<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Generates a CSR</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.openssl-csr-get-subject.html">openssl_csr_get_subject</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.openssl-csr-sign.html">openssl_csr_sign</a></div> <div class="up"><a href="ref.openssl.html">OpenSSL Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.openssl-csr-new" class="refentry"> <div class="refnamediv"> <h1 class="refname">openssl_csr_new</h1> <p class="verinfo">(PHP 4 >= 4.2.0, PHP 5, PHP 7)</p><p class="refpurpose"><span class="refname">openssl_csr_new</span> — <span class="dc-title">Generates a CSR</span></p> </div> <div class="refsect1 description" id="refsect1-function.openssl-csr-new-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type"><a href="language.pseudo-types.html#language.types.mixed" class="type mixed">mixed</a></span> <span class="methodname"><strong>openssl_csr_new</strong></span> ( <span class="methodparam"><span class="type">array</span> <code class="parameter">$dn</code></span> , <span class="methodparam"><span class="type">resource</span> <code class="parameter reference">&$privkey</code></span> [, <span class="methodparam"><span class="type">array</span> <code class="parameter">$configargs</code></span> [, <span class="methodparam"><span class="type">array</span> <code class="parameter">$extraattribs</code></span> ]] )</div> <p class="para rdfs-comment"> <span class="function"><strong>openssl_csr_new()</strong></span> generates a new CSR (Certificate Signing Request) based on the information provided by <code class="parameter">dn</code>. </p> <blockquote class="note"><p><strong class="note">Note</strong>: <span class="simpara"> You need to have a valid <var class="filename">openssl.cnf</var> installed for this function to operate correctly. See the notes under <a href="openssl.installation.html" class="link">the installation section</a> for more information. </span> </p></blockquote> </div> <div class="refsect1 parameters" id="refsect1-function.openssl-csr-new-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <code class="parameter">dn</code></dt> <dd> <p class="para"> The Distinguished Name or subject fields to be used in the certificate. </p> </dd> <dt> <code class="parameter">privkey</code></dt> <dd> <p class="para"> <code class="parameter">privkey</code> should be set to a private key that was previously generated by <span class="function"><a href="function.openssl-pkey-new.html" class="function">openssl_pkey_new()</a></span> (or otherwise obtained from the other openssl_pkey family of functions). The corresponding public portion of the key will be used to sign the CSR. </p> </dd> <dt> <code class="parameter">configargs</code></dt> <dd> <p class="para"> By default, the information in your system <em>openssl.conf</em> is used to initialize the request; you can specify a configuration file section by setting the <em>config_section_section</em> key of <code class="parameter">configargs</code>. You can also specify an alternative openssl configuration file by setting the value of the <em>config</em> key to the path of the file you want to use. The following keys, if present in <code class="parameter">configargs</code> behave as their equivalents in the <em>openssl.conf</em>, as listed in the table below. <table class="doctable table"> <caption><strong>Configuration overrides</strong></caption> <thead> <tr> <th><code class="parameter">configargs</code> key</th> <th>type</th> <th><em>openssl.conf</em> equivalent</th> <th>description</th> </tr> </thead> <tbody class="tbody"> <tr> <td>digest_alg</td> <td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td> <td>default_md</td> <td>Digest method or signature hash, usually one of <span class="function"><a href="function.openssl-get-md-methods.html" class="function">openssl_get_md_methods()</a></span></td> </tr> <tr> <td>x509_extensions</td> <td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td> <td>x509_extensions</td> <td>Selects which extensions should be used when creating an x509 certificate</td> </tr> <tr> <td>req_extensions</td> <td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td> <td>req_extensions</td> <td>Selects which extensions should be used when creating a CSR</td> </tr> <tr> <td>private_key_bits</td> <td><span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span></td> <td>default_bits</td> <td>Specifies how many bits should be used to generate a private key</td> </tr> <tr> <td>private_key_type</td> <td><span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span></td> <td>none</td> <td>Specifies the type of private key to create. This can be one of <strong><code>OPENSSL_KEYTYPE_DSA</code></strong>, <strong><code>OPENSSL_KEYTYPE_DH</code></strong>, <strong><code>OPENSSL_KEYTYPE_RSA</code></strong> or <strong><code>OPENSSL_KEYTYPE_EC</code></strong>. The default value is <strong><code>OPENSSL_KEYTYPE_RSA</code></strong>. </td> </tr> <tr> <td>encrypt_key</td> <td><span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span></td> <td>encrypt_key</td> <td>Should an exported key (with passphrase) be encrypted?</td> </tr> <tr> <td>encrypt_key_cipher</td> <td><span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span></td> <td>none</td> <td> One of <a href="openssl.ciphers.html" class="link">cipher constants</a>. </td> </tr> <tr> <td>curve_name</td> <td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td> <td>none</td> <td> PHP 7.1+, One of <span class="function"><a href="function.openssl-get-curve-names.html" class="function">openssl_get_curve_names()</a></span>. </td> </tr> <tr> <td>config</td> <td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td> <td>N/A</td> <td> Path to your own alternative openssl.conf file. </td> </tr> </tbody> </table> </p> </dd> <dt> <code class="parameter">extraattribs</code></dt> <dd> <p class="para"> <code class="parameter">extraattribs</code> is used to specify additional configuration options for the CSR. Both <code class="parameter">dn</code> and <code class="parameter">extraattribs</code> are associative arrays whose keys are converted to OIDs and applied to the relevant part of the request. </p> </dd> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.openssl-csr-new-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns the CSR or <strong><code>FALSE</code></strong> on failure. </p> </div> <div class="refsect1 examples" id="refsect1-function.openssl-csr-new-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-960"> <p><strong>Example #1 Creating a self-signed certificate</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// for SSL server certificates the commonName is the domain name to be secured<br />// for S/MIME email certificates the commonName is the owner of the email address<br />// location and identification fields refer to the owner of domain or email subject to be secured<br /></span><span style="color: #0000BB">$dn </span><span style="color: #007700">= array(<br /> </span><span style="color: #DD0000">"countryName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"GB"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"stateOrProvinceName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"Somerset"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"localityName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"Glastonbury"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"organizationName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"The