OpenSSL Functions
PHP Manual

openssl_pkey_new

Generates a new private key

Description

OpenSSLAsymmetricKeyfalse openssl_pkey_new(arraynull $options = null)

openssl_pkey_new generates a new private key. How to obtain the public component of the key is shown in an example below.

Note: You need to have a valid openssl.cnf installed for this function to operate correctly. See the notes under the installation section for more information.

Parameters

options

It is possible to fine-tune the key generation (e.g. specifying the number of bits or parameters) using the options parameter. These options can either be algorithm-specific parameters used for key generation, or generic options used also in CSRgeneration if not specified. See openssl_csr_new for more information about how to use options for a CSR. Among those options only private_key_bits, private_key_type, curve_name, and config are used for key generation. Algorithm-specific options are used if the associative array includes one of the specific keys.

  • "rsa" key for setting RSA parameters.
    options type format required description
    "n" string binary number yes modulus
    "e" string binary number no public exponent
    "d" string binary number yes private exponent
    "p" string binary number no prime 1
    "q" string binary number no prime 2
    "dmp1" string binary number no exponent1, d mod (p-1)
    "dmq1" string binary number no exponent2, d mod (q-1)
    "iqmp" string binary number no coefficient, (inverse of q) mod p
  • "dsa" key for setting DSA parameters.
    options type format required description
    "p" string binary number no prime number (public)
    "q" string binary number no 160-bit subprime, q | p-1 (public)
    "g" string binary number no generator of subgroup (public)
    "priv_key" string PEM key no private key x
    "pub_key" string PEM key no public key y = g^x
  • "dh" key for DH (Diffie–Hellman key exchange) parameters.
    Options Type Format Required Description
    "p" string binary number no prime number (shared)
    "g" string binary number no generator of Z_p (shared)
    "priv_key" string PEM key no private DH value x
    "pub_key" string PEM key no public DH value g^x
  • "ec" key for Elliptic curve parameters
    Options Type Format Required Description
    "curve_name" string name no name of curve, see openssl_get_curve_names
    "p" string binary number no prime of the field for curve over Fp
    "a" string binary number no coofecient a of the curve for Fp: y^2 mod p = x^3 + ax + b mod p
    "b" string binary number no coofecient b of the curve for Fp: y^2 mod p = x^3 + ax + b mod p
    "seed" string binary number no optional random number seed used to generate coefficient b
    "generator" string binary encoded point no curve generator point
    "g_x" string binary number no curver generator point x coordinat
    "g_y" string binary number no curver generator point y coordinat
    "cofactor" string binary number no curve cofactor
    "order" string binary number no curve order
    "x" string binary number no x coordinate (public)
    "y" string binary number no y coordinate (public)
    "d" string binary number no private key
  • "x25519", "x448", "ed25519", "ed448" keys for Curve25519 and Curve448 parameters.
    Options Type Format Required Description
    "priv_key" string PEM key no private key
    "pub_key" string PEM key no public key

Return Values

Returns an OpenSSLAsymmetricKey instance for the pkey on success, or false on error.

Changelog

Version Description
8.4.0 Added support for Curve25519 and Curve448 based keys with the introduction of the x25519, ed25519, x448, and ed448 fields.
8.3.0 Added support for generation EC keys with custom EC parameters. Specifically with the introduction of the EC options: p, a, b, seed, generator, g_x, g_y, cofactor, and order.
8.0.0 On success, this function returns an OpenSSLAsymmetricKey instance now; previously, a resource of type OpenSSL key was returned.
7.1.0 The curve_name key of the options parameter was added to make it possible to create EC keys based on Elliptic Curve algorithms.

