<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Generates a CSR</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.openssl-csr-get-subject.html">openssl_csr_get_subject</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.openssl-csr-sign.html">openssl_csr_sign</a></div>
<div class="up"><a href="ref.openssl.html">OpenSSL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="function.openssl-csr-new" class="refentry">
<div class="refnamediv">
<h1 class="refname">openssl_csr_new</h1>
<p class="verinfo">(PHP 4 >= 4.2.0, PHP 5, PHP 7)</p><p class="refpurpose"><span class="refname">openssl_csr_new</span> — <span class="dc-title">Generates a CSR</span></p>
</div>
<div class="refsect1 description" id="refsect1-function.openssl-csr-new-description">
<h3 class="title">Description</h3>
<div class="methodsynopsis dc-description">
<span class="type"><a href="language.pseudo-types.html#language.types.mixed" class="type mixed">mixed</a></span> <span class="methodname"><strong>openssl_csr_new</strong></span>
( <span class="methodparam"><span class="type">array</span> <code class="parameter">$dn</code></span>
, <span class="methodparam"><span class="type">resource</span> <code class="parameter reference">&$privkey</code></span>
[, <span class="methodparam"><span class="type">array</span> <code class="parameter">$configargs</code></span>
[, <span class="methodparam"><span class="type">array</span> <code class="parameter">$extraattribs</code></span>
]] )</div>
<p class="para rdfs-comment">
<span class="function"><strong>openssl_csr_new()</strong></span> generates a new CSR (Certificate Signing Request)
based on the information provided by <code class="parameter">dn</code>.
</p>
<blockquote class="note"><p><strong class="note">Note</strong>:
<span class="simpara">
You need to have a valid <var class="filename">openssl.cnf</var> installed for
this function to operate correctly.
See the notes under <a href="openssl.installation.html" class="link">the installation
section</a> for more information.
</span>
</p></blockquote>
</div>
<div class="refsect1 parameters" id="refsect1-function.openssl-csr-new-parameters">
<h3 class="title">Parameters</h3>
<p class="para">
<dl>
<dt>
<code class="parameter">dn</code></dt>
<dd>
<p class="para">
The Distinguished Name or subject fields to be used in the certificate.
</p>
</dd>
<dt>
<code class="parameter">privkey</code></dt>
<dd>
<p class="para">
<code class="parameter">privkey</code> should be set to a private key that was
previously generated by <span class="function"><a href="function.openssl-pkey-new.html" class="function">openssl_pkey_new()</a></span> (or
otherwise obtained from the other openssl_pkey family of functions).
The corresponding public portion of the key will be used to sign the
CSR.
</p>
</dd>
<dt>
<code class="parameter">configargs</code></dt>
<dd>
<p class="para">
By default, the information in your system <em>openssl.conf</em>
is used to initialize the request; you can specify a configuration file
section by setting the <em>config_section_section</em> key of
<code class="parameter">configargs</code>. You can also specify an alternative
openssl configuration file by setting the value of the
<em>config</em> key to the path of the file you want to use.
The following keys, if present in <code class="parameter">configargs</code>
behave as their equivalents in the <em>openssl.conf</em>, as
listed in the table below.
<table class="doctable table">
<caption><strong>Configuration overrides</strong></caption>
<thead>
<tr>
<th><code class="parameter">configargs</code> key</th>
<th>type</th>
<th><em>openssl.conf</em> equivalent</th>
<th>description</th>
</tr>
</thead>
<tbody class="tbody">
<tr>
<td>digest_alg</td>
<td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td>
<td>default_md</td>
<td>Digest method or signature hash, usually one of <span class="function"><a href="function.openssl-get-md-methods.html" class="function">openssl_get_md_methods()</a></span></td>
</tr>
<tr>
<td>x509_extensions</td>
<td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td>
<td>x509_extensions</td>
<td>Selects which extensions should be used when creating an x509
certificate</td>
</tr>
<tr>
<td>req_extensions</td>
<td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td>
<td>req_extensions</td>
<td>Selects which extensions should be used when creating a CSR</td>
</tr>
<tr>
<td>private_key_bits</td>
<td><span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span></td>
<td>default_bits</td>
<td>Specifies how many bits should be used to generate a private
key</td>
</tr>
<tr>
<td>private_key_type</td>
<td><span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span></td>
<td>none</td>
<td>Specifies the type of private key to create. This can be one
of <strong><code>OPENSSL_KEYTYPE_DSA</code></strong>,
<strong><code>OPENSSL_KEYTYPE_DH</code></strong>,
<strong><code>OPENSSL_KEYTYPE_RSA</code></strong> or
<strong><code>OPENSSL_KEYTYPE_EC</code></strong>.
