path: root/examples/gen_ca_cert.rb
blob: 02a041791b0e36800fcca76cd4f110ad96cf13e6 (plain)
#!/usr/bin/env ruby

require 'openssl'

include OpenSSL

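# Passphrase callback handed to PKey#export below (via &passwd_cb).
# OpenSSL yields +flag+ as true when the passphrase is about to be used for
# encryption -- in that case it is asked for twice and the two entries must
# match -- and false when it is used for decryption.
# Returns the passphrase String; raises RuntimeError if stdin is exhausted
# before a line is read or if the verification entry differs.
passwd_cb = proc do |flag|
  print "Enter password: "
  pass = $stdin.gets
  # gets returns nil at EOF; fail with a clear message instead of NoMethodError.
  raise "no passphrase read from stdin." if pass.nil?
  # chomp (not chop!) so a final line without a newline keeps its last char
  # and a CRLF line ending is stripped as a unit.
  pass = pass.chomp

  if flag
    print "Verify password: "
    pass2 = $stdin.gets
    raise "no passphrase read from stdin." if pass2.nil?
    raise "verify failed." if pass != pass2.chomp
  end
  pass
end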

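$stdout.sync = true

print "Generating CA key: "
# The block prints a dot each time the key-generation progress callback fires.
key = PKey::RSA.new(2048) { putc "." }
putc "\n"

cert = X509::Certificate.new
name = [['C', 'CZ'], ['O', 'Ruby'], ['CN', 'RubyCA']]
# A root CA is self-signed, so subject and issuer carry the same name.
cert.subject = cert.issuer = X509::Name.new(name)
now = Time.now
cert.not_before = now
cert.not_after = now + 2 * 365 * 24 * 60 * 60 # two years
cert.public_key = key
# NOTE: RFC 5280 requires a positive serial number; 0 is kept here only
# because the output file names below are derived from it.  A real CA must
# assign a unique positive (preferably random) serial to every certificate.
cert.serial = 0
cert.version = 2 # X509v3

# CA extensions: the key may only sign certificates and CRLs.  basicConstraints
# and keyUsage are marked critical so relying parties must honour them.
key_usage = %w[cRLSign keyCertSign]
ef = X509::ExtensionFactory.new
ef.subject_certificate = cert
ext = [
  ef.create_extension("basicConstraints", "CA:TRUE", true),
  ef.create_extension("keyUsage", key_usage.join(","), true),
  ef.create_extension("nsComment", "Generated by OpenSSL for Ruby."),
  ef.create_extension("subjectKeyIdentifier", "hash")
]
cert.extensions = ext
# authorityKeyIdentifier is derived from the issuer's subjectKeyIdentifier, so
# it can only be built after that extension is on the certificate.
ef.issuer_certificate = cert
ext_auth_key_id =
  ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
cert.add_extension(ext_auth_key_id)
# SHA-1 certificate signatures are rejected by modern verifiers; use SHA-256.
cert.sign(key, OpenSSL::Digest.new('SHA256'))

cert_file = "./#{cert.serial}cert.pem"
puts "Writing #{cert_file}."
File.open(cert_file, "w") do |f|
  f.write cert.to_pem
end

# Unencrypted private key: created owner-read-only (mode applies only when the
# file is created and is subject to umask).
key_plain_file = "./#{cert.serial}key-plain.pem"
puts "Writing #{key_plain_file}."
File.open(key_plain_file, "w", 0400) do |f|
  f << key.to_pem
end

# Passphrase-protected copy of the key.  AES-256-CBC replaces 3DES, which is
# deprecated; the file is still created owner-only because the passphrase is
# its only other protection.
key_file = "./#{cert.serial}key.pem"
puts "Writing #{key_file}."
File.open(key_file, "w", 0600) do |f|
  f << key.export(OpenSSL::Cipher.new('AES-256-CBC'), &passwd_cb)
end

puts "DONE. (Generated certificate for '#{cert.subject}')"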