NAME
Crypt::Perl::PKCS10 - Certificate Signing Request (CSR) creation
SYNOPSIS
my $pkcs10 = Crypt::Perl::PKCS10->new(
key => $private_key_obj,
subject => [
commonName => 'foo.com',
localityName => 'somewhere',
#...
],
attributes => [
[ 'extensionRequest',
[ 'subjectAltName',
[ dNSName => 'foo.com' ],
[ dNSName => 'bar.com' ],
],
],
],
);
my $der = $pkcs10->to_der();
my $pem = $pkcs10->to_pem();
DESCRIPTION
This module is for creation of (PKCS #10) certificate signing requests (CSRs). Right now it supports only a subset of what OpenSSL can create; however, it’s useful enough for use with many certificate authorities, including ACME services like Let’s Encrypt.
It’s also a good deal easier to use!
I believe this is the only CPAN module that can create CSRs for RSA, ECDSA, and Ed25519 keys. Other encryption schemes would not be difficult to integrate—but do any CAs accept them?
ECDSA KEY FORMAT
After a brief flirtation (cf. v0.13) with producing ECDSA-signed CSRs using explicit curve parameters, this module produces CSRs using named curves. Certificate authorities seem to prefer this format—which makes sense since they only allow certain curves in the first place.
SIGNATURE DIGEST ALGORITHMS
The signature digest algorithm is determined based on the passed-in key: for RSA it’s always SHA-512, and for ECDSA it’s the strongest SHA digest algorithm that the key allows (e.g., SHA-224 for a 239-bit key, etc.)
If you need additional flexibility, let me know.
(Note that Ed25519 signs an entire document rather than a digest.)
CLASS METHODS
new( NAME => VALUE, ... );
Create an instance of this class. Parameters are:
key
- An instance ofCrypt::Perl::RSA::PrivateKey
,Crypt::Perl::ECDSA::PrivateKey
, orCrypt::Perl::Ed25519::PrivateKey
. If you’ve got a DER- or PEM-encoded key string, use Crypt::Perl::PK (included in this distribution) to create an appropriate object.subject
- An array reference of arguments into Crypt::Perl::X509::Name’s constructor.attributes
- An array reference of arguments into Crypt::Perl::PKCS10::Attributes’s constructor.
TODO
Let me know what features you would find useful, ideally with a representative sample CSR that demonstrates the requested feature. (Or, better yet, send me a pull request!)
SEE ALSO
Crypt::PKCS10 - Parse CSRs, in pure Perl.
Crypt::OpenSSL::PKCS10 - Create CSRs using OpenSSL via XS. Currently this only seems to support RSA.