reference/openssl/functions/openssl-csr-new.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<!-- EN-Revision: 5bc68add3da3cd18c40f851e944b15095d3a26aa Maintainer: duanxiaoqiang Status: ready -->
<!-- CREDITS: mowangjuanzi, Luffy -->
<refentry xml:id="function.openssl-csr-new" xmlns="http://docbook.org/ns/docbook">
 <refnamediv>
  <refname>openssl_csr_new</refname>
  <refpurpose>生成一个 <acronym>CSR</acronym></refpurpose>
 </refnamediv>
 
 <refsect1 role="description">
  &reftitle.description;
  <methodsynopsis>
   <type class="union"><type>OpenSSLCertificateSigningRequest</type><type>false</type></type><methodname>openssl_csr_new</methodname>
   <methodparam><type>array</type><parameter>distinguished_names</parameter></methodparam>
   <methodparam><modifier role="attribute">#[\SensitiveParameter]</modifier><type>OpenSSLAsymmetricKey</type><parameter role="reference">private_key</parameter></methodparam>
   <methodparam choice="opt"><type class="union"><type>array</type><type>null</type></type><parameter>options</parameter><initializer>&null;</initializer></methodparam>
   <methodparam choice="opt"><type class="union"><type>array</type><type>null</type></type><parameter>extra_attributes</parameter><initializer>&null;</initializer></methodparam>
  </methodsynopsis>
  <para>
   <function>openssl_csr_new</function> 根据 <parameter>distinguished_names</parameter> 提供的信息生成新的 <acronym>CSR</acronym>（证书签名请求）。
  </para>
  &note.openssl.cnf;
 </refsect1>

 <refsect1 role="parameters">
  &reftitle.parameters;
  <para>
   <variablelist>
    <varlistentry>
     <term><parameter>distinguished_names</parameter></term>
     <listitem>
      <para>
       在证书中使用的专有名称或主题字段。
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>private_key</parameter></term>
     <listitem>
      <para>
       <parameter>private_key</parameter> 应该被设置为由 <function>openssl_pkey_new</function> 函数预先生成(或者以其他方式从 openssl_pkey 函数集中获得)的私钥。该密钥的相应公共部分将用于签署 <acronym>CSR</acronym>。
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>options</parameter></term>
     <listitem>
      <para>
       默认通过系统里的 <literal>openssl.conf</literal> 配置来初始化请求；可以通过设置 <parameter>options</parameter> 的 <literal>config_section_section</literal> 项来指定配置文件部分。
       还可以通过将 config 键的值设置为想要使用的文件路径来指定另一个 openssl 配置文件。如果在 <parameter>options</parameter> 中存在下列键，它们的行为就像在 <literal>openssl.conf</literal> 中一样。如下表所示：
       <table>
        <title>配置覆盖</title>
        <tgroup cols="3">
         <thead>
          <row>
           <entry><parameter>options</parameter> 键</entry>
           <entry>类型</entry>
           <entry>等同于 <literal>openssl.conf</literal></entry>
           <entry>描述</entry>
          </row>
         </thead>
         <tbody>
          <row>
           <entry>digest_alg</entry>
           <entry><type>string</type></entry>
           <entry>default_md</entry>
           <entry>摘要算法或签名哈希算法，通常是 <function>openssl_get_md_methods</function> 之一。</entry>
          </row>
          <row>
           <entry>x509_extensions</entry>
           <entry><type>string</type></entry>
           <entry>x509_extensions</entry>
           <entry>选择在创建 x509 证书时应该使用哪些扩展</entry>
          </row>
          <row>
           <entry>req_extensions</entry>
           <entry><type>string</type></entry>
           <entry>req_extensions</entry>
           <entry>创建 <acronym>CSR</acronym> 时，选择使用哪个扩展</entry>
          </row>
          <row>
           <entry>private_key_bits</entry>
           <entry><type>int</type></entry>
           <entry>default_bits</entry>
           <entry>指定应该使用多少位来生成私钥</entry>
          </row>
          <row>
           <entry>private_key_type</entry>
           <entry><type>int</type></entry>
           <entry>none</entry>
           <entry>选择在创建 CSR 时应该使用哪些扩展。可选值有
            <constant>OPENSSL_KEYTYPE_DSA</constant>、
            <constant>OPENSSL_KEYTYPE_DH</constant>、
            <constant>OPENSSL_KEYTYPE_RSA</constant> 或
            <constant>OPENSSL_KEYTYPE_EC</constant>。
            默认值是 <constant>OPENSSL_KEYTYPE_RSA</constant>。
           </entry>
          </row>
          <row>
           <entry>encrypt_key</entry>
           <entry><type>bool</type></entry>
           <entry>encrypt_key</entry>
           <entry>是否应该对导出的密钥（带有密码短语）进行加密?</entry>
          </row>
          <row>
           <entry>encrypt_key_cipher</entry>
           <entry><type>int</type></entry>
           <entry>none</entry>
           <entry>
            <link linkend="openssl.ciphers">cipher constants</link> 常量之一。
           </entry>
          </row>
          <row>
           <entry>curve_name</entry>
           <entry><type>string</type></entry>
           <entry>none</entry>
           <entry>
            <function>openssl_get_curve_names</function> 之一。
           </entry>
          </row>
          <row>
           <entry>config</entry>
           <entry><type>string</type></entry>
           <entry>N/A</entry>
           <entry>
            自定义 openssl.conf 文件的路径。
           </entry>
          </row>
         </tbody>
        </tgroup>
       </table>
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>extra_attributes</parameter></term>
     <listitem>
      <para>
       <parameter>extra_attributes</parameter> 用于为 <acronym>CSR</acronym> 指定额外的配置选项。<parameter>distinguished_names</parameter> 和
       <parameter>extra_attributes</parameter> 都是关联数组它们的键被转换成 OID，并应用到请求的相关部分。
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
  </para>
 </refsect1>

