user1717483

Reputation: 121

Generate a 2048-bit and password-protected CSR?

I'm trying to generate a CSR via PHP. But the CA keeps denying my CSR since they say it's not 2048 bits and not protected with a password. But when I look in the PHP documentation for the function openssl_csr_new() I can't find how to do it.

My current code:

$dn = array(
    'countryName' => $countryName,
    'stateOrProvinceName' => $stateOrProvinceName,
    'localityName' => $localityName,
    'organizationName' => $organizationName,
    'commonName' => $commonName,
    'emailAddress' => $emailAddress
);

if (!empty($organizationalUnitName))
    $dn['organizationalUnitName'] = $organizationalUnitName;

$csrSettings = array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'encrypt_key' => true);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new($csrSettings);

// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey, $csrSettings);
openssl_csr_export($csr, $csrout);
openssl_pkey_export($privkey, $pkeyout);

What am I doing wrong?

------ Updated code: -------

$dn = array(
    'countryName' => $countryName,
    'stateOrProvinceName' => $stateOrProvinceName,
    'localityName' => $localityName,
    'organizationName' => $organizationName,
    'commonName' => $commonName,
    'emailAddress' => $emailAddress
);

if (!empty($organizationalUnitName))
    $dn['organizationalUnitName'] = $organizationalUnitName;

$csrSettings = array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'encrypt_key' => true);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new($csrSettings);

// Generate a certificate signing request
openssl_pkey_export($privkey, $pkeyout, 'test 1235 aaaaa');

$csr = openssl_csr_new($dn, $pkeyout, $csrSettings);
openssl_csr_export($csr, $csrout);

Upvotes: 1

Views: 2533

Answers (2)

rishadan

Reputation: 11

With phpseclib, a pure PHP CSR implementation,

<?php
include('File/X509.php');
include('Crypt/RSA.php');

// Generate a 2048-bit RSA key pair; createKey() returns $privatekey and $publickey
$privKey = new Crypt_RSA();
extract($privKey->createKey(2048));
$privKey->loadKey($privatekey);

// Build the CSR subject and sign the request with the private key
$x509 = new File_X509();
$x509->setPrivateKey($privKey);
$x509->setDNProp('id-at-organizationName', 'phpseclib demo cert');

$csr = $x509->signCSR();

// Output the CSR in PEM form; this is all the CA needs to see
echo $x509->saveCSR($csr);
?>

You can't password protect CSRs, however. You can password protect the private key, but you shouldn't be sharing the private key with the CA anyway.

If the CA insists, you can ask them for an example of how you can do so with OpenSSL via the CLI. Maybe they're just not being very clear about what they mean, but having the CLI command will let us know for sure.

Upvotes: 1

Mike

Reputation: 24393

You've got the order all wrong and for some reason you're doing openssl_pkey_new() twice. I would highly suggest that you go through the documentation and actually understand what all of these functions can do because your website's security depends on it. This is what you want:

$dn = array(
    'countryName' => $countryName,
    'stateOrProvinceName' => $stateOrProvinceName,
    'localityName' => $localityName,
    'organizationName' => $organizationName,
    'commonName' => $commonName,
    'emailAddress' => $emailAddress
);

$csrSettings = array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'encrypt_key' => true);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new($csrSettings);

// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey, $csrSettings);

openssl_csr_export($csr, $csrout);
openssl_pkey_export($privkey, $pkeyout, "test 1235 aaaaa");

echo $csrout . "\n" . $pkeyout;

Output example:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

Upvotes: 0
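
The two answers agree on the actual requirement: a 2048-bit RSA key, a CSR signed with it, and a passphrase on the private key file (not on the CSR). The following is an added example, not code from the question or from either answer. It does with the OpenSSL CLI (the command rishadan suggests asking the CA for) what Mike's PHP does, and then runs the checks a CA applies to a submitted CSR: modulus size read from the CSR, an encrypted PKCS#8 key file, a valid self-signature, and a public key that matches the private key. It assumes the openssl binary is on PATH; the file names, subject fields and passphrase are made up for the demo, and the unprotected key is generated only to show what the check rejects.

```shell
#!/bin/sh
# Added example (not from the question or either answer): OpenSSL CLI
# equivalent of the PHP flow, plus the checks a CA runs on what it receives.
# Assumes the openssl binary is on PATH. File names, subject fields and the
# passphrase are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/server.key"
CSR="$WORK/server.csr"
PLAIN_KEY="$WORK/unprotected.key"
PASS='test 1235 aaaaa'   # demo passphrase only; use a real one in production

# Generate a 2048-bit RSA key and encrypt the private key (PKCS#8, AES-256-CBC).
gen_key() {   # gen_key <out-file> <passphrase>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$2" -out "$1" 2>/dev/null
}

# Sign a CSR with the encrypted key; only the CSR (public key + DN) goes to the CA.
gen_csr() {   # gen_csr <key-file> <passphrase> <out-file>
    openssl req -new -sha256 -key "$1" -passin "pass:$2" \
        -subj '/C=US/ST=California/L=San Francisco/O=Example Ltd/CN=www.example.com/emailAddress=admin@example.com' \
        -out "$3" 2>/dev/null
}

# Modulus size the CA sees, read from the CSR itself (prints e.g. 2048).
csr_key_bits() {   # csr_key_bits <csr-file>
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True when the PEM is an encrypted PKCS#8 blob rather than a bare private key.
key_is_encrypted() {   # key_is_encrypted <key-file>
    head -n 1 "$1" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$'
}

# True when the CSR's self-signature verifies (proof of possession of the key).
csr_verifies() {   # csr_verifies <csr-file>
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# True when the public key embedded in the CSR matches the given private key.
csr_matches_key() {   # csr_matches_key <csr-file> <key-file> <passphrase>
    from_csr=$(openssl req -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
    [ "$from_csr" = "$from_key" ]
}

gen_key "$KEY" "$PASS"
gen_csr "$KEY" "$PASS" "$CSR"

# The weak setting beside the good one: a key written with no passphrase at all.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PLAIN_KEY" 2>/dev/null

echo "CSR key size:        $(csr_key_bits "$CSR") bit"
echo "Key encrypted:       $(key_is_encrypted "$KEY" && echo yes || echo no)"
echo "Plain key encrypted: $(key_is_encrypted "$PLAIN_KEY" && echo yes || echo no)"
echo "CSR verifies:        $(csr_verifies "$CSR" && echo yes || echo no)"
echo "CSR matches key:     $(csr_matches_key "$CSR" "$KEY" "$PASS" && echo yes || echo no)"
```

Run the same csr_key_bits and key_is_encrypted checks against the $csrout and $pkeyout that the PHP code writes out; if the CSR reports 2048 bit and the key file starts with BEGIN ENCRYPTED PRIVATE KEY, whatever the CA is rejecting is something other than key size or key protection, and the CLI command from the CA is the next thing to ask for.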
