{"id":18765323,"url":"https://github.com/setasign/cloud-kms-csr","last_synced_at":"2025-09-11T13:42:37.623Z","repository":{"id":37979253,"uuid":"330927532","full_name":"Setasign/Cloud-KMS-CSR","owner":"Setasign","description":"Certificate signing request and self-signed certificate generator/updater for cloud Key Management Systems","archived":false,"fork":false,"pushed_at":"2024-12-06T10:31:15.000Z","size":115,"stargazers_count":7,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-28T22:09:36.143Z","etag":null,"topics":["aatl","cloud","csr","kms","signature","x509"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Setasign.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-01-19T09:27:52.000Z","updated_at":"2024-12-05T16:41:09.000Z","dependencies_parsed_at":"2024-01-16T10:30:04.237Z","dependency_job_id":"e0cee26d-bd06-4fb2-995a-7ede9e6b503a","html_url":"https://github.com/Setasign/Cloud-KMS-CSR","commit_stats":{"total_commits":32,"total_committers":4,"mean_commits":8.0,"dds":0.40625,"last_synced_commit":"09cb5394e280b128cb018b9cd75d02ed2e744d49"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/Setasign/Cloud-KMS-CSR","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Setasign%2FCloud-KMS-CSR","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Setasign%2FCloud-KMS-CSR/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Setasign%2FCloud-KMS-CSR/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Setasign%2FCloud-KMS-CSR/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Setasign","download_url":"https://codeload.github.com/Setasign/Cloud-KMS-CSR/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Setasign%2FCloud-KMS-CSR/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274647965,"owners_count":25324293,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-11T02:00:13.660Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aatl","cloud","csr","kms","signature","x509"],"created_at":"2024-11-07T18:33:34.114Z","updated_at":"2025-09-11T13:42:37.595Z","avatar_url":"https://github.com/Setasign.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Certificate signing request and self-signed certificate generator/updater for cloud Key Management Systems\n\nThis project offers some PHP classes to use keys stored in \n[Amazon KMS](https://aws.amazon.com/kms/) or \n[Google Cloud KMS](https://cloud.google.com/security-key-management) to create\ncertificate signing request (CSRs) and self-signed certificates (for testing purpose).\n\nIt is based on functionalities of the [SetaPDF-Signer](https://www.setasign.com/signer)\ncomponent. The [SetaPDF-Signer](https://www.setasign.com/signer) component is a digital\nsignature solution for PDF documents in pure PHP.\n\nBoth AWS KMS and Google Cloud KMS allow you to store your keys on hardware security\nmodules (HSMs). By doing this you can request certificates from certificate\nauthorities \nwhich validate through the\n[Adobe Approved Trust List](https://helpx.adobe.com/acrobat/kb/approved-trust-list2.html)\n(AATL).\n\nThe resulting certificates can then be used with the modules for the\n[SetaPDF-Signer](https://www.setasign.com/signer) component:\n\n- Module for [Amazon AWS KMS](https://github.com/Setasign/SetaPDF-Signer-Addon-AWS-KMS)\n- Module for [Google Cloud KMS](https://github.com/Setasign/SetaPDF-Signer-Addon-Google-Cloud-KMS)\n\n## Installation\n\nAdd following to your composer.json:\n\n```json\n{\n    \"require\": {\n        \"setasign/cloud-kms-csr\": \"^1.0\"\n    },\n    \"repositories\": [\n        {\n            \"type\": \"composer\",\n            \"url\": \"https://www.setasign.com/downloads/\"\n        }\n    ]\n}\n```\n\nand execute `composer update`. You need to define the `repository` to evaluate the dependency to the\n[SetaPDF-Signer](https://www.setasign.com/signer) component\n(see [here](https://getcomposer.org/doc/faqs/why-can%27t-composer-load-repositories-recursively.md)\nfor more details).