PHP 8.4.2 Released!

    openssl_pkey_new

    (PHP 4 >= 4.2.0, PHP 5, PHP 7, PHP 8)

    openssl_pkey_newGenerates a new private key

    Description

    openssl_pkey_new(?array $options = null): OpenSSLAsymmetricKey|false

    openssl_pkey_new() generates a new private key. How to obtain the public component of the key is shown in an example below.

    Note: You need to have a valid openssl.cnf installed for this function to operate correctly. See the notes under the installation section for more information.

    Parameters

    options

    It is possible to fine-tune the key generation (e.g. specifying the number of bits or parameters) using the options parameter. These options can either be algorithm-specific parameters used for key generation, or generic options used also in CSRgeneration if not specified. See openssl_csr_new() for more information about how to use options for a CSR. Among those options only private_key_bits, private_key_type, curve_name, and config are used for key generation. Algorithm-specific options are used if the associative array includes one of the specific keys.

    • "rsa" key for setting RSA parameters.
      options type format required description
      "n" string binary number yes modulus
      "e" string binary number no public exponent
      "d" string binary number yes private exponent
      "p" string binary number no prime 1
      "q" string binary number no prime 2
      "dmp1" string binary number no exponent1, d mod (p-1)
      "dmq1" string binary number no exponent2, d mod (q-1)
      "iqmp" string binary number no coefficient, (inverse of q) mod p
    • "dsa" key for setting DSA parameters.
      options type format required description
      "p" string binary number no prime number (public)
      "q" string binary number no 160-bit subprime, q | p-1 (public)
      "g" string binary number no generator of subgroup (public)
      "priv_key" string PEM key no private key x
      "pub_key" string PEM key no public key y = g^x
    • "dh" key for DH (Diffie–Hellman key exchange) parameters.
      Options Type Format Required Description
      "p" string binary number no prime number (shared)
      "g" string binary number no generator of Z_p (shared)
      "priv_key" string PEM key no private DH value x
      "pub_key" string PEM key no public DH value g^x
    • "ec" key for Elliptic curve parameters
      Options Type Format Required Description
      "curve_name" string name no name of curve, see openssl_get_curve_names()
      "p" string binary number no prime of the field for curve over Fp
      "a" string binary number no coofecient a of the curve for Fp: y^2 mod p = x^3 + ax + b mod p
      "b" string binary number no coofecient b of the curve for Fp: y^2 mod p = x^3 + ax + b mod p
      "seed" string binary number no optional random number seed used to generate coefficient b
      "generator" string binary encoded point no curve generator point
      "g_x" string binary number no curver generator point x coordinat
      "g_y" string binary number no curver generator point y coordinat
      "cofactor" string binary number no curve cofactor
      "order" string binary number no curve order
      "x" string binary number no x coordinate (public)
      "y" string binary number no y coordinate (public)
      "d" string binary number no private key
    • "x25519", "x448", "ed25519", "ed448" keys for Curve25519 and Curve448 parameters.
      Options Type Format Required Description
      "priv_key" string PEM key no private key
      "pub_key" string PEM key no public key

    Return Values

    Returns an OpenSSLAsymmetricKey instance for the pkey on success, or false on error.

    Changelog

    Version Description
    8.4.0 Added support for Curve25519 and Curve448 based keys with the introduction of the x25519, ed25519, x448, and ed448 fields.
    8.3.0 Added support for generation EC keys with custom EC parameters. Specifically with the introduction of the EC options: p, a, b, seed, generator, g_x, g_y, cofactor, and order.
    8.0.0 On success, this function returns an OpenSSLAsymmetricKey instance now; previously, a resource of type OpenSSL key was returned.
    7.1.0 The curve_name key of the options parameter was added to make it possible to create EC keys based on Elliptic Curve algorithms.

