_csr_sign($csr, null, $private_key, 365, array('digest_alg' => 'sha384'));

openssl_x509_export_to_file($x509, 'ecc-cert.pem');

// No passphrase is given here, so the key is written to disk in the clear.
// Pass a passphrase as the third argument (and optionally encrypt_key_cipher
// in the fourth) to store it encrypted.
openssl_pkey_export_to_file($private_key, 'ecc-private.key');
?>
]]>
    </programlisting>
   </example>
  </para>
 </refsect1>

 <refsect1 role="seealso">
  &reftitle.seealso;
  <para>
   <simplelist>
    <member><function>openssl_csr_sign</function></member>
    <member><function>openssl_pkey_new</function></member>
    <member><function>openssl_csr_export</function></member>
   </simplelist>
  </para>
 </refsect1>
</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
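The examples above put only a commonName into the request, which is not enough for a TLS server certificate: clients require a subjectAltName extension, and that can only reach the CSR through a req_extensions section of an openssl configuration file passed via the config key. The following is an added example, not code from the PHP manual or from PHP's own test suite. It assumes a constructed openssl.cnf written to a temporary file, arbitrary section names (v3_req, v3_server, alt_names), host names under example.test, the output file names server.key, server.csr and server.crt, and a placeholder passphrase; the expect() helper is local to the example. It also checks that the public key carried in the CSR belongs to the private key that signed it, that the extensions are present in the signed certificate (openssl_csr_sign applies the x509_extensions section and does not copy extensions out of the CSR), and that the key on disk is encrypted.

```php
<?php
// Added example (not part of the PHP manual). All file names, section names,
// host names and the passphrase below are constructed for illustration.

function expect($condition, $message)
{
    if (!$condition) {
        // Drain the OpenSSL error queue so the underlying cause is visible.
        while (($e = openssl_error_string()) !== false) {
            $message .= "\n  openssl: " . $e;
        }
        fwrite(STDERR, $message . "\n");
        exit(1);
    }
}

// 1. Minimal openssl.cnf. openssl_csr_new() applies the section named by
//    'req_extensions'; openssl_csr_sign() applies the section named by
//    'x509_extensions' and ignores the CSR's own extensions, so alt_names is
//    referenced from both. The [req]/distinguished_name pair is looked up by
//    openssl_csr_new(); it only needs to exist (entries ending in _default
//    there are merged into the subject when the dn array omits them).
$cnf = tempnam(sys_get_temp_dir(), 'openssl-cnf-');
file_put_contents($cnf, <<<'CNF'
[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_req ]
subjectAltName = @alt_names

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = docs.example.test
DNS.2 = www.docs.example.test
CNF
);

// 2. Key pair: the private half signs the CSR, the public half is embedded in it.
$key = openssl_pkey_new(array(
    "private_key_type" => OPENSSL_KEYTYPE_EC,
    "curve_name"       => "prime256v1",
));
expect($key !== false, "key generation failed");

$csr = openssl_csr_new(array("commonName" => "docs.example.test"), $key, array(
    "config"         => $cnf,
    "req_extensions" => "v3_req",
    "digest_alg"     => "sha256",
));
expect($csr !== false, "CSR generation failed");

// 3. The public key inside the CSR must be the one that belongs to $key.
$csrPub = openssl_pkey_get_details(openssl_csr_get_public_key($csr));
$ownPub = openssl_pkey_get_details($key);
expect($csrPub["key"] === $ownPub["key"], "CSR public key does not match private key");

// 4. Self-sign with the server profile. A real CA would pass its own
//    certificate instead of null and its own private key instead of $key.
$cert = openssl_csr_sign($csr, null, $key, 365, array(
    "config"          => $cnf,
    "x509_extensions" => "v3_server",
    "digest_alg"      => "sha256",
));
expect($cert !== false, "signing failed");

// 5. Confirm the extensions landed in the certificate, not only in the CSR.
$ext = openssl_x509_parse($cert)["extensions"];
expect(isset($ext["subjectAltName"])
    && strpos($ext["subjectAltName"], "DNS:www.docs.example.test") !== false,
    "subjectAltName missing from certificate");
expect(isset($ext["basicConstraints"])
    && strpos($ext["basicConstraints"], "CA:FALSE") !== false,
    "basicConstraints missing from certificate");

// 6. Write the artifacts; the private key is encrypted with an explicit cipher.
$passphrase = "change-me-before-use";   // placeholder, not a real secret
openssl_pkey_export_to_file($key, "server.key", $passphrase, array(
    "encrypt_key"        => true,
    "encrypt_key_cipher" => OPENSSL_CIPHER_AES_256_CBC,
));
openssl_csr_export_to_file($csr, "server.csr");
openssl_x509_export_to_file($cert, "server.crt");
unlink($cnf);

// Reloading the key must require the passphrase.
$pem = file_get_contents("server.key");
expect(openssl_pkey_get_private($pem, "wrong passphrase") === false,
    "key loaded with the wrong passphrase");
expect(openssl_pkey_get_private($pem, $passphrase) !== false,
    "key did not load with the correct passphrase");
echo "OK: ", $ext["subjectAltName"], "\n";
```

Run it with the php CLI; it exits non-zero with the OpenSSL error queue on the first failed check. The requested extensions in server.csr can be inspected independently with `openssl req -in server.csr -noout -text -verify`, and the certificate with `openssl x509 -in server.crt -noout -text`.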