The default value is <strong><code>OPENSSL_KEYTYPE_RSA</code></strong>.
</td>
</tr>
<tr>
<td>encrypt_key</td>
<td><span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span></td>
<td>encrypt_key</td>
<td>Should an exported key (with passphrase) be encrypted?</td>
</tr>
<tr>
<td>encrypt_key_cipher</td>
<td><span class="type"><a href="language.types.integer.html" class="type integer">integer</a></span></td>
<td>none</td>
<td>
One of <a href="openssl.ciphers.html" class="link">cipher constants</a>.
</td>
</tr>
<tr>
<td>curve_name</td>
<td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td>
<td>none</td>
<td>
PHP 7.1+, One of <span class="function"><a href="function.openssl-get-curve-names.html" class="function">openssl_get_curve_names()</a></span>.
</td>
</tr>
<tr>
<td>config</td>
<td><span class="type"><a href="language.types.string.html" class="type string">string</a></span></td>
<td>N/A</td>
<td>
Path to your own alternative openssl.conf file.
</td>
</tr>
</tbody>
</table>
</p>
</dd>
<dt>
<code class="parameter">extraattribs</code></dt>
<dd>
<p class="para">
<code class="parameter">extraattribs</code> is used to specify additional
configuration options for the CSR. Both <code class="parameter">dn</code> and
<code class="parameter">extraattribs</code> are associative arrays whose keys are
converted to OIDs and applied to the relevant part of the request.
</p>
</dd>
</dl>
</p>
</div>
<div class="refsect1 returnvalues" id="refsect1-function.openssl-csr-new-returnvalues">
<h3 class="title">Return Values</h3>
<p class="para">
Returns the CSR or <strong><code>FALSE</code></strong> on failure.
</p>
</div>
<div class="refsect1 examples" id="refsect1-function.openssl-csr-new-examples">
<h3 class="title">Examples</h3>
<p class="para">
<div class="example" id="example-960">
<p><strong>Example #1 Creating a self-signed certificate</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// for SSL server certificates the commonName is the domain name to be secured<br />// for S/MIME email certificates the commonName is the owner of the email address<br />// location and identification fields refer to the owner of domain or email subject to be secured<br /></span><span style="color: #0000BB">$dn </span><span style="color: #007700">= array(<br /> </span><span style="color: #DD0000">"countryName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"GB"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"stateOrProvinceName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"Somerset"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"localityName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"Glastonbury"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"organizationName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"The Brain Room Limited"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"organizationalUnitName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"PHP Documentation Team"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"commonName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"Wez Furlong"</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"emailAddress" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"wez@example.com"<br /></span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// Generate a new private (and public) key pair<br /></span><span style="color: #0000BB">$privkey </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_pkey_new</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"private_key_bits" </span><span style="color: #007700">=> </span><span style="color: #0000BB">2048</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"private_key_type" </span><span style="color: #007700">=> </span><span style="color: #0000BB">OPENSSL_KEYTYPE_RSA</span><span style="color: #007700">,<br />));<br /><br /></span><span style="color: #FF8000">// Generate a certificate signing request<br /></span><span style="color: #0000BB">$csr </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_new</span><span style="color: #007700">(</span><span style="color: #0000BB">$dn</span><span style="color: #007700">, </span><span style="color: #0000BB">$privkey</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha256'</span><span style="color: #007700">));<br /><br /></span><span style="color: #FF8000">// Generate a self-signed cert, valid for 365 days<br /></span><span style="color: #0000BB">$x509 </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_sign</span><span style="color: #007700">(</span><span style="color: #0000BB">$csr</span><span style="color: #007700">, </span><span style="color: #0000BB">null</span><span style="color: #007700">, </span><span style="color: #0000BB">$privkey</span><span style="color: #007700">, </span><span style="color: #0000BB">$days</span><span style="color: #007700">=</span><span style="color: #0000BB">365</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha256'</span><span style="color: #007700">));<br /><br /></span><span style="color: #FF8000">// Save your private key, CSR and self-signed cert for later use<br /></span><span style="color: #0000BB">openssl_csr_export</span><span style="color: #007700">(</span><span style="color: #0000BB">$csr</span><span style="color: #007700">, </span><span style="color: #0000BB">$csrout</span><span style="color: #007700">) and </span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$csrout</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">openssl_x509_export</span><span style="color: #007700">(</span><span style="color: #0000BB">$x509</span><span style="color: #007700">, </span><span style="color: #0000BB">$certout</span><span style="color: #007700">) and </span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$certout</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">openssl_pkey_export</span><span style="color: #007700">(</span><span style="color: #0000BB">$privkey</span><span style="color: #007700">, </span><span style="color: #0000BB">$pkeyout</span><span style="color: #007700">, </span><span style="color: #DD0000">"mypassword"</span><span style="color: #007700">) and </span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$pkeyout</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// Show any errors that occurred here<br /></span><span style="color: #007700">while ((</span><span style="color: #0000BB">$e </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_error_string</span><span style="color: #007700">()) !== </span><span style="color: #0000BB">false</span><span style="color: #007700">) {<br /> echo </span><span style="color: #0000BB">$e </span><span style="color: #007700">. </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br />}<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
</div>
<div class="example" id="example-961">
<p><strong>Example #2 Creating a self-signed ECC certificate in PHP 7.1+</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$subject </span><span style="color: #007700">= array(<br /> </span><span style="color: #DD0000">"commonName" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"docs.php.net"</span><span style="color: #007700">,<br />);<br /><br /></span><span style="color: #FF8000">// Generate a new private (and public) key pair<br /></span><span style="color: #0000BB">$private_key </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_pkey_new</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"private_key_type" </span><span style="color: #007700">=> </span><span style="color: #0000BB">OPENSSL_KEYTYPE_EC</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"curve_name" </span><span style="color: #007700">=> </span><span style="color: #DD0000">'prime256v1'</span><span style="color: #007700">,<br />));<br /><br /></span><span style="color: #FF8000">// Generate a certificate signing request<br /></span><span style="color: #0000BB">$csr </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_new</span><span style="color: #007700">(</span><span style="color: #0000BB">$subject</span><span style="color: #007700">, </span><span style="color: #0000BB">$private_key</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha384'</span><span style="color: #007700">));<br /><br /></span><span style="color: #FF8000">// Generate self-signed EC cert<br /></span><span style="color: #0000BB">$x509 </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_sign</span><span style="color: #007700">(</span><span style="color: #0000BB">$csr</span><span style="color: #007700">, </span><span style="color: #0000BB">null</span><span style="color: #007700">, </span><span style="color: #0000BB">$private_key</span><span style="color: #007700">, </span><span style="color: #0000BB">$days</span><span style="color: #007700">=</span><span style="color: #0000BB">365</span><span style="color: #007700">, array(</span><span style="color: #DD0000">'digest_alg' </span><span style="color: #007700">=> </span><span style="color: #DD0000">'sha384'</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">openssl_x509_export_to_file</span><span style="color: #007700">(</span><span style="color: #0000BB">$x509</span><span style="color: #007700">, </span><span style="color: #DD0000">'ecc-cert.pem'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">openssl_pkey_export_to_file</span><span style="color: #007700">(</span><span style="color: #0000BB">$private_key</span><span style="color: #007700">, </span><span style="color: #DD0000">'ecc-private.key'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
</div>
</p>
</div>
<div class="refsect1 seealso" id="refsect1-function.openssl-csr-new-seealso">
<h3 class="title">See Also</h3>
<p class="para">
<ul class="simplelist">
<li class="member"><span class="function"><a href="function.openssl-csr-sign.html" class="function" rel="rdfs-seeAlso">openssl_csr_sign()</a> - Sign a CSR with another certificate (or itself) and generate a certificate</span></li>
</ul>
</p>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.openssl-csr-get-subject.html">openssl_csr_get_subject</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.openssl-csr-sign.html">openssl_csr_sign</a></div>
<div class="up"><a href="ref.openssl.html">OpenSSL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
