<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.9 $ -->
<!-- splitted from ./en/functions/openssl.xml, last change in rev 1.19 -->
<refentry id="function.openssl-csr-sign">
 <refnamediv>
  <refname>openssl_csr_sign</refname>
  <refpurpose>Sign a CSR with another certificate (or itself) and generate a certificate</refpurpose>
 </refnamediv>
 <refsect1>
  <title>Description</title>
  <methodsynopsis>
   <type>resource</type><methodname>openssl_csr_sign</methodname>
   <methodparam><type>mixed</type><parameter>csr</parameter></methodparam>
   <methodparam><type>mixed</type><parameter>cacert</parameter></methodparam>
   <methodparam><type>mixed</type><parameter>priv_key</parameter></methodparam>
   <methodparam><type>int</type><parameter>days</parameter></methodparam>
   <methodparam choice="opt"><type>array</type><parameter>configargs</parameter></methodparam>
   <methodparam choice="opt"><type>int</type><parameter>serial</parameter></methodparam>
  </methodsynopsis>
  <para>
   <function>openssl_csr_sign</function> generates an x509 certificate
   resource from the given CSR. <parameter>csr</parameter> is usually the
   resource previously generated by <function>openssl_csr_new</function>,
   but it can also be the path to a PEM encoded CSR when specified as
   <filename>file://path/to/csr</filename>, or an exported string generated
   by <function>openssl_csr_export</function>.
   The generated certificate will be signed by <parameter>cacert</parameter>.
   If <parameter>cacert</parameter> is &null;, the generated certificate
   will be a self-signed certificate.
   <parameter>priv_key</parameter> is the private key that corresponds to
   <parameter>cacert</parameter>.
   <parameter>days</parameter> specifies the length of time for which the
   generated certificate will be valid, in days.
   You can fine-tune the CSR signing with <parameter>configargs</parameter>.
   See <function>openssl_csr_new</function> for more information about
   <parameter>configargs</parameter>.
   Since PHP 4.3.3 you can specify the serial number of the issued
   certificate with <parameter>serial</parameter>. In earlier versions, it
   was always 0.
  </para>
  <para>
   Returns an x509 certificate resource on success, &false; on failure.
  </para>
  &reference.openssl.note-openssl-cnf;
  <para>
   <example>
    <title><function>openssl_csr_sign</function> example - signing a CSR (how to implement your own CA)</title>
    <programlisting role="php">
<![CDATA[
<?php
// Let's assume that this script is set to receive a CSR that has
// been pasted into a textarea from another page
$csrdata = $_POST["CSR"];

// We will sign the request using our own "certificate authority"
// certificate. You can use any certificate to sign another, but
// the process is worthless unless the signing certificate is trusted
// by the software/users that will deal with the newly signed certificate

// We need our CA cert and its private key
$cacert = "file://path/to/ca.crt";
$privkey = array("file://path/to/ca.key", "your_ca_key_passphrase");

$usercert = openssl_csr_sign($csrdata, $cacert, $privkey, 365);

if ($usercert !== false) {
    // Now display the generated certificate so that the user can
    // copy and paste it into their local configuration (such as a file
    // to hold the certificate for their SSL server)
    openssl_x509_export($usercert, $certout);
    echo $certout;
}

// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>
]]>
    </programlisting>
   </example>
  </para>
 </refsect1>
</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->
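<!--
Added example, not part of the original manual page or of the PHP project's own code: the CA script above signs whatever CSR arrives in the POST body, so this sketch inspects the subject and public key first and then signs with an explicit digest and a non-zero serial. The function name sign_csr_checked, the size limit, the host name policy, the 2048-bit floor and the usr_cert section name (as found in a stock openssl.cnf) are assumptions, and it presumes a PHP version that provides openssl_csr_get_subject, openssl_csr_get_public_key and random_int.

```php
<?php
// Added example: policy checks on an untrusted CSR before the CA signs it.
// Assumptions: function name, limits, paths and passphrase are placeholders.
function sign_csr_checked($csrPem, $caCert, $caKey, $days)
{
    // Refuse non-string or oversized input before handing it to the parser.
    if (!is_string($csrPem) || strlen($csrPem) > 16384) {
        return false;
    }
    // Parse the subject; false means the input is not a usable CSR.
    $subject = openssl_csr_get_subject($csrPem, true);
    if ($subject === false || empty($subject['CN']) || !is_string($subject['CN'])) {
        return false;
    }
    // Local policy (assumed): plain host names only, so no wildcards.
    if (!preg_match('/^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?$/i', $subject['CN'])) {
        return false;
    }
    // Inspect the requester's public key and reject short RSA keys.
    $pub = openssl_csr_get_public_key($csrPem);
    $details = ($pub === false) ? false : openssl_pkey_get_details($pub);
    if ($details === false
        || ($details['type'] === OPENSSL_KEYTYPE_RSA && $details['bits'] < 2048)) {
        return false;
    }
    // Sign with an explicit digest, the end-entity extension section
    // (assumed to exist in openssl.cnf) and a random serial instead of 0.
    $config = array('digest_alg' => 'sha256', 'x509_extensions' => 'usr_cert');
    $serial = random_int(1, PHP_INT_MAX);
    $cert = openssl_csr_sign($csrPem, $caCert, $caKey, $days, $config, $serial);
    if ($cert === false) {
        return false;
    }
    return openssl_x509_export($cert, $pem) ? $pem : false;
}

// Usage with the same placeholder CA paths as the manual's example.
$csr = isset($_POST["CSR"]) ? $_POST["CSR"] : "";
$out = sign_csr_checked($csr, "file://path/to/ca.crt",
    array("file://path/to/ca.key", "your_ca_key_passphrase"), 365);
echo ($out === false) ? "CSR rejected\n" : $out;
```
-->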