 <refsect1 role="returnvalues">
  &reftitle.returnvalues;
  <para>
   成功，返回 <acronym>CSR</acronym>&return.falseforfailure;。
  </para>
 </refsect1>

 <refsect1 role="changelog">
  &reftitle.changelog;
  <informaltable>
   <tgroup cols="2">
    <thead>
     <row>
      <entry>&Version;</entry>
      <entry>&Description;</entry>
     </row>
    </thead>
    <tbody>
     <row>
      <entry>8.0.0</entry>
      <entry>
       成功时，此函数现在返回 <classname>OpenSSLCertificateSigningRequest</classname>
       实例；之前返回类型 <literal>OpenSSL X.509 CSR</literal> 的 &resource;。
      </entry>
     </row>
     <row>
      <entry>8.0.0</entry>
      <entry>
       <parameter>private_key</parameter> 现在接受 <classname>OpenSSLAsymmetricKey</classname>
       实例；之前接受类型 <literal>OpenSSL key</literal> 的 &resource;。
      </entry>
     </row>
     <row>
      <entry>7.1.0</entry>
      <entry>
       <parameter>options</parameter> 现在也支持 <literal>curve_name</literal>。
      </entry>
     </row>
    </tbody>
   </tgroup>
  </informaltable>
 </refsect1>

 <refsect1 role="examples">
  &reftitle.examples;
  <para>
   <example>
    <title>创建一个自签名的证书</title>
    <programlisting role="php">
<![CDATA[
<?php
// for SSL server certificates the commonName is the domain name to be secured
// for S/MIME email certificates the commonName is the owner of the email address
// location and identification fields refer to the owner of domain or email subject to be secured
$dn = array(
    "countryName" => "GB",
    "stateOrProvinceName" => "Somerset",
    "localityName" => "Glastonbury",
    "organizationName" => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Documentation Team",
    "commonName" => "Wez Furlong",
    "emailAddress" => "wez@example.com"
);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new(array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
));

// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));

// Generate a self-signed cert, valid for 365 days
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));

// Save your private key, CSR and self-signed cert for later use
openssl_csr_export($csr, $csrout) and var_dump($csrout);
openssl_x509_export($x509, $certout) and var_dump($certout);
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);

// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>
]]>
    </programlisting>
   </example>
   
   <example>
    <title>创建一个自签名的 ECC 证书（从 PHP 7.1.0 开始）</title>
    <programlisting role="php">
<![CDATA[
<?php
$subject = array(
    "commonName" => "docs.php.net",
);

// Generate a new private (and public) key pair
$private_key = openssl_pkey_new(array(
    "private_key_type" => OPENSSL_KEYTYPE_EC,
    "curve_name" => 'prime256v1',
));

// Generate a certificate signing request
$csr = openssl_csr_new($subject, $private_key, array('digest_alg' => 'sha384'));

// Generate self-signed EC cert
$x509 = openssl_csr_sign($csr, null, $private_key, $days=365, array('digest_alg' => 'sha384'));
openssl_x509_export_to_file($x509, 'ecc-cert.pem');
openssl_pkey_export_to_file($private_key, 'ecc-private.key');
?>
]]>
    </programlisting>
   </example>
   
   
  </para>
 </refsect1>

 <refsect1 role="seealso">
  &reftitle.seealso;
  <para>
   <simplelist>
    <member><function>openssl_csr_sign</function></member>
   </simplelist>
  </para>
 </refsect1>

</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->