Brain Room Limited"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"organizationalUnitName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"PHP Documentation Team"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"commonName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"Wez Furlong"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"emailAddress" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"wez@example.com"<br /></span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// Generate a new private (and public) key pair<br /></span><span style="color: #0000BB">$privkey </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_pkey_new</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"private_key_bits" </span><span style="color: #007700">=> </span><span style="color: #0000BB">2048</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"private_key_type" </span><span style="color: #007700">=> </span><span style="color: #0000BB">OPENSSL_KEYTYPE_RSA</span><span style="color: #007700">,<br />));<br /><br /></span><span style="color: #FF8000">// Generate a certificate signing request<br /></span><span style="color: #0000BB">$csr </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_new</span><span style="color: #007700">(</span><span style="color: #0000BB">$dn</span><span style="color: #007700">, </span><span style="color: #0000BB">$privkey</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha256'</span><span style="color: #007700">));<br /><br /></span><span style="color: #FF8000">// Generate a self-signed cert, valid for 365 days<br /></span><span style="color: #0000BB">$x509 </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_sign</span><span style="color: #007700">(</span><span style="color: #0000BB">$csr</span><span style="color: #007700">, </span><span style="color: #0000BB">null</span><span style="color: #007700">, </span><span style="color: #0000BB">$privkey</span><span style="color: #007700">, </span><span style="color: #0000BB">$days</span><span style="color: #007700">=</span><span style="color: #0000BB">365</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha256'</span><span style="color: #007700">));<br /><br /></span><span style="color: #FF8000">// Save your private key, CSR and self-signed cert for later use<br /></span><span style="color: #0000BB">openssl_csr_export</span><span style="color: #007700">(</span><span style="color: #0000BB">$csr</span><span style="color: #007700">, </span><span style="color: #0000BB">$csrout</span><span style="color: #007700">) and </span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$csrout</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">openssl_x509_export</span><span style="color: #007700">(</span><span style="color: #0000BB">$x509</span><span style="color: #007700">, </span><span style="color: #0000BB">$certout</span><span style="color: #007700">) and </span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$certout</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">openssl_pkey_export</span><span style="color: #007700">(</span><span style="color: #0000BB">$privkey</span><span style="color: #007700">, </span><span style="color: #0000BB">$pkeyout</span><span style="color: #007700">, </span><span style="color: #DD0000">"mypassword"</span><span style="color: #007700">) and </span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$pkeyout</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// Show any errors that occurred here<br /></span><span style="color: #007700">while ((</span><span style="color: #0000BB">$e </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_error_string</span><span style="color: #007700">()) !== </span><span style="color: #0000BB">false</span><span style="color: #007700">) {<br /> echo </span><span style="color: #0000BB">$e </span><span style="color: #007700">. </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br />}<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> <div class="example" id="example-961"> <p><strong>Example #2 Creating a self-signed ECC certificate in PHP 7.1+</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$subject </span><span style="color: #007700">= array(<br /> </span><span style="color: #DD0000">"commonName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"docs.php.net"</span><span style="color: #007700">,<br />);<br /><br /></span><span style="color: #FF8000">// Generate a new private (and public) key pair<br /></span><span style="color: #0000BB">$private_key </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_pkey_new</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"private_key_type" </span><span style="color: #007700">=> </span><span style="color: #0000BB">OPENSSL_KEYTYPE_EC</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"curve_name" </span><span style="color: #007700">=> </span><span style="color: #DD0000">'prime256v1'</span><span style="color: #007700">,<br />));<br /><br /></span><span style="color: #FF8000">// Generate a certificate signing request<br /></span><span style="color: #0000BB">$csr </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_new</span><span style="color: #007700">(</span><span style="color: #0000BB">$subject</span><span style="color: #007700">, </span><span style="color: #0000BB">$private_key</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha384'</span><span style="color: #007700">));<br /><br /></span><span style="color: #FF8000">// Generate self-signed EC cert<br /></span><span style="color: #0000BB">$x509 </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_sign</span><span style="color: #007700">(</span><span style="color: #0000BB">$csr</span><span style="color: #007700">, </span><span style="color: #0000BB">null</span><span style="color: #007700">, </span><span style="color: #0000BB">$private_key</span><span style="color: #007700">, </span><span style="color: #0000BB">$days</span><span style="color: #007700">=</span><span style="color: #0000BB">365</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha384'</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">openssl_x509_export_to_file</span><span style="color: #007700">(</span><span style="color: #0000BB">$x509</span><span style="color: #007700">, </span><span style="color: #DD0000">'ecc-cert.pem'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">openssl_pkey_export_to_file</span><span style="color: #007700">(</span><span style="color: #0000BB">$private_key</span><span style="color: #007700">, </span><span style="color: #DD0000">'ecc-private.key'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> </p> </div> <div class="refsect1 seealso" id="refsect1-function.openssl-csr-new-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"><span class="function"><a href="function.openssl-csr-sign.html" class="function" rel="rdfs-seeAlso">openssl_csr_sign()</a> - Sign a CSR with another certificate (or itself) and generate a certificate</span></li> </ul> </p> </div> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.openssl-csr-get-subject.html">openssl_csr_get_subject</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.openssl-csr-sign.html">openssl_csr_sign</a></div> <div class="up"><a href="ref.openssl.html">OpenSSL Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>