Ruby Generate Self-Signed Certificate

Question

Ruby Generate Self-Signed Certificate

I am trying to create a self-signed certificate in ruby, but I have problems. Here is what I mean right now:

require 'openssl' if ARGV.length != 3 then puts "USAGE: #{__FILE__} <type[der|pem]> <private-out> <public-out>" exit end type = ARGV[0].downcase privateKeyFile = ARGV[1] publicKeyFile = ARGV[2] values = [{ 'C' => 'US'}, {'ST' => 'SomeState'}, { 'L' => 'SomeCity'}, { 'O' => 'Organization'}, {'OU' => 'Organizational Unit'}, {'CN' => "somesite.com"}] name = values.collect{ |l| l.collect { |k, v| "/#{k}=#{v}" }.join }.join key = OpenSSL::PKey::RSA.generate(1024) pub = key.public_key ca = OpenSSL::X509::Name.parse(name) cert = OpenSSL::X509::Certificate.new cert.version = 2 cert.serial = 1 cert.subject = ca cert.issuer = ca cert.public_key = pub cert.not_before = Time.now cert.not_before = Time.now + (360 * 24 * 3600) File.open(privateKeyFile + "." + type, "w") {|f| f.write key.send("to_#{type}") } File.open(publicKeyFile + "." + type, "w") {|f| f.write cert.send("to_#{type}") }

When I try to use the generated private key and certificate in apache, I get this error:

 [Thu Mar 04 10:58:44 2010] [error] Init: Unable to read server certificate from file /etc/ssl/certs/gnarly.pem [Thu Mar 04 10:58:44 2010] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Thu Mar 04 10:58:44 2010] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Here is what my certificate says:

 -----BEGIN CERTIFICATE----- <lots of stuff> -----END CERTIFICATE-----

He calls himself a certificate instead of CSR, and this is what most of the things I found on the Internet say about this apache2 error (which I may have confused CSR and CERT). I assume that I am not creating the correct type of certificate. Maybe I need to change the attributes of the serial number or version. In addition, I do not do self-signing anywhere, not what I know. I know you can do something like this:

 require "openssl" key = OpenSSL::PKey::RSA.generate(1024) signature = key.sign(OpenSSL::Digest::SHA1.new, "data to sign")

Reminder: My goal is to create a self-signed certificate in case my long question loses focus on the way.

EDIT: I think the real question is how to sign a certificate with a key

+7

ruby openssl ssl-certificate x509certificate

Markus orrelly Mar 04 '10 at 17:31

source share

3 answers

I created a helper class for this from the code that I took directly from the nickyp gist that I found in a google search. The only dependency you need is the openssl stone ( gem install openssl )

 require 'openssl' class SelfSignedCertificate def initialize @key = OpenSSL::PKey::RSA.new(1024) public_key = @key.public_key subject = "/C=BE/O=Test/OU=Test/CN=Test" @cert = OpenSSL::X509::Certificate.new @cert.subject = @cert.issuer = OpenSSL::X509::Name.parse(subject) @cert.not_before = Time.now @cert.not_after = Time.now + 365 * 24 * 60 * 60 @cert.public_key = public_key @cert.serial = 0x0 @cert.version = 2 ef = OpenSSL::X509::ExtensionFactory.new ef.subject_certificate = @cert ef.issuer_certificate = @cert @cert.extensions = [ ef.create_extension("basicConstraints","CA:TRUE", true), ef.create_extension("subjectKeyIdentifier", "hash"), # ef.create_extension("keyUsage", "cRLSign,keyCertSign", true), ] @cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") @cert.sign @key, OpenSSL::Digest::SHA1.new end def self_signed_pem @cert.to_pem end def private_key @key end end

Application:

 my_cert = SelfSignedCertificate.new puts "Private Key:\n#{my_cert.private_key}" puts "Self-signed PEM:\n#{my_cert.self_signed_pem}"

Output:

