openssl_csr_new
openssl_csr_new
(PHP 4 >= 4.2.0, PHP 5, PHP 7)
openssl_csr_new — Generates a CSR
描述
mixed openssl_csr_new ( array $dn , resource &$privkey [, array $configargs [, array $extraattribs ]] )
openssl_csr_new()根据提供的信息生成新的 CSR(证书签名请求)dn。
注意:您需要安装有效的 openssl.cnf 才能使此功能正常运行。有关更多信息,请参阅安装部分下的说明。
参数
dn
要在证书中使用的专有名称或主题字段。
privkey
privkey应该设置为先前由 openssl_pkey_new()生成的私钥(或以其他方式从其他 openssl_pkey函数族获得)。密钥的相应公开部分将用于签署 CSR。
configargs
默认情况下,系统 openssl.conf 中的信息用于初始化请求; 您可以通过设置 config_section_section 键来指定配置文件部分configargs。您还可以通过将 config 密钥的值设置为您要使用的文件的路径来指定一个替代 openssl 配置文件。下列关键字(如果存在)在 openssl.conf 中的configargs行为与它们的等效关系相同,如下表所列。
| configargs key | type | openssl.conf equivalent | description |
|---|---|---|---|
| digest_alg | string | default_md | Digest method or signature hash, usually one of openssl_get_md_methods() |
| x509_extensions | string | x509_extensions | Selects which extensions should be used when creating an x509 certificate |
| req_extensions | string | req_extensions | Selects which extensions should be used when creating a CSR |
| private_key_bits | integer | default_bits | Specifies how many bits should be used to generate a private key |
| private_key_type | integer | none | Specifies the type of private key to create. This can be one of OPENSSL_KEYTYPE_DSA, OPENSSL_KEYTYPE_DH, OPENSSL_KEYTYPE_RSA or OPENSSL_KEYTYPE_EC. The default value is OPENSSL_KEYTYPE_RSA. |
| encrypt_key | boolean | encrypt_key | Should an exported key (with passphrase) be encrypted? |
| encrypt_key_cipher | integer | none | One of cipher constants. |
| curve_name | string | none | PHP 7.1+, One of openssl_get_curve_names(). |
| config | string | N/A | Path to your own alternative openssl.conf file. |
extraattribs
extraattribs用于指定 CSR 的其他配置选项。两个dn和extraattribs是关联数组,其键被转换成的 OID 和施加到该请求的有关部分。
返回值
返回 CSR 或FALSE失败。
例子
示例#1 创建自签名证书
<?php
// for SSL server certificates the commonName is the domain name to be secured
// for S/MIME email certificates the commonName is the owner of the email address
// location and identification fields refer to the owner of domain or email subject to be secured
$dn = array(
"countryName" => "GB",
"stateOrProvinceName" => "Somerset",
"localityName" => "Glastonbury",
"organizationName" => "The Brain Room Limited",
"organizationalUnitName" => "PHP Documentation Team",
"commonName" => "Wez Furlong",
"emailAddress" => "wez@example.com"
// Generate a new private (and public) key pair
$privkey = openssl_pkey_new(array(
"private_key_bits" => 2048,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
)
// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256')
// Generate a self-signed cert, valid for 365 days
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256')
// Save your private key, CSR and self-signed cert for later use
openssl_csr_export($csr, $csrout) and var_dump($csrout
openssl_x509_export($x509, $certout) and var_dump($certout
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout
// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
echo $e . "\n";
}
?>
Example#2在 PHP 7.1+中创建一个自签名的 ECC 证书
<?php
$subject = array(
"commonName" => "docs.php.net",
// Generate a new private (and public) key pair
$private_key = openssl_pkey_new(array(
"private_key_type" => OPENSSL_KEYTYPE_EC,
"curve_name" => 'prime256v1',
)
// Generate a certificate signing request
$csr = openssl_csr_new($subject, $private_key, array('digest_alg' => 'sha384')
// Generate self-signed EC cert
$x509 = openssl_csr_sign($csr, null, $private_key, $days=365, array('digest_alg' => 'sha384')
openssl_x509_export_to_file($x509, 'ecc-cert.pem'
openssl_pkey_export_to_file($private_key, 'ecc-private.key'
?>
