Backport #7551 » fix-etension-factory-docs.diff
ext/openssl/ossl.c | ||
---|---|---|
* cert.public_key = key.public_key
|
||
* cert.subject = name
|
||
*
|
||
* === Certificate Extensions
|
||
*
|
||
* You can add extensions to the certificate with
|
||
* OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate.
|
||
*
|
||
* extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
|
||
*
|
||
* extension_factory.create_extension 'basicConstraints', 'CA:FALSE'
|
||
* extension_factory.create_extension 'keyUsage',
|
||
* 'keyEncipherment,dataEncipherment,digitalSignature'
|
||
* extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
|
||
* cert.add_extension(extension_factory.create_extension
|
||
* 'basicConstraints', 'CA:FALSE')
|
||
* cert.add_extension(extension_factory.create_extension
|
||
* 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
|
||
* cert.add_extension(extension_factory.create_extension
|
||
* 'subjectKeyIdentifier', 'hash')
|
||
*
|
||
* The list of supported extensions (and in some cases their possible values)
|
||
* can be derived from the "objects.h" file in the OpenSSL source code.
|
||
*
|
||
* === Signing a Certificate
|
||
*
|
||
* To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign
|
||
* with a digest algorithm. This creates a self-signed cert because we're using
|
||
* the same name and key to sign the certificate as was used to create the
|
||
* certificate.
|
||
*
|
||
* cert.issuer = name
|
||
* cert.sign key, OpenSSL::Digest::SHA1.new
|
||
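Review bot: The prose opening the Certificate Extensions section names `OpenSSL::SSL::ExtensionFactory`, while the example code a few lines below (and the class that actually exists) is `OpenSSL::X509::ExtensionFactory`; the line should read `* OpenSSL::X509::ExtensionFactory to indicate the purpose of the certificate.`, and since this patch is already correcting the ExtensionFactory examples it is the natural place to fix the name as well. Whether that line is one the patch touches cannot be told from the rendered view, which has lost its old/new markers. Separately, the signing example at the end of this hunk, `cert.sign key, OpenSSL::Digest::SHA1.new`, and the matching lines in the two later hunks (`ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new`, `csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new`) use SHA-1 as the certificate signature digest; SHA-1 signatures are no longer acceptable to modern verifiers, and readers copy these snippets verbatim, so `OpenSSL::Digest::SHA256.new` would be the safer example to show.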
... | ... | |
* ca_cert.not_after = Time.now + 86400
|
||
*
|
||
* ca_cert.public_key = ca_key.public_key
|
||
* ca_cert.subject = ca_name
|
||
* ca_cert.issuer = ca_name
|
||
*
|
||
* extension_factory = OpenSSL::X509::ExtensionFactory.new
|
||
* extension_factory.subject_certificate = ca_cert
|
||
* extension_factory.issuer_certificate = ca_cert
|
||
*
|
||
* extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
|
||
* ca_cert.add_extension(extension_factory.create_extension
|
||
* 'subjectKeyIdentifier', 'hash')
|
||
*
|
||
* This extension indicates the CA's key may be used as a CA.
|
||
*
|
||
* extension_factory.create_extension 'basicConstraints', 'CA:TRUE', true
|
||
* ca_cert.add_extension(extension_factory.create_extension
|
||
* 'basicConstraints', 'CA:TRUE', true)
|
||
*
|
||
* This extension indicates the CA's key may be used to verify signatures on
|
||
* both certificates and certificate revocations.
|
||
*
|
||
* extension_factory.create_extension 'keyUsage', 'cRLSign,keyCertSign', true
|
||
* ca_cert.add_extension(extension_factory.create_extension
|
||
* 'keyUsage', 'cRLSign,keyCertSign', true)
|
||
*
|
||
* Root CA certificates are self-signed.
|
||
*
|
||
* ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
|
||
*
|
||
* The CA certificate is saved to disk so it may be distributed to all the
|
||
* users of the keys this CA will sign.
|
||
*
|
||
* open 'ca_cert.pem', 'w' do |io|
|
||
* io.write ca_cert.to_pem
|
||
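Review bot: The sentence introducing the basicConstraints example, `This extension indicates the CA's key may be used as a CA.`, is awkward — a key is not used "as a CA"; `This extension marks the certificate as a CA certificate, i.e. one whose key may sign other certificates.` states what `basicConstraints CA:TRUE` actually asserts. The factory in this hunk is given both `subject_certificate` and `issuer_certificate`, which is what the later `subjectKeyIdentifier`/`hash` extension relies on, so a short comment saying that the factory reads the subject certificate's public key to compute the identifier would help readers who copy only part of the example. The `open 'ca_cert.pem', 'w' do |io|` block at the end of the hunk continues past it, so its closing `end` is not visible here.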
... | ... | |
* csr_cert.not_after = Time.now + 600
|
||
*
|
||
* csr_cert.subject = csr.subject
|
||
* csr_cert.public_key = csr.public_key
|
||
* csr_cert.issuer = ca_cert.subject
|
||
*
|
||
* extension_factory = OpenSSL::X509::ExtensionFactory.new
|
||
* extension_factory.subject_certificate = csr_cert
|
||
* extension_factory.issuer_certificate = ca_cert
|
||
*
|
||
* extension_factory.create_extension 'basicConstraints', 'CA:FALSE'
|
||
* extension_factory.create_extension 'keyUsage',
|
||
* 'keyEncipherment,dataEncipherment,digitalSignature'
|
||
* extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
|
||
* csr_cert.add_extension(extension_factory.create_extension
|
||
* 'basicConstraints', 'CA:FALSE')
|
||
* csr_cert.add_extension(extension_factory.create_extension
|
||
* 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
|
||
* csr_cert.add_extension(extension_factory.create_extension
|
||
* 'subjectKeyIdentifier', 'hash')
|
||
*
|
||
* csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
|
||
*
|
||
* open 'csr_cert.pem', 'w' do |io|
|
||
* io.write csr_cert.to_pem
|
||
* end
|
||
*
|
||
* == SSL and TLS Connections
|
||
*
|
||
* Using our created key and certificate we can create an SSL or TLS connection.
|