PHPackages · Category: Utility & Helpers

setasign/cloud-kms-csr
======================

Tools to create and update certificate signing requests (CSRs) and self-signed certificates with keys from cloud key management systems (AWS KMS and Google Cloud KMS)

Version: v1.0.2 (3 months ago) · Downloads: 825.9k (↓26%) · [2 open issues](https://github.com/Setasign/Cloud-KMS-CSR/issues) · License: MIT · PHP >=8.1 <=8.4.99999 · CI: failing

Listed since Jan 25 · Last push 1 month ago · 2 watchers · Default branch: main

[Source](https://github.com/Setasign/Cloud-KMS-CSR) · [Packagist](https://packagist.org/packages/setasign/cloud-kms-csr) · [Docs](https://github.com/Setasign/Cloud-KMS-CSR) · [RSS](/packages/setasign-cloud-kms-csr/feed)

Certificate signing request and self-signed certificate generator/updater for cloud Key Management Systems
==========================================================================================================


This project offers PHP classes that use keys stored in [Amazon KMS](https://aws.amazon.com/kms/) or [Google Cloud KMS](https://cloud.google.com/security-key-management) to create certificate signing requests (CSRs) and self-signed certificates (the latter for testing purposes). The private key never leaves the KMS; only the signing operation is delegated to it.

It is based on functionality of the [SetaPDF-Signer](https://www.setasign.com/signer) component. The [SetaPDF-Signer](https://www.setasign.com/signer) component is a digital signature solution for PDF documents in pure PHP.

Both AWS KMS and Google Cloud KMS allow you to store your keys on hardware security modules (HSMs). With an HSM-backed key you can request certificates from certificate authorities that are trusted through the [Adobe Approved Trust List](https://helpx.adobe.com/acrobat/kb/approved-trust-list2.html) (AATL), which requires the signing key to be protected by hardware.

The resulting certificates can then be used with the modules for the [SetaPDF-Signer](https://www.setasign.com/signer) component:

- Module for [Amazon AWS KMS](https://github.com/Setasign/SetaPDF-Signer-Addon-AWS-KMS)
- Module for [Google Cloud KMS](https://github.com/Setasign/SetaPDF-Signer-Addon-Google-Cloud-KMS)

Installation
------------


Add the following to your composer.json:

```
{
    "require": {
        "setasign/cloud-kms-csr": "^1.0"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://www.setasign.com/downloads/"
        }
    ]
}
```

and execute `composer update`. The `repositories` entry is required so that Composer can resolve the dependency on the [SetaPDF-Signer](https://www.setasign.com/signer) component, which is not published on Packagist (see [here](https://getcomposer.org/doc/faqs/why-can%27t-composer-load-repositories-recursively.md) for why repositories are not loaded recursively).

The Setasign repository requires authentication data. Please check your personal [composer settings](https://www.setasign.com/my-setasign/composer-settings/) on our website for how to create authentication tokens.

Depending on which KMS service you want to use, make sure that you set up authentication for it:

- [Credentials for the AWS SDK for PHP Version 3](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html)
- [Google Cloud KMS Client Libraries](https://cloud.google.com/kms/docs/reference/libraries#setting_up_authentication)

Throughout this document, authentication data is taken from environment variables for demonstration purposes.

How it works
------------


We implemented two classes, one representing a CSR and one representing an X.509 certificate. Both are initialized from an existing CSR or certificate. To create a new CSR or certificate there is a static `create()` method in each class; it uses standard OpenSSL functions, and therefore a locally generated key pair, to build the initial CSR or certificate.

Then there's an `update()` method that accepts either an instance of `AwsKMS\Updater` or `GoogleCloudKMS\Updater` as its parameter.

Internally, the updater replaces the public key, the algorithm identifiers and the signature of the CSR or certificate with values derived from the key stored in the KMS: the local key used by `create()` is discarded, and the data to be signed is sent to the KMS for signing.

For communication with the KMS services we use the official client libraries:

- [AWS SDK for PHP Version 3](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/welcome.html)
- [Google Cloud KMS for PHP](https://github.com/googleapis/google-cloud-php-kms)
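The following is an added example of the create/update flow described above together with the check a practitioner should run before submitting the CSR to a CA; it is not code from the Cloud-KMS-CSR README. The namespace `setasign\CloudKmsCsr`, the argument order of the `GoogleCloudKMS\Updater` constructor, the `get()` accessor and the `KMS_*` environment variables are assumptions; only `create()` and `update()` are documented on this page. The file `kms-public-key.pem` is assumed to have been exported from the key version with `gcloud kms keys versions get-public-key ... --output-file kms-public-key.pem`.

```php
<?php
// Added example, not part of the Cloud-KMS-CSR project. Assumed: the
// setasign\CloudKmsCsr namespace, the Updater constructor arguments and get().
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use setasign\CloudKmsCsr\Csr;
use setasign\CloudKmsCsr\GoogleCloudKMS;

// Google Cloud KMS key version holding the HSM-protected private key.
// Application Default Credentials are read from the environment, e.g.
// GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
$projectId  = getenv('KMS_PROJECT_ID') ?: 'my-project';       // placeholder
$locationId = getenv('KMS_LOCATION_ID') ?: 'europe-west3';   // placeholder
$keyRingId  = getenv('KMS_KEY_RING_ID') ?: 'signing';        // placeholder
$keyId      = getenv('KMS_KEY_ID') ?: 'pdf-signing';         // placeholder
$versionId  = getenv('KMS_KEY_VERSION_ID') ?: '1';           // placeholder

// 1. create() builds the CSR with plain OpenSSL and a throw-away local key pair.
//    Only the subject matters here; key and signature are replaced in step 2.
$csr = Csr::create([
    'commonName'       => 'Example Document Signer',
    'organizationName' => 'Example GmbH',
    'countryName'      => 'DE',
]);

// 2. update() swaps in the KMS public key, fixes the algorithm identifiers and
//    re-signs the CertificationRequestInfo with the key that never leaves KMS.
$updater = new GoogleCloudKMS\Updater($projectId, $locationId, $keyRingId, $keyId, $versionId);
$csr->update($updater);

$csrPem = $csr->get(); // assumed accessor returning the PEM-encoded CSR
file_put_contents('request.csr', $csrPem);

// 3. Check before sending the CSR to a CA: the public key embedded in the CSR
//    must be the KMS key, not the throw-away key generated in step 1.
function csrPublicKeyMatches(string $csrPem, string $expectedPublicKeyPem): bool
{
    $csrKey = openssl_csr_get_public_key($csrPem);
    if ($csrKey === false) {
        throw new RuntimeException('cannot read public key from CSR: ' . openssl_error_string());
    }
    $expected = openssl_pkey_get_public($expectedPublicKeyPem);
    if ($expected === false) {
        throw new RuntimeException('cannot read expected public key: ' . openssl_error_string());
    }
    // openssl_pkey_get_details()['key'] is the canonical SubjectPublicKeyInfo PEM,
    // so a plain string comparison is sufficient.
    $fromCsr  = openssl_pkey_get_details($csrKey)['key'] ?? null;
    $fromKms  = openssl_pkey_get_details($expected)['key'] ?? null;
    return $fromCsr !== null && $fromCsr === $fromKms;
}

$expectedPem = file_get_contents('kms-public-key.pem');
if ($expectedPem === false || !csrPublicKeyMatches($csrPem, $expectedPem)) {
    fwrite(STDERR, "CSR public key does not match the KMS key version; do not submit it\n");
    exit(1);
}
echo "CSR carries the KMS public key and is ready for the CA\n";
```

The comparison in step 3 is the check that matters for the supply chain: a CSR whose public key does not belong to the KMS key version would be signed by the CA for a key that exists outside the HSM, which defeats the reason for using a KMS in the first place.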

Create a self-signed certificate
--------------------------------


Before you request a real certificate from a certificate authority, or if you simply want to test the connection to the KMS service, you can create a self-signed certificate the following way:

### Google Cloud KMS


In Google Cloud KMS the signing algorithm (key type, hash function and padding) is a property of the key version itself, so nothing has to be configured on the updater and creating a self-signed certificate is straightforward:

```