\n\nThe Setasign repository requires authentication data. Please check your personal [composer settings](https://www.setasign.com/my-setasign/composer-settings/) on our website for how to create authentication tokens. \n\nDepending on what KMS service you want to use make sure that you setup the\nauthentication for them:\n\n- [Credentials for the AWS SDK for PHP Version 3](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html)\n- [Google Cloud KMS Client Libraries](https://cloud.google.com/kms/docs/reference/libraries#setting_up_authentication)\n\nWe use authentication data from environment variables for demonstration purpose\nthroughout.\n\n## How it works\n\nWe implemented two classes representing a CSR and a X.509 certificate instance.\nThey need to be initialized by an existing CSR or certificate. For creation of \nnew CSRs or certificates there's a static `create()` method in both classes which\nuses standard OpenSSL functions to create the CSR and certificate.\n\nThen there's an `update()` method that accepts either an instance of\n`AwsKMS\\Updater` or `GoogleCloudKMS\\Updater` as its parameter.\n\nInternally all key information, algorithms and signature were updated with the use\nof the key stored in the KMS then. \n\nFor communication with the KMS services we use the official client libraries:\n\n- [AWS SDK for PHP Version 3](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/welcome.html)\n- [Google Cloud KMS for PHP](https://github.com/googleapis/google-cloud-php-kms)\n\n## Create a self-signed certificate\n\nBefore you start to request a real certificate from a certificate authority or you \nsimply want to test the KMS service, you can create a self-signed certificated the\nfollowing way:\n\n### Google Cloud KMS\n\nIn Google Cloud KMS all things like algorithm, hash and padding are configured in\nthe key itself. So it is straight forward to create a self-signed certificate:\n\n```php\n\u003c?php\n\nuse setasign\\CloudKmsCsr\\Certificate;\nuse setasign\\CloudKmsCsr\\GoogleCloudKMS;\n\nrequire_once 'vendor/autoload.php';\n\n$projectId = '\u003cYOUR-PROJECT-ID\u003e';\n$locationId = '\u003cYOUR-LOCATION-ID\u003e';\n$keyRingId = '\u003cYOUR-KEY-RING-ID\u003e';\n$keyId = '\u003cYOUR-KEY-ID\u003e';\n$versionId = '\u003cYOUR-KEY-VERSION-ID\u003e';\n\n// create an updater instance\n$updater = new GoogleCloudKMS\\Updater($projectId, $locationId, $keyRingId, $keyId, $versionId);\n\n// create a new Certificate\n$certificate = Certificate::create([\n    'commonName' =\u003e 'Test and Development',\n    'organizationName' =\u003e 'Setasign GmbH \u0026 Co. KG'\n]);\n// or\n//$certificate = new Certificate(file_get_contents('existing-x509-certificate.pem'));\n\n// update it by the key in the KMS\n$certificate-\u003eupdate($updater);\n\n// verify the certifcate\necho 'Verified: ' . ($certificate-\u003everify() ? 'YES' : 'NO');\necho \"\\n\\n\";\n\n// output PEM encoded certifcate\necho $certificate-\u003eget();\n```\n\n### AWS KMS\n\nNearly the same for AWS KMS. You only have to define the signature algorithm\nyourself. See [here](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html#key-spec-rsa-sign) and [here](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html#key-spec-ecc) for all available algorithms. Notice that these algorithms need to be supported by the used key.