gnutls_x509_crt_sign2 — API function


#include <gnutls/x509.h>

int gnutls_x509_crt_sign2(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, gnutls_x509_privkey_t issuer_key, gnutls_digest_algorithm_t dig, unsigned int flags);


gnutls_x509_crt_t crt

a certificate of type gnutls_x509_crt_t

gnutls_x509_crt_t issuer

is the certificate of the certificate issuer

gnutls_x509_privkey_t issuer_key

holds the issuer's private key

gnutls_digest_algorithm_t dig

The message digest to use; GNUTLS_DIG_SHA256 is a safe choice

unsigned int flags

must be 0


This function will sign the certificate with the issuer's private key, and will copy the issuer's information into the certificate.

This must be the last step in a certificate generation since all the previously set parameters are now signed.

A known limitation of this function is that a newly-signed certificate will not be fully functional (e.g., for signature verification) until it is exported and re-imported.

After GnuTLS 3.6.1 the value of dig may be GNUTLS_DIG_UNKNOWN, and in that case a suitable digest, reasonable for the key algorithm, will be selected.


On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Reporting Bugs

Report bugs to <>.
Home page:

See Also

The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit


3.6.9 gnutls