<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Sign a CSR with another certificate (or itself) and generate a certificate</title> </head> <body><div id="function.openssl-csr-sign" class="refentry"> <div class="refnamediv"> <h1 class="refname">openssl_csr_sign</h1> <p class="verinfo">(PHP 4 >= 4.2.0, PHP 5)</p><p class="refpurpose"><span class="refname">openssl_csr_sign</span> — <span class="dc-title">Sign a CSR with another certificate (or itself) and generate a certificate</span></p> </div> <div class="refsect1 description" id="refsect1-function.openssl-csr-sign-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">resource</span> <span class="methodname"><strong>openssl_csr_sign</strong></span> ( <span class="methodparam"><span class="type"><a href="language.pseudo-types.html#language.types.mixed" class="type mixed">mixed</a></span> <code class="parameter">$csr</code></span> , <span class="methodparam"><span class="type"><a href="language.pseudo-types.html#language.types.mixed" class="type mixed">mixed</a></span> <code class="parameter">$cacert</code></span> , <span class="methodparam"><span class="type"><a href="language.pseudo-types.html#language.types.mixed" class="type mixed">mixed</a></span> <code class="parameter">$priv_key</code></span> , <span class="methodparam"><span class="type">int</span> <code 
class="parameter">$days</code></span> [, <span class="methodparam"><span class="type">array</span> <code class="parameter">$configargs</code></span> [, <span class="methodparam"><span class="type">int</span> <code class="parameter">$serial</code><span class="initializer"> = 0</span></span> ]] )</div> <p class="para rdfs-comment"> <span class="function"><strong>openssl_csr_sign()</strong></span> generates an x509 certificate resource from the given CSR. </p> <blockquote class="note"><p><strong class="note">Note</strong>: <span class="simpara"> You need to have a valid <var class="filename">openssl.cnf</var> installed for this function to operate correctly. See the notes under <a href="openssl.installation.html" class="link">the installation section</a> for more information. </span> </p></blockquote> </div> <div class="refsect1 parameters" id="refsect1-function.openssl-csr-sign-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <span class="term"><em><code class="parameter">csr</code></em></span> <dd> <p class="para"> A CSR previously generated by <span class="function"><a href="function.openssl-csr-new.html" class="function">openssl_csr_new()</a></span>. It can also be the path to a PEM encoded CSR when specified as <var class="filename">file://path/to/csr</var> or an exported string generated by <span class="function"><a href="function.openssl-csr-export.html" class="function">openssl_csr_export()</a></span>. </p> </dd> </dt> <dt> <span class="term"><em><code class="parameter">cacert</code></em></span> <dd> <p class="para"> The generated certificate will be signed by <em><code class="parameter">cacert</code></em>. If <em><code class="parameter">cacert</code></em> is <strong><code>NULL</code></strong>, the generated certificate will be a self-signed certificate. 
</p> </dd> </dt> <dt> <span class="term"><em><code class="parameter">priv_key</code></em></span> <dd> <p class="para"> <em><code class="parameter">priv_key</code></em> is the private key that corresponds to <em><code class="parameter">cacert</code></em>. </p> </dd> </dt> <dt> <span class="term"><em><code class="parameter">days</code></em></span> <dd> <p class="para"> <em><code class="parameter">days</code></em> specifies the length of time for which the generated certificate will be valid, in days. </p> </dd> </dt> <dt> <span class="term"><em><code class="parameter">configargs</code></em></span> <dd> <p class="para"> You can fine-tune the CSR signing with <em><code class="parameter">configargs</code></em>. See <span class="function"><a href="function.openssl-csr-new.html" class="function">openssl_csr_new()</a></span> for more information about <em><code class="parameter">configargs</code></em>. </p> </dd> </dt> <dt> <span class="term"><em><code class="parameter">serial</code></em></span> <dd> <p class="para"> An optional serial number for the issued certificate. If not specified, it defaults to 0. </p> </dd> </dt> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.openssl-csr-sign-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns an x509 certificate resource on success, <strong><code>FALSE</code></strong> on failure. </p> </div> <div class="refsect1 changelog" id="refsect1-function.openssl-csr-sign-changelog"> <h3 class="title">Changelog</h3> <p class="para"> <table class="doctable informaltable"> <thead> <tr> <th>Version</th> <th>Description</th> </tr> </thead> <tbody class="tbody"> <tr> <td>4.3.3</td> <td> The <em><code class="parameter">serial</code></em> parameter was added. 
</td> </tr> </tbody> </table> </p> </div> <div class="refsect1 examples" id="refsect1-function.openssl-csr-sign-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-860"> <p><strong>Example #1 <span class="function"><strong>openssl_csr_sign()</strong></span> example - signing a CSR (how to implement your own CA)</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB">&lt;?php<br /></span><span style="color: #FF8000">// Let's assume that this script is set to receive a CSR that has<br />// been pasted into a textarea from another page<br /></span><span style="color: #0000BB">$csrdata </span><span style="color: #007700">= </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">"CSR"</span><span style="color: #007700">];<br /><br /></span><span style="color: #FF8000">// We will sign the request using our own "certificate authority"<br />// certificate. 
You can use any certificate to sign another, but<br />// the process is worthless unless the signing certificate is trusted<br />// by the software/users that will deal with the newly signed certificate<br /><br />// We need our CA cert and its private key<br /></span><span style="color: #0000BB">$cacert </span><span style="color: #007700">= </span><span style="color: #DD0000">"file://path/to/ca.crt"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$privkey </span><span style="color: #007700">= array(</span><span style="color: #DD0000">"file://path/to/ca.key"</span><span style="color: #007700">, </span><span style="color: #DD0000">"your_ca_key_passphrase"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$usercert </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_csr_sign</span><span style="color: #007700">(</span><span style="color: #0000BB">$csrdata</span><span style="color: #007700">, </span><span style="color: #0000BB">$cacert</span><span style="color: #007700">, </span><span style="color: #0000BB">$privkey</span><span style="color: #007700">, </span><span style="color: #0000BB">365</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// Now display the generated certificate so that the user can<br />// copy and paste it into their local configuration (such as a file<br />// to hold the certificate for their SSL server)<br /></span><span style="color: #0000BB">openssl_x509_export</span><span style="color: #007700">(</span><span style="color: #0000BB">$usercert</span><span style="color: #007700">, </span><span style="color: #0000BB">$certout</span><span style="color: #007700">);<br />echo </span><span style="color: #0000BB">$certout</span><span style="color: #007700">;<br /><br /></span><span style="color: #FF8000">// Show any errors that occurred here<br /></span><span style="color: #007700">while ((</span><span style="color: 
#0000BB">$e </span><span style="color: #007700">= </span><span style="color: #0000BB">openssl_error_string</span><span style="color: #007700">()) !== </span><span style="color: #0000BB">false</span><span style="color: #007700">) {<br /> echo </span><span style="color: #0000BB">$e </span><span style="color: #007700">. </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br />}<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> </p> </div> </div></body></html>
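<p class="para">Example #1 signs whatever CSR is posted, leaves <code class="parameter">serial</code> at its default of 0 and exports the result without checking for <code>FALSE</code>. The sketch below is an added example, not part of the PHP manual: it checks the requested subject and key before signing, passes an explicit digest and a random non-zero serial, and tests the result before exporting. It assumes PHP 7 or later and a valid <var class="filename">openssl.cnf</var>; <code>sign_request()</code> and the allow-list of names are hypothetical, and the CA and requests are constructed throwaway test data.</p>

```php
<?php
// Added example: assumes PHP 7+ (random_int) and a valid openssl.cnf.
// sign_request() and $allowedNames are hypothetical names for this sketch.

function sign_request(string $csrPem, $caCert, $caKey, array $allowedNames, int $days = 365)
{
    // 1. Parse the untrusted CSR and read the subject it is asking for.
    $subject = openssl_csr_get_subject($csrPem, true);
    if ($subject === false || !isset($subject['CN']) || !is_string($subject['CN'])) {
        return false;   // not a parsable CSR, or not exactly one CN
    }
    // 2. Only issue for names this requester is entitled to.
    if (!in_array($subject['CN'], $allowedNames, true)) {
        return false;
    }
    // 3. Refuse weak keys (RSA below 2048 bits).
    $pub = openssl_csr_get_public_key($csrPem);
    $details = $pub ? openssl_pkey_get_details($pub) : false;
    if (!$details || ($details['type'] === OPENSSL_KEYTYPE_RSA && $details['bits'] < 2048)) {
        return false;
    }
    // 4. Sign with an explicit digest and a random non-zero serial
    //    instead of the default serial 0.
    $cert = openssl_csr_sign($csrPem, $caCert, $caKey, $days,
        ['digest_alg' => 'sha256'], random_int(1, PHP_INT_MAX));
    // 5. Check the result before exporting it.
    if ($cert === false || !openssl_x509_export($cert, $pem)) {
        return false;
    }
    return $pem;
}

// Constructed demo data: a throwaway self-signed CA and one requester key.
$opts   = ['digest_alg' => 'sha256', 'private_key_bits' => 2048,
           'private_key_type' => OPENSSL_KEYTYPE_RSA];
$caKey  = openssl_pkey_new($opts);
$caCsr  = openssl_csr_new(['commonName' => 'Example Test CA'], $caKey, $opts);
$caCert = openssl_csr_sign($caCsr, null, $caKey, 30, $opts, random_int(1, PHP_INT_MAX));

$userKey = openssl_pkey_new($opts);
foreach (['app.example.test', 'admin.example.test'] as $name) {
    $csr = openssl_csr_new(['commonName' => $name], $userKey, $opts);
    openssl_csr_export($csr, $csrPem);
    $pem = sign_request($csrPem, $caCert, $caKey, ['app.example.test']);
    echo $name, ': ', $pem === false ? "refused\n" : "issued\n";
}
```

<p class="para">A random serial only makes collisions unlikely; a CA that must guarantee unique serials should also record each issued value and reject duplicates.</p>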