View Source X509.CSR (X509 v0.8.7)
Implements PKCS#10 Certificate Signing Requests (CSRs), formally known by their ASN.1 type CertificationRequest.
Link to this section Summary
Functions
Returns the certificate extensions from the extensionRequest
attribute.
Parses a CSR in DER (binary) format.
Attempts to parse a CSR in DER (binary) format. Raises in case of failure.
Parses a CSR in PEM format.
Attempts to parse a CSR in PEM format. Raises in case of failure.
Returns a :CertificationRequest
record for the given key pair and subject.
Extracts the public key from the CSR.
Returns the Subject field of the CSR.
Converts a CSR to DER (binary) format.
Converts a CSR to PEM format.
Verifies whether a CSR has a valid signature.
Link to this section Types
@opaque t()
:CertificationRequest
record , as used in Erlang's :public_key
module
Link to this section Functions
@spec extension_request(t()) :: X509.RDNSequence.t()
Returns the certificate extensions from the extensionRequest
attribute.
Parses a CSR in DER (binary) format.
Returns an :ok
tuple in case of success, or an :error
tuple in case of
failure. Possible error reasons are:
:malformed
- the data could not be decoded as a CSR
Attempts to parse a CSR in DER (binary) format. Raises in case of failure.
Parses a CSR in PEM format.
Processes the first PEM entry of type CERTIFICATE REQUEST found in the input.
Returns an :ok
tuple in case of success, or an :error
tuple in case of
failure. Possible error reasons are:
:not_found
- no PEM entry of type CERTIFICATE REQUEST was found:malformed
- the entry could not be decoded as a CSR
Attempts to parse a CSR in PEM format. Raises in case of failure.
Processes the first PEM entry of type CERTIFICATE REQUEST found in the input.
@spec new( X509.PrivateKey.t() | :crypto.engine_key_ref(), String.t() | X509.RDNSequence.t(), Keyword.t() ) :: t()
Returns a :CertificationRequest
record for the given key pair and subject.
Supports RSA and EC private keys. The public key is extracted from the private key (unless overridden; see Options below) and encoded, together with the subject, in the CSR. The CSR is then signed with the private key, using a configurable hash algorithm.
The private key may be specified as an 'engine reference'. Please refer to
documentation for Erlang/OTP's :crypto
application for further information
about engines.
The default hash algorithm is :sha256
. An alternative algorithm can be
specified using the :hash
option. Possible values include :sha224
,
:sha256
, :sha384
, :sha512
.
Older hash algorithms, supported for compatibility with older software only,
include :md5
(RSA only) and :sha
. The use of these algorithms is
discouraged.
options
Options:
:hash
- the hashing algorithm to use when signing the CSR (default::sha256
):extension_request
- a list of certificate extensions to be included as anextensionRequest
attribute (seeX509.Certificate.Extension
):public_key
- the public key to include in the CSR; by default the public key is derived from the private key, but if that does not work (for certain private keys stored in an 'engine') it can be useful to override the value using this option (default: from private key)
example
Example:
iex> priv = X509.PrivateKey.new_ec(:secp256r1)
iex> csr = X509.CSR.new(priv, "/C=US/ST=NT/L=Springfield/O=ACME Inc.",
...> extension_request: [
...> X509.Certificate.Extension.subject_alt_name(["www.example.net"])
...> ]
...> )
iex> X509.CSR.valid?(csr)
true
@spec public_key(t()) :: X509.PublicKey.t()
Extracts the public key from the CSR.
@spec subject(t()) :: X509.RDNSequence.t()
Returns the Subject field of the CSR.
Converts a CSR to DER (binary) format.
Converts a CSR to PEM format.
Verifies whether a CSR has a valid signature.