author | NAKAMURA Hiroshi <nahi@keynauts.com> | 2003-07-10 17:23:21 +0000 |
---|---|---|
committer | NAKAMURA Hiroshi <nahi@keynauts.com> | 2003-07-10 17:23:21 +0000 |
commit | f47dc3c5ead3661355e5fbe9b67011168476a60c (patch) | |
tree | 684a516d4cade2dcc7532a5050fc3488da021ce8 | |
parent | a4dab7032e66d6699b53c554c9242dee4173a8ba (diff) | |
* examples/ca/init_sub_ca.rb: Add a command line option for CN.
* examples/ca/gen_crl.rb: CRL issuer was wrong! Oops.
* examples/ca/gen_cert.rb: Changed keyUsage bits of each cert type.
-rw-r--r-- | ChangeLog | 5 | ||||
-rwxr-xr-x | examples/ca/gen_cert.rb | 17 | ||||
-rwxr-xr-x | examples/ca/gen_crl.rb | 2 | ||||
-rwxr-xr-x | examples/ca/init_sub_ca.rb | 4 |
4 files changed, 14 insertions, 14 deletions
@@ -1,3 +1,8 @@ +Thu, 11 Jul 2003 02:23:04 +0900 -- NAKAMURA, Hiroshi <nahi@ruby-lang.org> + * examples/ca/init_sub_ca.rb: Add a command line option for CN. + * examples/ca/gen_crl.rb: CRL issuer was wrong! Oops. + * examples/ca/gen_cert.rb: Changed keyUsage bits of each cert type. + Thu, 10 Jul 2003 12:32:56 +0200 -- Michal Rokos <m.rokos@sh.cvut.cz> * ossl.c: Prototype for sk2ary * ocsp.c: Typo in ossl_ocspbres_add_status (sk_X509_pop_free -> sk_X509_EXTENSION_pop_free) diff --git a/examples/ca/gen_cert.rb b/examples/ca/gen_cert.rb index e496f90..3d32c41 100755 --- a/examples/ca/gen_cert.rb +++ b/examples/ca/gen_cert.rb @@ -13,7 +13,7 @@ def usage exit end -getopts nil, 'type:client', 'out:', 'force', 'noakid' +getopts nil, 'type:client', 'out:', 'force' cert_type = $OPT_type out_file = $OPT_out || 'cert.pem' @@ -79,13 +79,11 @@ when "terminalsubca" key_usage << "cRLSign" << "keyCertSign" when "server" basic_constraint = "CA:FALSE" - key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment" - key_usage << "dataEncipherment" + key_usage << "digitalSignature" << "keyEncipherment" ext_key_usage << "serverAuth" when "ocsp" basic_constraint = "CA:FALSE" - key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment" - key_usage << "dataEncipherment" + key_usage << "nonRepudiation" << "digitalSignature" ext_key_usage << "serverAuth" << "OCSPSigning" when "client" basic_constraint = "CA:FALSE" 
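Review bot: In the `when "ocsp"` branch of the second gen_cert.rb hunk, the new `key_usage << "nonRepudiation" << "digitalSignature"` still grants more than a responder appears to need, and the unchanged next line keeps `serverAuth` in the extended key usage, so the responder key can also be presented as a TLS server certificate. Signing OCSP responses should only need `digitalSignature`, so I would narrow this to `key_usage << "digitalSignature"` and `ext_key_usage << "OCSPSigning"`, unless the example deliberately reuses this certificate for the responder's HTTPS endpoint, which the hunk does not show. A short comment per branch saying why each bit is set, for example `# keyEncipherment: RSA key transport for TLS` in the `server` branch, would keep later edits from widening the set again. The `case` statement starts and ends outside this hunk.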
@@ -104,13 +102,8 @@ ex << ef.create_extension("nsComment","Ruby/OpenSSL Generated Certificate") ex << ef.create_extension("subjectKeyIdentifier", "hash") #ex << ef.create_extension("nsCertType", "client,email") ex << ef.create_extension("keyUsage", key_usage.join(",")) unless key_usage.empty? -if $OPT_noakid - # For cross certification, with OpenSSL, akid seems to block to find a - # cross-cert path. RFC2510 defines this field as a 'MUST' field so use this - # option carefully. -else - ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") -end +#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") +#ex << ef.create_extension("authorityKeyIdentifier", "keyid:always") ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) unless ext_key_usage.empty? ex << ef.create_extension("crlDistributionPoints", CAConfig::CDP_LOCATION) if CAConfig::CDP_LOCATION diff --git a/examples/ca/gen_crl.rb b/examples/ca/gen_crl.rb index 04b1e1a..1e41ded 100755 --- a/examples/ca/gen_crl.rb +++ b/examples/ca/gen_crl.rb @@ -35,7 +35,7 @@ crl = if FileTest.exist?(CAConfig::CRL_FILE) X509::CRL.new end -crl.issuer = ca.issuer +crl.issuer = ca.subject crl.last_update = Time.now crl.next_update = Time.now + CAConfig::CRL_DAYS * 24 * 60 * 60 diff --git a/examples/ca/init_sub_ca.rb b/examples/ca/init_sub_ca.rb index 6cb27d3..db6137a 100755 --- a/examples/ca/init_sub_ca.rb +++ b/examples/ca/init_sub_ca.rb @@ -8,6 +8,8 @@ include OpenSSL $stdout.sync = true +cn = ARGV.shift || 'SubCA' + getopts nil, "csrout:" csrout = $OPT_csrout || "csr.pem" @@ -36,7 +38,7 @@ File.open(keypair_file, "w", 0400) do |f| f << keypair.export(Cipher::DES.new(:EDE3, :CBC), &CAConfig::PASSWD_CB) end -name = CAConfig::NAME.dup << ['CN','Sub CA'] +name = CAConfig::NAME.dup << ['CN', cn] puts "Generating CSR for #{name.inspect}" |
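Review bot: Both `authorityKeyIdentifier` lines in the third gen_cert.rb hunk are commented out, so every certificate this script issues now lacks the extension; before, that was an explicit opt-out through `noakid`, which the first gen_cert.rb hunk drops from the `getopts` call. The removed comment itself recorded that the field is a 'MUST', and without it path building has to fall back on name matching, which becomes ambiguous once a CA name is associated with more than one key (rollover, cross-certification). I would emit `ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")` by default and keep an explicit switch for the cross-certification case, with a comment stating the trade-off. The ChangeLog entry mentions only the keyUsage change, so this behaviour change is easy to miss.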
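Review bot: The corrected `crl.issuer = ca.subject` in gen_crl.rb deserves a comment, because the old `ca.issuer` yields the same DN for a self-signed root and only goes wrong for a sub-CA, which makes the mistake easy to reintroduce. Something like `# CRL issuer is the signing CA's own subject DN; ca.issuer would be the parent CA for a sub-CA` above the assignment would do. Verifiers match the CRL issuer against the issuer DN of the certificates being checked, so a wrong DN here can leave the CRL unapplied to them, depending on how the verifier treats a missing CRL. The script continues outside the hunk.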
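Review bot: In init_sub_ca.rb, `cn = ARGV.shift || 'SubCA'` runs before `getopts nil, "csrout:"`, so the first argument is taken as the CN even when it is an option; invoking the script with `--csrout` first would put that option string into the subject and leave its value as a stray argument. Parsing options first and then reading the positional argument avoids that: move the line below the `getopts` call, or make it a named option such as `'cn:SubCA'` in the style gen_cert.rb uses for `'type:client'`. The value also reaches the CSR subject unchecked, and an empty string is truthy in Ruby, so `cn = 'SubCA' if cn.nil? || cn.empty?` would keep an empty CN out of the request. The default also changes from `Sub CA` to `SubCA`, which the ChangeLog does not mention.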