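--- a/reference/openssl/functions/openssl-csr-new.xml
+++ b/reference/openssl/functions/openssl-csr-new.xml
@@ -1,24 +1,23 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- $Revision$ -->
-<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.openssl-csr-new">
+<refentry xml:id="function.openssl-csr-new" xmlns="http://docbook.org/ns/docbook">
 <refnamediv>
 <refname>openssl_csr_new</refname>
-<refpurpose>Generates a CSR</refpurpose>
+<refpurpose>Generates a <acronym>CSR</acronym></refpurpose>
 </refnamediv>
 
 <refsect1 role="description">
 &reftitle.description;
 <methodsynopsis>
-<type>mixed</type><methodname>openssl_csr_new</methodname>
-<methodparam><type>array</type><parameter>dn</parameter></methodparam>
-<methodparam><type>resource</type><parameter role="reference">privkey</parameter></methodparam>
-<methodparam choice="opt"><type>array</type><parameter>configargs</parameter></methodparam>
-<methodparam choice="opt"><type>array</type><parameter>extraattribs</parameter></methodparam>
+<type class="union"><type>OpenSSLCertificateSigningRequest</type><type>false</type></type><methodname>openssl_csr_new</methodname>
+<methodparam><type>array</type><parameter>distinguished_names</parameter></methodparam>
+<methodparam><type>OpenSSLAsymmetricKey</type><parameter role="reference">private_key</parameter></methodparam>
+<methodparam choice="opt"><type class="union"><type>array</type><type>null</type></type><parameter>options</parameter><initializer>&null;</initializer></methodparam>
+<methodparam choice="opt"><type class="union"><type>array</type><type>null</type></type><parameter>extra_attributes</parameter><initializer>&null;</initializer></methodparam>
 </methodsynopsis>
 <para>
-<function>openssl_csr_new</function> generates a new CSR (Certificate Signing Request)
-based on the information provided by <parameter>dn</parameter>, which represents the
-Distinguished Name to be used in the certificate.
+<function>openssl_csr_new</function> generates a new <acronym>CSR</acronym>
+based on the information provided by <parameter>distinguished_names</parameter>.
 </para>
 &note.openssl.cnf;
 </refsect1>
@@ -28,36 +27,36 @@
 <para>
 <variablelist>
 <varlistentry>
-<term><parameter>dn</parameter></term>
+<term><parameter>distinguished_names</parameter></term>
 <listitem>
 <para>
-The Distinguished Name to be used in the certificate.
+The Distinguished Name or subject fields to be used in the certificate.
 </para>
 </listitem>
 </varlistentry>
 <varlistentry>
-<term><parameter>privkey</parameter></term>
+<term><parameter>private_key</parameter></term>
 <listitem>
 <para>
-<parameter>privkey</parameter> should be set to a private key that was
+<parameter>private_key</parameter> should be set to a private key that was
 previously generated by <function>openssl_pkey_new</function> (or
 otherwise obtained from the other openssl_pkey family of functions).
 The corresponding public portion of the key will be used to sign the
-CSR.
+<acronym>CSR</acronym>.
 </para>
 </listitem>
 </varlistentry>
 <varlistentry>
-<term><parameter>configargs</parameter></term>
+<term><parameter>options</parameter></term>
 <listitem>
 <para>
 By default, the information in your system <literal>openssl.conf</literal>
 is used to initialize the request; you can specify a configuration file
 section by setting the <literal>config_section_section</literal> key of
-<parameter>configargs</parameter>. You can also specify an alternative
+<parameter>options</parameter>. You can also specify an alternative
 openssl configuration file by setting the value of the
 <literal>config</literal> key to the path of the file you want to use.
-The following keys, if present in <parameter>configargs</parameter>
+The following keys, if present in <parameter>options</parameter>
 behave as their equivalents in the <literal>openssl.conf</literal>, as
 listed in the table below.
 <table>
@@ -65,7 +64,7 @@
 <tgroup cols="3">
 <thead>
 <row>
-<entry><parameter>configargs</parameter> key</entry>
+<entry><parameter>options</parameter> key</entry>
 <entry>type</entry>
 <entry><literal>openssl.conf</literal> equivalent</entry>
 <entry>description</entry>
@@ -76,7 +75,7 @@
 <entry>digest_alg</entry>
 <entry><type>string</type></entry>
 <entry>default_md</entry>
-<entry>Selects which digest method to use</entry>
+<entry>Digest method or signature hash, usually one of <function>openssl_get_md_methods</function></entry>
 </row>
 <row>
 <entry>x509_extensions</entry>
@@ -89,41 +88,57 @@
 <entry>req_extensions</entry>
 <entry><type>string</type></entry>
 <entry>req_extensions</entry>
-<entry>Selects which extensions should be used when creating a CSR</entry>
+<entry>Selects which extensions should be used when creating a <acronym>CSR</acronym></entry>
 </row>
 <row>
 <entry>private_key_bits</entry>
-<entry><type>integer</type></entry>
+<entry><type>int</type></entry>
 <entry>default_bits</entry>
 <entry>Specifies how many bits should be used to generate a private
 key</entry>
 </row>
 <row>
 <entry>private_key_type</entry>
-<entry><type>integer</type></entry>
+<entry><type>int</type></entry>
 <entry>none</entry>
 <entry>Specifies the type of private key to create. This can be one
 of <constant>OPENSSL_KEYTYPE_DSA</constant>,
-<constant>OPENSSL_KEYTYPE_DH</constant> or
-<constant>OPENSSL_KEYTYPE_RSA</constant>.
-The default value is <constant>OPENSSL_KEYTYPE_RSA</constant> which
-is currently the only supported key type.
+<constant>OPENSSL_KEYTYPE_DH</constant>,
+<constant>OPENSSL_KEYTYPE_RSA</constant> or
+<constant>OPENSSL_KEYTYPE_EC</constant>.
+The default value is <constant>OPENSSL_KEYTYPE_RSA</constant>.
 </entry>
 </row>
 <row>
 <entry>encrypt_key</entry>
-<entry><type>boolean</type></entry>
+<entry><type>bool</type></entry>
 <entry>encrypt_key</entry>
 <entry>Should an exported key (with passphrase) be encrypted?</entry>
 </row>
 <row>
 <entry>encrypt_key_cipher</entry>
-<entry><type>integer</type></entry>
+<entry><type>int</type></entry>
 <entry>none</entry>
 <entry>
 One of <link linkend="openssl.ciphers">cipher constants</link>.
 </entry>
 </row>
+<row>
+<entry>curve_name</entry>
+<entry><type>string</type></entry>
+<entry>none</entry>
+<entry>
+One of <function>openssl_get_curve_names</function>.
+</entry>
+</row>
+<row>
+<entry>config</entry>
+<entry><type>string</type></entry>
+<entry>N/A</entry>
+<entry>
+Path to your own alternative openssl.conf file.
+</entry>
+</row>
 </tbody>
 </tgroup>
 </table>
@@ -131,12 +146,12 @@
 </listitem>
 </varlistentry>
 <varlistentry>
-<term><parameter>extraattribs</parameter></term>
+<term><parameter>extra_attributes</parameter></term>
 <listitem>
 <para>
-<parameter>extraattribs</parameter> is used to specify additional
-configuration options for the CSR. Both <parameter>dn</parameter> and
-<parameter>extraattribs</parameter> are associative arrays whose keys are
+<parameter>extra_attributes</parameter> is used to specify additional
+configuration options for the <acronym>CSR</acronym>. Both <parameter>distinguished_names</parameter> and
+<parameter>extra_attributes</parameter> are associative arrays whose keys are
 converted to OIDs and applied to the relevant part of the request.
 </para>
 </listitem>
@@ -148,28 +163,59 @@
 <refsect1 role="returnvalues">
 &reftitle.returnvalues;
 <para>
-Returns the CSR.
+Returns the <acronym>CSR</acronym>&return.falseforfailure;.
 </para>
 </refsect1>
 
+<refsect1 role="changelog">
+&reftitle.changelog;
+<informaltable>
+<tgroup cols="2">
+<thead>
+<row>
+<entry>&Version;</entry>
+<entry>&Description;</entry>
+</row>
+</thead>
+<tbody>
+<row>
+<entry>8.0.0</entry>
+<entry>
+On success, this function returns an <classname>OpenSSLCertificateSigningRequest</classname> instance now;
+previously, a &resource; of type <literal>OpenSSL X.509 CSR</literal> was returned.
+</entry>
+</row>
+<row>
+<entry>8.0.0</entry>
+<entry>
+<parameter>private_key</parameter> accepts an <classname>OpenSSLAsymmetricKey</classname> instance now;
+previously, a &resource; of type <literal>OpenSSL key</literal> was accepted.
+</entry>
+</row>
+<row>
+<entry>7.1.0</entry>
+<entry>
+<parameter>options</parameter> now also supports <literal>curve_name</literal>.
+</entry>
+</row>
+</tbody>
+</tgroup>
+</informaltable>
+</refsect1>
+
 <refsect1 role="examples">
 &reftitle.examples;
 <para>
 <example>
-<title>Creating a self-signed-certificate</title>
+<title>Creating a self-signed certificate</title>
 <programlisting role="php">
 <![CDATA[
 <?php
-// Fill in data for the distinguished name to be used in the cert
-// You must change the values of these keys to match your name and
-// company, or more precisely, the name and company of the person/site
-// that you are generating the certificate for.
-// For SSL certificates, the commonName is usually the domain name of
-// that will be using the certificate, but for S/MIME certificates,
-// the commonName will be the name of the individual who will use the
-// certificate.
+// for SSL server certificates the commonName is the domain name to be secured
+// for S/MIME email certificates the commonName is the owner of the email address
+// location and identification fields refer to the owner of domain or email subject to be secured
 $dn = array(
-"countryName" => "UK",
+"countryName" => "GB",
 "stateOrProvinceName" => "Somerset",
 "localityName" => "Glastonbury",
 "organizationName" => "The Brain Room Limited",
@@ -179,25 +225,20 @@ $dn = array(
 );
 
 // Generate a new private (and public) key pair
-$privkey = openssl_pkey_new();
+$privkey = openssl_pkey_new(array(
+"private_key_bits" => 2048,
+"private_key_type" => OPENSSL_KEYTYPE_RSA,
+));
 
 // Generate a certificate signing request
-$csr = openssl_csr_new($dn, $privkey);
-
-// You will usually want to create a self-signed certificate at this
-// point until your CA fulfills your request.
-// This creates a self-signed cert that is valid for 365 days
-$sscert = openssl_csr_sign($csr, null, $privkey, 365);
-
-// Now you will want to preserve your private key, CSR and self-signed
-// cert so that they can be installed into your web server, mail server
-// or mail client (depending on the intended use of the certificate).
-// This example shows how to get those things into variables, but you
-// can also store them directly into files.
-// Typically, you will send the CSR on to your CA who will then issue
-// you with the "real" certificate.
+$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
+
+// Generate a self-signed cert, valid for 365 days
+$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
+
+// Save your private key, CSR and self-signed cert for later use
 openssl_csr_export($csr, $csrout) and var_dump($csrout);
-openssl_x509_export($sscert, $certout) and var_dump($certout);
+openssl_x509_export($x509, $certout) and var_dump($certout);
 openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
 
 // Show any errors that occurred here
@@ -208,11 +249,48 @@ while (($e = openssl_error_string()) !== false) {
 ]]>
 </programlisting>
 </example>
+
+<example>
+<title>Creating a self-signed ECC certificate (as of PHP 7.1.0)</title>
+<programlisting role="php">
+<![CDATA[
+<?php
+$subject = array(
+"commonName" => "docs.php.net",
+);
+
+// Generate a new private (and public) key pair
+$private_key = openssl_pkey_new(array(
+"private_key_type" => OPENSSL_KEYTYPE_EC,
+"curve_name" => 'prime256v1',
+));
+
+// Generate a certificate signing request
+$csr = openssl_csr_new($subject, $private_key, array('digest_alg' => 'sha384'));
+
+// Generate self-signed EC cert
+$x509 = openssl_csr_sign($csr, null, $private_key, $days=365, array('digest_alg' => 'sha384'));
+openssl_x509_export_to_file($x509, 'ecc-cert.pem');
+openssl_pkey_export_to_file($private_key, 'ecc-private.key');
+?>
+]]>
+</programlisting>
+</example>
+
+
 </para>
 </refsect1>
 
-</refentry>
+<refsect1 role="seealso">
+&reftitle.seealso;
+<para>
+<simplelist>
+<member><function>openssl_csr_sign</function></member>
+</simplelist>
+</para>
+</refsect1>
 
+</refentry>
 <!-- Keep this comment at the end of the file
 Local variables:
 mode: sgml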
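Review bot: The new ECC example writes the private key to disk in the clear — `openssl_pkey_export_to_file($private_key, 'ecc-private.key');` passes no passphrase, unlike the RSA example above it, which exports with "mypassword" — so the key file is protected only by filesystem permissions; either pass a passphrase, `openssl_pkey_export_to_file($private_key, 'ecc-private.key', 'mypassword');`, or add a comment above that line saying the key is stored unencrypted and the file must be readable by its owner only. The `$days=365` in both `openssl_csr_sign` calls is an assignment placed inside the argument list: it creates an otherwise unused local and passes 365, which reads like a named argument but is not one, so writing `365` directly (or assigning `$days` on its own line) says what is meant. The parameter text kept as context in the second hunk, "The corresponding public portion of the key will be used to sign the CSR", has the roles reversed — the private key signs the request and the public key is embedded in it — and is worth correcting while that paragraph is being reworded.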