    Examples

    Example #1 Obtain the public key from a private key

    <?php

    $private_key     = openssl_pkey_new();

    $public_key_pem = openssl_pkey_get_details($private_key)['key'];
    echo     $public_key_pem, PHP_EOL;

    $public_key = openssl_pkey_get_public($public_key_pem);
    var_dump($public_key);

    ?>

    The above example will output something similar to:

    // Output prior to PHP 8.0.0; note, the function returns a resource
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknBFEherZe74BiRjTFA
hqwZ1SK7brwq7C/afnLXKhRR7jnrpfM0ypC46q8xz5UZswenZakJ7kd5fls+r4Bv
3P8XsKYLTh2m1GiWQhV1g77cNIN4qNWh70PiDO3fB2446o1LBgToQYuRZS5YQRfJ
rVD0ysgtVcCU9tjaey28HlgApOpYFTaaKPj2MBmEYpMC+kG2HhL12GfpHUi2eiXI
dXT2WskWHWvUrmQ7fJIfI92JlDokV62DH/q1oiedLs9OPNb0rL1aAmYdzaVN6XNH
x/o4Lh125v2vAPV9E3fZCDc/HDEUaahpjanMiCQEgEDp5Hr+CRkvERT5/ydN+p08
5wIDAQAB
-----END PUBLIC KEY-----

resource(6) of type (OpenSSL key)

// Output as of PHP 8.0.0; note, the function returns an object
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknBFEherZe74BiRjTFA
hqwZ1SK7brwq7C/afnLXKhRR7jnrpfM0ypC46q8xz5UZswenZakJ7kd5fls+r4Bv
3P8XsKYLTh2m1GiWQhV1g77cNIN4qNWh70PiDO3fB2446o1LBgToQYuRZS5YQRfJ
rVD0ysgtVcCU9tjaey28HlgApOpYFTaaKPj2MBmEYpMC+kG2HhL12GfpHUi2eiXI
dXT2WskWHWvUrmQ7fJIfI92JlDokV62DH/q1oiedLs9OPNb0rL1aAmYdzaVN6XNH
x/o4Lh125v2vAPV9E3fZCDc/HDEUaahpjanMiCQEgEDp5Hr+CRkvERT5/ydN+p08
5wIDAQAB
-----END PUBLIC KEY-----

object(OpenSSLAsymmetricKey)#2 (0) {
}

    Example #2 Generating RSA key from parameters

    <?php

    $nhex     = "BBF82F090682CE9C2338AC2B9DA871F7368D07EED41043A440D6B6F07454F51F" .
    "B8DFBAAF035C02AB61EA48CEEB6FCD4876ED520D60E1EC4619719D8A5B8B807F" .
    "AFB8E0A3DFC737723EE6B4B7D93A2584EE6A649D060953748834B2454598394E" .
    "E0AAB12D7B61A51F527A9A41F6C1687FE2537298CA2A8F5946F8E5FD091DBDCB";

    $ehex = "11";
    $dhex = "A5DAFC5341FAF289C4B988DB30C1CDF83F31251E0668B42784813801579641B2" .
    "9410B3C7998D6BC465745E5C392669D6870DA2C082A939E37FDCB82EC93EDAC9" .
    "7FF3AD5950ACCFBC111C76F1A9529444E56AAF68C56C092CD38DC3BEF5D20A93" .
    "9926ED4F74A13EDDFBE1A1CECC4894AF9428C2B7B8883FE4463A4BC85B1CB3C1";

    $phex = "EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632" .
    "124EF0236E5D1E3B7E28FAE7AA040A2D5B252176459D1F397541BA2A58FB6599";

    $qhex = "C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D86" .
    "9840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503";

    $dphex = "11";
    $dqhex = "11";
    $qinvhex = "b06c4fdabb6301198d265bdbae9423b380f271f73453885093077fcd39e2119f" .
    "c98632154f5883b167a967bf402b4e9e2e0f9656e698ea3666edfb25798039f7";

    $rsa= openssl_pkey_new([
    'rsa' => [
    'n' => hex2bin($nhex),
    'e' => hex2bin($ehex),
    'd' => hex2bin($dhex),
    'p' => hex2bin($phex),
    'q' => hex2bin($qhex),
    'dmp1' => hex2bin($dphex),
    'dmq1' => hex2bin($dqhex),
    'iqmp' => hex2bin($qinvhex),
    ],
    ]);
    $details = openssl_pkey_get_details($rsa);
    var_dump($details);

    ?>

    Found A Problem?