\n\n```php\n\u003c?php\n\nuse Aws\\Kms\\KmsClient;\nuse setasign\\CloudKmsCsr\\Certificate;\nuse setasign\\CloudKmsCsr\\AwsKMS;\n\nrequire_once 'vendor/autoload.php';\n\n$region = '\u003cREGION\u003e';\n$version = '\u003cVERSION\u003e';\n$keyId = '\u003cKEY-ID\u003e';\n$signatureAlgorithm = 'RSASSA_PKCS1_V1_5_SHA_512';\n\n$kmsClient = new KmsClient([\n    'region' =\u003e $region,\n    'version' =\u003e $version\n]);\n\n$updater = new AwsKms\\Updater($keyId, $kmsClient);\n$updater-\u003esetSignatureAlgorithm($signatureAlgorithm);\n\n$certificate = Certificate::create([\n    'commonName' =\u003e 'Test and Development',\n    'organizationName' =\u003e 'Setasign GmbH \u0026 Co. KG'\n]);\n// or\n//$certificate = new Certificate(file_get_contents('existing-x509-certificate.pem'));\n\n// update it by the key in the KMS\n$certificate-\u003eupdate($updater);\n\n// verify the certifcate\necho 'Verified: ' . ($certificate-\u003everify() ? 'YES' : 'NO');\necho \"\\n\\n\";\n\n// output PEM encoded certifcate\necho $certificate-\u003eget();\n```\n\n### Create a CSR\n\nVery simliar to the above examples but just use `Csr` instead of `Certifcate`.\n\n### Google Cloud KMS\n\n```php\n\u003c?php\n\nuse setasign\\CloudKmsCsr\\Csr;\nuse setasign\\CloudKmsCsr\\GoogleCloudKMS;\n\nrequire_once 'vendor/autoload.php';\n\n$projectId = '\u003cYOUR-PROJECT-ID\u003e';\n$locationId = '\u003cYOUR-LOCATION-ID\u003e';\n$keyRingId = '\u003cYOUR-KEY-RING-ID\u003e';\n$keyId = '\u003cYOUR-KEY-ID\u003e';\n$versionId = '\u003cYOUR-KEY-VERSION-ID\u003e';\n\n// create an updater instance\n$updater = new GoogleCloudKMS\\Updater($projectId, $locationId, $keyRingId, $keyId, $versionId);\n\n// create a new CSR\n$csr = Csr::create([\n    'countryName' =\u003e 'DE',\n    'stateOrProvinceName' =\u003e 'Niedersachen',\n    'localityName' =\u003e 'Helmstedt',\n    'organizationName' =\u003e 'Setasign GmbH \u0026 Co. KG',\n    'organizationalUnitName' =\u003e 'Testing and Development',\n    'commonName' =\u003e 'SetaPDF-Signer',\n    'emailAddress' =\u003e 'setapdf-demos@setasign.com'\n]);\n// or\n//$csr = new Csr(file_get_contents('existing-csr.pem'));\n\n// update it by the key in the KMS\n$csr-\u003eupdate($updater);\n\n// verify the CSR\necho 'Verified: ' . ($csr-\u003everify() ? 'YES' : 'NO');\necho \"\\n\\n\";\n\n// output PEM encoded CSR\necho $csr-\u003eget();\n```\n\n### AWS KMS\n\n```php\n\u003c?php\n\nuse Aws\\Kms\\KmsClient;\nuse setasign\\CloudKmsCsr\\Csr;\nuse setasign\\CloudKmsCsr\\AwsKMS;\n\nrequire_once 'vendor/autoload.php';\n\n$region = '\u003cREGION\u003e';\n$version = '\u003cVERSION\u003e';\n$keyId = '\u003cKEY-ID\u003e';\n$signatureAlgorithm = 'RSASSA_PKCS1_V1_5_SHA_512';\n\n$kmsClient = new KmsClient([\n    'region' =\u003e $region,\n    'version' =\u003e $version\n]);\n\n$updater = new AwsKms\\Updater($keyId, $kmsClient);\n$updater-\u003esetSignatureAlgorithm($signatureAlgorithm);\n\n$csr = Csr::create([\n    'countryName' =\u003e 'DE',\n    'stateOrProvinceName' =\u003e 'Niedersachen',\n    'localityName' =\u003e 'Helmstedt',\n    'organizationName' =\u003e 'Setasign GmbH \u0026 Co. KG',\n    'organizationalUnitName' =\u003e 'Testing and Development',\n    'commonName' =\u003e 'SetaPDF-Signer',\n    'emailAddress' =\u003e 'setapdf-demos@setasign.com'\n]);\n// update it by the key in the KMS\n$csr-\u003eupdate($updater);\n\n// verify the CSR\necho 'Verified: ' . ($csr-\u003everify() ? 'YES' : 'NO');\necho \"\\n\\n\";\n\n// output PEM encoded CSR\necho $csr-\u003eget();\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsetasign%2Fcloud-kms-csr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsetasign%2Fcloud-kms-csr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsetasign%2Fcloud-kms-csr/lists"}