xref: /freebsd/crypto/openssl/doc/man3/X509_sign.pod (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1=pod
2
3=head1 NAME
4
5X509_sign, X509_sign_ctx,
6X509_REQ_sign, X509_REQ_sign_ctx,
7X509_CRL_sign, X509_CRL_sign_ctx -
8sign certificate, certificate request, or CRL signature
9
10=head1 SYNOPSIS
11
12 #include <openssl/x509.h>
13
14 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
15 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
16
17 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
18 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
19
20 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
21 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
22
23=head1 DESCRIPTION
24
25X509_sign() signs certificate I<x> using private key I<pkey> and message
26digest I<md> and sets the signature in I<x>. X509_sign_ctx() also signs
27certificate I<x> but uses the parameters contained in digest context I<ctx>.
28
29X509_REQ_sign(), X509_REQ_sign_ctx(),
30X509_CRL_sign(), and X509_CRL_sign_ctx()
31sign certificate requests and CRLs, respectively.
32
33=head1 NOTES
34
35X509_sign_ctx() is used where the default parameters for the corresponding
36public key and digest are not suitable. It can be used to sign keys using
37RSA-PSS for example.
38
39For efficiency reasons and to work around ASN.1 encoding issues the encoding
40of the signed portion of a certificate, certificate request and CRL is cached
41internally. If the signed portion of the structure is modified the encoding
42is not always updated meaning a stale version is sometimes used. This is not
43normally a problem because modifying the signed portion will invalidate the
44signature and signing will always update the encoding.
45
46=head1 RETURN VALUES
47
48All functions return the size of the signature
49in bytes for success and zero for failure.
50
51=head1 SEE ALSO
52
53L<ERR_get_error(3)>,
54L<X509_NAME_add_entry_by_txt(3)>,
55L<X509_new(3)>,
56L<X509_verify_cert(3)>,
57L<X509_verify(3)>,
58L<X509_REQ_verify_ex(3)>, L<X509_REQ_verify(3)>,
59L<X509_CRL_verify(3)>
60
61=head1 HISTORY
62
63The X509_sign(), X509_REQ_sign() and X509_CRL_sign() functions are
64available in all versions of OpenSSL.
65
66The X509_sign_ctx(), X509_REQ_sign_ctx()
67and X509_CRL_sign_ctx() functions were added in OpenSSL 1.0.1.
68
69=head1 COPYRIGHT
70
71Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
72
73Licensed under the Apache License 2.0 (the "License").  You may not use
74this file except in compliance with the License.  You can obtain a copy
75in the file LICENSE in the source distribution or at
76L<https://www.openssl.org/source/license.html>.
77
78=cut
79