<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.openssl-csr-sign">
 <refnamediv>
  <refname>openssl_csr_sign</refname>
  <refpurpose>Sign a CSR with another certificate (or itself) and generate a certificate</refpurpose>
 </refnamediv>
 <refsect1 role="description">
  &reftitle.description;
  <methodsynopsis>
   <type>resource</type><methodname>openssl_csr_sign</methodname>
   <methodparam><type>mixed</type><parameter>csr</parameter></methodparam>
   <methodparam><type>mixed</type><parameter>cacert</parameter></methodparam>
   <methodparam><type>mixed</type><parameter>priv_key</parameter></methodparam>
   <methodparam><type>int</type><parameter>days</parameter></methodparam>
   <methodparam choice="opt"><type>array</type><parameter>configargs</parameter></methodparam>
   <methodparam choice="opt"><type>int</type><parameter>serial</parameter><initializer>0</initializer></methodparam>
  </methodsynopsis>
  <para>
   <function>openssl_csr_sign</function> generates an x509 certificate
   resource from the given CSR.
  </para>
  &note.openssl.cnf;
 </refsect1>
 <refsect1 role="parameters">
  &reftitle.parameters;
  <para>
   <variablelist>
    <varlistentry>
     <term><parameter>csr</parameter></term>
     <listitem>
      <para>
       A CSR previously generated by <function>openssl_csr_new</function>.
       It can also be the path to a PEM encoded CSR when specified as
       <filename>file://path/to/csr</filename> or an exported string generated
       by <function>openssl_csr_export</function>.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>cacert</parameter></term>
     <listitem>
      <para>
       The generated certificate will be signed by <parameter>cacert</parameter>.
       If <parameter>cacert</parameter> is &null;, the generated certificate
       will be a self-signed certificate.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>priv_key</parameter></term>
     <listitem>
      <para>
       <parameter>priv_key</parameter> is the private key that corresponds to
       <parameter>cacert</parameter>.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>days</parameter></term>
     <listitem>
      <para>
       <parameter>days</parameter> specifies the length of time for which the
       generated certificate will be valid, in days.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>configargs</parameter></term>
     <listitem>
      <para>
       You can fine-tune the CSR signing with <parameter>configargs</parameter>.
       See <function>openssl_csr_new</function> for more information about
       <parameter>configargs</parameter>.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>serial</parameter></term>
     <listitem>
      <para>
       The optional serial number of the issued certificate. If not specified,
       it defaults to 0.
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
  </para>
 </refsect1>
 <refsect1 role="returnvalues">
  &reftitle.returnvalues;
  <para>
   Returns an x509 certificate resource on success, &false; on failure.
  </para>
 </refsect1>
 <refsect1 role="examples">
  &reftitle.examples;
  <para>
   <example>
    <title><function>openssl_csr_sign</function> example - signing a CSR (how to implement your own CA)</title>
    <programlisting role="php">
<![CDATA[
<?php
// Let's assume that this script is set to receive a CSR that has
// been pasted into a textarea from another page
$csrdata = $_POST["CSR"];

// We will sign the request using our own "certificate authority"
// certificate. You can use any certificate to sign another, but
// the process is worthless unless the signing certificate is trusted
// by the software/users that will deal with the newly signed certificate

// We need our CA cert and its private key
$cacert = "file://path/to/ca.crt";
$privkey = array("file://path/to/ca.key", "your_ca_key_passphrase");

$usercert = openssl_csr_sign($csrdata, $cacert, $privkey, 365, array('digest_alg'=>'sha256') );

// openssl_csr_sign() returns false on failure, so only export the
// certificate when signing succeeded
if ($usercert !== false) {
    // Now display the generated certificate so that the user can
    // copy and paste it into their local configuration (such as a file
    // to hold the certificate for their SSL server)
    openssl_x509_export($usercert, $certout);
    echo $certout;
}

// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>
]]>
    </programlisting>
   </example>
  </para>
 </refsect1>
</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->