-
Notifications
You must be signed in to change notification settings - Fork 102
/
openssl-csr-sign.xml
201 lines (190 loc) · 7.16 KB
/
openssl-csr-sign.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<!-- EN-Revision: 5bc68add3da3cd18c40f851e944b15095d3a26aa Maintainer: duanxiaoqiang Status: ready -->
<!-- CREDITS: mowangjuanzi, Luffy -->
<refentry xml:id="function.openssl-csr-sign" xmlns="http://docbook.org/ns/docbook">
<refnamediv>
<refname>openssl_csr_sign</refname>
<refpurpose>用另一个证书签署 <acronym>CSR</acronym>(或者本身)并且生成一个证书</refpurpose>
</refnamediv>
<refsect1 role="description">
&reftitle.description;
<methodsynopsis>
<type class="union"><type>OpenSSLCertificate</type><type>false</type></type><methodname>openssl_csr_sign</methodname>
<methodparam><type class="union"><type>OpenSSLCertificateSigningRequest</type><type>string</type></type><parameter>csr</parameter></methodparam>
<methodparam><type class="union"><type>OpenSSLCertificate</type><type>string</type><type>null</type></type><parameter>ca_certificate</parameter></methodparam>
<methodparam><modifier role="attribute">#[\SensitiveParameter]</modifier><type class="union"><type>OpenSSLAsymmetricKey</type><type>OpenSSLCertificate</type><type>array</type><type>string</type></type><parameter>private_key</parameter></methodparam>
<methodparam><type>int</type><parameter>days</parameter></methodparam>
<methodparam choice="opt"><type class="union"><type>array</type><type>null</type></type><parameter>options</parameter><initializer>&null;</initializer></methodparam>
<methodparam choice="opt"><type>int</type><parameter>serial</parameter><initializer>0</initializer></methodparam>
<methodparam choice="opt"><type class="union"><type>string</type><type>null</type></type><parameter>serial_hex</parameter><initializer>&null;</initializer></methodparam>
</methodsynopsis>
<para>
<function>openssl_csr_sign</function> 从给定的 <acronym>CSR</acronym> 生成 x509 证书。
</para>
¬e.openssl.cnf;
</refsect1>
<refsect1 role="parameters">
&reftitle.parameters;
<para>
<variablelist>
<varlistentry>
<term><parameter>csr</parameter></term>
<listitem>
<para>
由 <function>openssl_csr_new</function> 函数生成的 <acronym>CSR</acronym>。
也可以是由类似<filename>file://path/to/csr</filename>格式指定的指向 <acronym>PEM</acronym> 编码的 <acronym>CSR</acronym> 路径,或者是一个由<function>openssl_csr_export</function>函数生成的字符串。
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>ca_certificate</parameter></term>
<listitem>
<para>
生成的证书将由<parameter>ca_certificate</parameter>签名。
如果<parameter>ca_certificate</parameter> 为 &null;, 生成的证书将是自签名证书。
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>private_key</parameter></term>
<listitem>
<para>
<parameter>private_key</parameter> 是 <parameter>ca_certificate</parameter> 证书对应的私钥。
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>days</parameter></term>
<listitem>
<para>
<parameter>days</parameter> 指定生成的证书在几天内有效的时间长度。
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>options</parameter></term>
<listitem>
<para>
可以通过 <parameter>options</parameter> 确定 <acronym>CSR</acronym> 签名。
查看 <function>openssl_csr_new</function> 方法获取
<parameter>options</parameter> 的更多相关信息。
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>serial</parameter></term>
<listitem>
<para>
可选的发行证书编号。如果没有指定默认值为0.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 role="returnvalues">
&reftitle.returnvalues;
<para>
成功时返回 <classname>OpenSSLCertificate</classname>,失败则返回 &false;。
</para>
</refsect1>
<refsect1 role="changelog">
&reftitle.changelog;
<informaltable>
<tgroup cols="2">
<thead>
<row>
<entry>&Version;</entry>
<entry>&Description;</entry>
</row>
</thead>
<tbody>
<row>
<entry>8.0.0</entry>
<entry>
成功时,此函数现在返回 <classname>OpenSSLCertificate</classname>
实例;之前返回类型 <literal>OpenSSL X.509</literal> 的 &resource;。
</entry>
</row>
<row>
<entry>8.0.0</entry>
<entry>
<parameter>csr</parameter> 现在接受 <classname>OpenSSLCertificateSigningRequest</classname>
实例;之前接受类型 <literal>OpenSSL X.509 CSR</literal> 的 &resource;。
</entry>
</row>
<row>
<entry>8.0.0</entry>
<entry>
<parameter>ca_certificate</parameter> 现在接受 <classname>OpenSSLCertificate</classname>
实例;之前接受类型 <literal>OpenSSL X.509</literal> 的 &resource;。
</entry>
</row>
<row>
<entry>8.0.0</entry>
<entry>
<parameter>private_key</parameter> 现在接受 <classname>OpenSSLAsymmetricKey</classname>
或 <classname>OpenSSLCertificate</classname> 实例;之前接受类型 <literal>OpenSSL key</literal> 或
<literal>OpenSSL X.509</literal> 的 &resource;。
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</refsect1>
<refsect1 role="examples">
&reftitle.examples;
<para>
<example>
<title><function>openssl_csr_sign</function> 示例——签署 <acronym>CSR</acronym>(如何实现自己的 CA)</title>
<programlisting role="php">
<![CDATA[
<?php
// Let's assume that this script is set to receive a CSR that has
// been pasted into a textarea from another page
$csrdata = $_POST["CSR"];
// We will sign the request using our own "certificate authority"
// certificate. You can use any certificate to sign another, but
// the process is worthless unless the signing certificate is trusted
// by the software/users that will deal with the newly signed certificate
// We need our CA cert and its private key
$cacert = "file://path/to/ca.crt";
$privkey = array("file://path/to/ca.key", "your_ca_key_passphrase");
$usercert = openssl_csr_sign($csrdata, $cacert, $privkey, 365, array('digest_alg'=>'sha256') );
// Now display the generated certificate so that the user can
// copy and paste it into their local configuration (such as a file
// to hold the certificate for their SSL server)
openssl_x509_export($usercert, $certout);
echo $certout;
// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
echo $e . "\n";
}
?>
]]>
</programlisting>
</example>
</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->