X509.CSR (X509 v0.8.8)

Implements PKCS#10 Certificate Signing Requests (CSRs), formally known by their ASN.1 type CertificationRequest.

Summary

Types

t()

:CertificationRequest record, as used in Erlang's :public_key module

Functions

  • extension_request/1 - Returns the certificate extensions from the extensionRequest attribute.
  • from_der/1 - Parses a CSR in DER (binary) format.
  • from_der!/1 - Attempts to parse a CSR in DER (binary) format. Raises in case of failure.
  • from_pem/1 - Parses a CSR in PEM format.
  • from_pem!/1 - Attempts to parse a CSR in PEM format. Raises in case of failure.
  • new/3 - Returns a :CertificationRequest record for the given key pair and subject.
  • public_key/1 - Extracts the public key from the CSR.
  • subject/1 - Returns the Subject field of the CSR.
  • to_der/1 - Converts a CSR to DER (binary) format.
  • to_pem/1 - Converts a CSR to PEM format.
  • valid?/1 - Verifies whether a CSR has a valid signature.

Types

@opaque t()

:CertificationRequest record, as used in Erlang's :public_key module

Functions

@spec extension_request(t()) :: X509.RDNSequence.t()

Returns the certificate extensions from the extensionRequest attribute.

@spec from_der(binary()) :: {:ok, t()} | {:error, :malformed}

Parses a CSR in DER (binary) format.

Returns an :ok tuple in case of success, or an :error tuple in case of failure. Possible error reasons are:

  • :malformed - the data could not be decoded as a CSR

@spec from_der!(binary()) :: t() | no_return()

Attempts to parse a CSR in DER (binary) format. Raises in case of failure.

@spec from_pem(String.t()) :: {:ok, t()} | {:error, :malformed | :not_found}

Parses a CSR in PEM format.

Processes the first PEM entry of type CERTIFICATE REQUEST found in the input. Returns an :ok tuple in case of success, or an :error tuple in case of failure. Possible error reasons are:

  • :not_found - no PEM entry of type CERTIFICATE REQUEST was found
  • :malformed - the entry could not be decoded as a CSR

@spec from_pem!(String.t()) :: t() | no_return()

Attempts to parse a CSR in PEM format. Raises in case of failure.

Processes the first PEM entry of type CERTIFICATE REQUEST found in the input.

new(private_key, subject, opts \\ [])

Returns a :CertificationRequest record for the given key pair and subject.

Supports RSA and EC private keys. The public key is extracted from the private key (unless overridden; see Options below) and encoded, together with the subject, in the CSR. The CSR is then signed with the private key, using a configurable hash algorithm.

The private key may be specified as an 'engine reference'. Please refer to the documentation for Erlang/OTP's :crypto application for further information about engines.

The default hash algorithm is :sha256. An alternative algorithm can be specified using the :hash option. Possible values include :sha224, :sha256, :sha384, :sha512.

Older hash algorithms, supported for compatibility with older software only, include :md5 (RSA only) and :sha. The use of these algorithms is discouraged.

Options:

  • :hash - the hashing algorithm to use when signing the CSR (default: :sha256)
  • :extension_request - a list of certificate extensions to be included as an extensionRequest attribute (see X509.Certificate.Extension)
  • :public_key - the public key to include in the CSR; by default the public key is derived from the private key, but if that does not work (for certain private keys stored in an 'engine') it can be useful to override the value using this option (default: from private key)

Example:

  iex> priv = X509.PrivateKey.new_ec(:secp256r1)
  iex> csr = X509.CSR.new(priv, "/C=US/ST=NT/L=Springfield/O=ACME Inc.",
  ...>   extension_request: [
  ...>     X509.Certificate.Extension.subject_alt_name(["www.example.net"])
  ...>   ]
  ...> )
  iex> X509.CSR.valid?(csr)
  true

@spec public_key(t()) :: X509.PublicKey.t()

Extracts the public key from the CSR.

@spec subject(t()) :: X509.RDNSequence.t()

Returns the Subject field of the CSR.

@spec to_der(t()) :: binary()

Converts a CSR to DER (binary) format.

@spec to_pem(t()) :: String.t()

Converts a CSR to PEM format.

@spec valid?(t()) :: boolean()

Verifies whether a CSR has a valid signature.
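
The following is an added example, not code from the X509 project: a CA-side intake check that combines from_pem/1, valid?/1 and public_key/1. The CsrIntake module, its error atoms, the 2048-bit RSA minimum and the curve allowlist are assumptions made for illustration, and the script assumes the x509 package is available. A valid signature only shows that the requester holds the private key; the subject and requested extensions remain unverified requester input.

```elixir
defmodule CsrIntake do
  # Hypothetical helper for a CA or RA service; not part of the X509 library.

  # Assumed policy: RSA moduli of at least 2048 bits.
  @min_rsa_bits 2048
  # Assumed policy: only secp256r1 and secp384r1, given as named-curve OIDs.
  @allowed_curves [{1, 2, 840, 10045, 3, 1, 7}, {1, 3, 132, 0, 34}]

  def check(pem) when is_binary(pem) do
    # from_pem/1 errors (:not_found, :malformed) fall through unchanged.
    with {:ok, csr} <- X509.CSR.from_pem(pem),
         :ok <- check_signature(csr),
         key = X509.CSR.public_key(csr),
         :ok <- check_key(key) do
      {:ok,
       %{
         # Subject and extensions are requester-supplied: vet them before issuing.
         subject: X509.RDNSequence.to_string(X509.CSR.subject(csr)),
         requested_extensions: X509.CSR.extension_request(csr),
         public_key: key
       }}
    end
  end

  # Proof of possession: the CSR must be signed by the key it carries.
  defp check_signature(csr) do
    if X509.CSR.valid?(csr), do: :ok, else: {:error, :bad_signature}
  end

  defp check_key({:RSAPublicKey, modulus, _exponent}) do
    # Modulus length, rounded up to whole bytes.
    bits = modulus |> :binary.encode_unsigned() |> bit_size()
    if bits >= @min_rsa_bits, do: :ok, else: {:error, :weak_key}
  end

  defp check_key({{:ECPoint, _point}, {:namedCurve, oid}}) when oid in @allowed_curves, do: :ok
  defp check_key(_other), do: {:error, :weak_key}
end

# Constructed inputs: a P-256 CSR, a 1024-bit RSA CSR, and text with no PEM entry.
good = X509.PrivateKey.new_ec(:secp256r1) |> X509.CSR.new("/C=US/O=ACME Inc.") |> X509.CSR.to_pem()
weak = X509.PrivateKey.new_rsa(1024) |> X509.CSR.new("/CN=weak") |> X509.CSR.to_pem()

{:ok, info} = CsrIntake.check(good)
IO.puts(info.subject)
{:error, :weak_key} = CsrIntake.check(weak)
{:error, :not_found} = CsrIntake.check("no PEM entry here")
```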