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 7 notes

    up
    50
    dirt at awoms dot com
    11 years ago
    Working example:

    $config = array(
    "digest_alg" => "sha512",
    "private_key_bits" => 4096,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    );

    // Create the private and public key
    $res = openssl_pkey_new($config);

    // Extract the private key from $res to $privKey
    openssl_pkey_export($res, $privKey);

    // Extract the public key from $res to $pubKey
    $pubKey = openssl_pkey_get_details($res);
    $pubKey = $pubKey["key"];

    $data = 'plaintext data goes here';

    // Encrypt the data to $encrypted using the public key
    openssl_public_encrypt($data, $encrypted, $pubKey);

    // Decrypt the data using the private key and store the results in $decrypted
    openssl_private_decrypt($encrypted, $decrypted, $privKey);

    echo $decrypted;
    up
    18
    gomez dot alejandre at gmail dot com
    6 years ago
    Not forget the $configArgs for windows users :D, or the method throws a error with the primary key

    //write your configurations :D
    $configargs = array(
    "config" => "C:/xampp/php/extras/openssl/openssl.cnf",
    'private_key_bits'=> 2048,
    'default_md' => "sha256",
    );

    // Create the keypair
    $res=openssl_pkey_new($configargs);
    // Get private key
    openssl_pkey_export($res, $privKey,NULL,$configargs);

    and it's for all methods ._ .

    a full implementation example here.

    https://gist.github.com/DuckHunter213/269a0efd17e709f7f1f177ae7da46ad1

    this error take me 3 full days you'r welcome :)
    up
    13
    scott at brynen dot com
    9 years ago
    If you try and generate a new key using openssl_pkey_new(), and need to specify the size of the key, the key MUST be type-bound to integer

    // works
    $keysize = 1024;
    $ssl = openssl_pkey_new (array('private_key_bits' => $keysize));

    // fails
    $keysize = "1024";
    $ssl = openssl_pkey_new (array('private_key_bits' => $keysize));

    // works (force to int)
    $keysize = "1024";
    $ssl = openssl_pkey_new (array('private_key_bits' => (int)$keysize));
    up
    3
    Andrew
    3 years ago
    It's not documented here but you can also create ECC keys from existing key parameters (e.g. from JWK):

    <?php
    $key     = openssl_pkey_new([
    'ec' => [
    'curve_name' => 'prime256v1',
    'x' => $someXValue,
    'y' => $someYValue,
    'd' => $someDValue
    ]
    ]);
    ?>

    You can just provide x/y if it's a public key, or you can just provide d if it's a private key.
    up
    5
    Brad
    16 years ago
    It's easier than all that, if you just want the keys:

    <?php
    // Create the keypair
    $res=openssl_pkey_new();

    // Get private key
    openssl_pkey_export($res, $privkey);

    // Get public key
    $pubkey=openssl_pkey_get_details($res);
    $pubkey=$pubkey["key"];
    ?>
    up
    0
    Jan
    5 years ago
    In case this function returns false, then check your openssl.cnf and make sure that in the [req] section of this file the entry default_bits is not commented out.
    up
    -1
    dodginess at yahoo dot com
    7 years ago
    If you're using openssl_pkey_new() in conjunction with openssl_csr_new() and want to change the CSR digest algorithm as well as specify a custom key size, the configuration override should be defined once and sent to both functions:

    <?php
    $config     = array(
    'digest_alg' => 'sha1',
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    );

    $privkey = openssl_pkey_new($config);

    $csr = openssl_csr_new($dn, $privkey, $config);
    ?>

    Although openssl_pkey_new() will accept the 'digest_alg' argument it won't use it, and setting the value has no effect unless you also set this value for openssl_csr_new(). The reason for this is that the $config array is acting as a drop-in replacement for the values found in the openssl.cnf file, so it must contain all of the override values that you need even if the function they're being sent to won't use them.

    Also, if you change the 'digest_alg' to something like 'sha256' and still get an MD5 signed CSR check your openssl.cnf file to see whether the digest algorithm you want to use is actually supported.
    add a note
    To Top