Examples

Example #1 Obtain the public key from a private key

<?php

$private_key = openssl_pkey_new();

$public_key_pem = openssl_pkey_get_details($private_key)['key'];
echo $public_key_pem, PHP_EOL;

$public_key = openssl_pkey_get_public($public_key_pem);
var_dump($public_key);

?>

The above example will output something similar to:

// Output prior to PHP 8.0.0; note, the function returns a resource
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknBFEherZe74BiRjTFA
hqwZ1SK7brwq7C/afnLXKhRR7jnrpfM0ypC46q8xz5UZswenZakJ7kd5fls+r4Bv
3P8XsKYLTh2m1GiWQhV1g77cNIN4qNWh70PiDO3fB2446o1LBgToQYuRZS5YQRfJ
rVD0ysgtVcCU9tjaey28HlgApOpYFTaaKPj2MBmEYpMC+kG2HhL12GfpHUi2eiXI
dXT2WskWHWvUrmQ7fJIfI92JlDokV62DH/q1oiedLs9OPNb0rL1aAmYdzaVN6XNH
x/o4Lh125v2vAPV9E3fZCDc/HDEUaahpjanMiCQEgEDp5Hr+CRkvERT5/ydN+p08
5wIDAQAB
-----END PUBLIC KEY-----

resource(6) of type (OpenSSL key)

// Output as of PHP 8.0.0; note, the function returns an object
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknBFEherZe74BiRjTFA
hqwZ1SK7brwq7C/afnLXKhRR7jnrpfM0ypC46q8xz5UZswenZakJ7kd5fls+r4Bv
3P8XsKYLTh2m1GiWQhV1g77cNIN4qNWh70PiDO3fB2446o1LBgToQYuRZS5YQRfJ
rVD0ysgtVcCU9tjaey28HlgApOpYFTaaKPj2MBmEYpMC+kG2HhL12GfpHUi2eiXI
dXT2WskWHWvUrmQ7fJIfI92JlDokV62DH/q1oiedLs9OPNb0rL1aAmYdzaVN6XNH
x/o4Lh125v2vAPV9E3fZCDc/HDEUaahpjanMiCQEgEDp5Hr+CRkvERT5/ydN+p08
5wIDAQAB
-----END PUBLIC KEY-----

object(OpenSSLAsymmetricKey)#2 (0) {
}

Example #2 Generating RSA key from parameters

<?php

$nhex = "BBF82F090682CE9C2338AC2B9DA871F7368D07EED41043A440D6B6F07454F51F" .
        "B8DFBAAF035C02AB61EA48CEEB6FCD4876ED520D60E1EC4619719D8A5B8B807F" .
        "AFB8E0A3DFC737723EE6B4B7D93A2584EE6A649D060953748834B2454598394E" .
        "E0AAB12D7B61A51F527A9A41F6C1687FE2537298CA2A8F5946F8E5FD091DBDCB";

$ehex = "11";
$dhex = "A5DAFC5341FAF289C4B988DB30C1CDF83F31251E0668B42784813801579641B2" .
        "9410B3C7998D6BC465745E5C392669D6870DA2C082A939E37FDCB82EC93EDAC9" .
        "7FF3AD5950ACCFBC111C76F1A9529444E56AAF68C56C092CD38DC3BEF5D20A93" .
        "9926ED4F74A13EDDFBE1A1CECC4894AF9428C2B7B8883FE4463A4BC85B1CB3C1";

$phex = "EECFAE81B1B9B3C908810B10A1B5600199EB9F44AEF4FDA493B81A9E3D84F632" .
        "124EF0236E5D1E3B7E28FAE7AA040A2D5B252176459D1F397541BA2A58FB6599";

$qhex = "C97FB1F027F453F6341233EAAAD1D9353F6C42D08866B1D05A0F2035028B9D86" .
        "9840B41666B42E92EA0DA3B43204B5CFCE3352524D0416A5A441E700AF461503";

$dphex = "11";
$dqhex = "11";
$qinvhex = "b06c4fdabb6301198d265bdbae9423b380f271f73453885093077fcd39e2119f" .
           "c98632154f5883b167a967bf402b4e9e2e0f9656e698ea3666edfb25798039f7";

$rsa= openssl_pkey_new([
    'rsa' => [
        'n' => hex2bin($nhex),
        'e' => hex2bin($ehex),
        'd' => hex2bin($dhex),
        'p' => hex2bin($phex),
        'q' => hex2bin($qhex),
        'dmp1' => hex2bin($dphex),
        'dmq1' => hex2bin($dqhex),
        'iqmp' => hex2bin($qinvhex),
    ],
]);
$details = openssl_pkey_get_details($rsa);
var_dump($details);

?>