 Private Key: -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDTtjPd3X9KX9BZpXKS82tM74Bs/hXsSLgnkitrc+oR4oF5PVko NZL3j51gkX3jJRSG9tNPQC5NVR+5h7tXPxU5TAQZl6MUiV+YWuRng98GeCjP3ePp meSStsKEMUiZI8YLVWrdbIjS+Q+lZnYMffeEOAoMSaei9hR4rOX0i+9hdwIDAQAB AoGBALdAc/6sFd0zuC2Qhu7p4kvS11AAUsuWWkhuPkUhLU9TxwxBbOXgEZlVZzzK UrQFSZJVHazweeOYNgCqmx82zE+cB4YzRLqkCPUD9t1bZcgk31tV39MSrC9CDKCB inUTMKflPbHL0B+Lq24S8KfuW9bOPofhspjlV7cZCX5adFiBAkEA7KOMkiQMyq9X ZVeRzJU0LmVdjrb7UBD5NebV+KaN8O7q+W4FG0nihcNj7xt2fZnvKM4FMfRwDP3G HRUfR0alQQJBAOUIjKXYyoUsk+tLASoYLX+uPocjd7YSB9UPK2lFxqHOzekAlynF u1JWEDPOjZNtNHmsQKOp5AWTUnm33JxfQLcCQByY5zQCB0m3RuiIXKZMobG5rkTA +D4EzxkkfFdASYcEWIEsOpHBrA5ePoV23Crxn2VfAGG5GJF5WafKFa2XbAECQFL/ 5Ch+BfZ5DynnxoZAuMxakuJaYhmjMx9tHehKlw8waMKVqjJDK/1MnxaHNhtFKg0l 9U7aVH4Iw4zEqrgodMUCQQCWZEUepSGoRVs1YDtag4FKSTMGXcnI/jllJmxHQhf4 uiy/8Hb+FW49w3KO1zeq7WdXw7W7Q1uO94npYX5p535d -----END RSA PRIVATE KEY----- Signed PEM: -----BEGIN CERTIFICATE----- MIICgjCCAeugAwIBAgIBADANBgkqhkiG9w0BAQUFADA6MQswCQYDVQQGEwJCRTEN MAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDENMAsGA1UEAwwEVGVzdDAeFw0x NDA4MjEwMTI1MTZaFw0xNTA4MjEwMTI1MTZaMDoxCzAJBgNVBAYTAkJFMQ0wCwYD VQQKDARUZXN0MQ0wCwYDVQQLDARUZXN0MQ0wCwYDVQQDDARUZXN0MIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQDTtjPd3X9KX9BZpXKS82tM74Bs/hXsSLgnkitr c+oR4oF5PVkoNZL3j51gkX3jJRSG9tNPQC5NVR+5h7tXPxU5TAQZl6MUiV+YWuRn g98GeCjP3ePpmeSStsKEMUiZI8YLVWrdbIjS+Q+lZnYMffeEOAoMSaei9hR4rOX0 i+9hdwIDAQABo4GXMIGUMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNNbdqck QT/B5hdQqimtW1Wnf+fmMGIGA1UdIwRbMFmAFNNbdqckQT/B5hdQqimtW1Wnf+fm oT6kPDA6MQswCQYDVQQGEwJCRTENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVz dDENMAsGA1UEAwwEVGVzdIIBADANBgkqhkiG9w0BAQUFAAOBgQB80KzzhkXCgJ0s 1zXJXuocNDU5v0Z42ditNX9jS8pXuhHwcQbx7PVfOieO3GHC5YzzgMHGR3i2U2CQ rz9hP937ERxCfqpxhfMAD3Q+3rHsdGdNIauzzFb6XoXsM7koRnM27I6qvO3bamcz AVGH5eLic9IjZTQbZizFzNoR+H2N/g== -----END CERTIFICATE-----

+4

depthfirstdesigner Aug 21 '14 at 1:31

source share

webrick/ssl has a create_self_signed_cert method that is easy to understand and use.

+1

Tsing May 03 '10 at 7:18

source share

Markus orrelly · Accepted Answer · 2010-03-05T19:39:19+0000

Since then, I have found some good sources for examples using OpenSSL:

http://snippets.dzone.com/posts/show/6309

http://projects.reductivelabs.com/projects/puppet/repository/revisions/master/entry/lib/puppet/sslcertificates.rb

http://projects.reductivelabs.com/projects/puppet/repository/revisions/master/entry/lib/puppet/sslcertificates/ca.rb

http://projects.reductivelabs.com/projects/puppet/repository/revisions/master/entry/lib/puppet/sslcertificates/certificate.rb

I still have not found good documentation for this, although I do not think it will take too much time to write that down in the examples.

I also figured out how to do what I wanted from the puppet source code. Hope this helps someone who is disappointed in the lack of OpenSSL documentation in ruby.

Ruby Generate Self-Signed Certificate

More articles: