Project

General

Profile

Download (4.24 KB)

Backport #7551 » fix-etension-factory-docs.diff

Patch v2 (fix some missing brackets) - richard.bradley (Richard Bradley), 12/13/2012 01:06 AM

View differences:

ext/openssl/ossl.c
* cert.public_key = key.public_key
* cert.subject = name
*
* === Certificate Extensions
*
* You can add extensions to the certificate with
* OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate.
*
* extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
*
* extension_factory.create_extension 'basicConstraints', 'CA:FALSE'
* extension_factory.create_extension 'keyUsage',
* 'keyEncipherment,dataEncipherment,digitalSignature'
* extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
* cert.add_extension(extension_factory.create_extension
* 'basicConstraints', 'CA:FALSE')
* cert.add_extension(extension_factory.create_extension
* 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
* cert.add_extension(extension_factory.create_extension
* 'subjectKeyIdentifier', 'hash')
*
* The list of supported extensions (and in some cases their possible values)
* can be derived from the "objects.h" file in the OpenSSL source code.
*
* === Signing a Certificate
*
* To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign
* with a digest algorithm. This creates a self-signed cert because we're using
* the same name and key to sign the certificate as was used to create the
* certificate.
*
* cert.issuer = name
* cert.sign key, OpenSSL::Digest::SHA1.new
......
* ca_cert.not_after = Time.now + 86400
*
* ca_cert.public_key = ca_key.public_key
* ca_cert.subject = ca_name
* ca_cert.issuer = ca_name
*
* extension_factory = OpenSSL::X509::ExtensionFactory.new
* extension_factory.subject_certificate = ca_cert
* extension_factory.issuer_certificate = ca_cert
*
* extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
* ca_cert.add_extension(extension_factory.create_extension
* 'subjectKeyIdentifier', 'hash')
*
* This extension indicates the CA's key may be used as a CA.
*
* extension_factory.create_extension 'basicConstraints', 'CA:TRUE', true
* ca_cert.add_extension(extension_factory.create_extension
* 'basicConstraints', 'CA:TRUE', true)
*
* This extension indicates the CA's key may be used to verify signatures on
* both certificates and certificate revocations.
*
* extension_factory.create_extension 'keyUsage', 'cRLSign,keyCertSign', true
* ca_cert.add_extension(extension_factory.create_extension
* 'keyUsage', 'cRLSign,keyCertSign', true)
*
* Root CA certificates are self-signed.
*
* ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
*
* The CA certificate is saved to disk so it may be distributed to all the
* users of the keys this CA will sign.
*
* open 'ca_cert.pem', 'w' do |io|
* io.write ca_cert.to_pem
......
* csr_cert.not_after = Time.now + 600
*
* csr_cert.subject = csr.subject
* csr_cert.public_key = csr.public_key
* csr_cert.issuer = ca_cert.subject
*
* extension_factory = OpenSSL::X509::ExtensionFactory.new
* extension_factory.subject_certificate = csr_cert
* extension_factory.issuer_certificate = ca_cert
*
* extension_factory.create_extension 'basicConstraints', 'CA:FALSE'
* extension_factory.create_extension 'keyUsage',
* 'keyEncipherment,dataEncipherment,digitalSignature'
* extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
* csr_cert.add_extension(extension_factory.create_extension
* 'basicConstraints', 'CA:FALSE')
* csr_cert.add_extension(extension_factory.create_extension
* 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
* csr_cert.add_extension(extension_factory.create_extension
* 'subjectKeyIdentifier', 'hash')
*
* csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
*
* open 'csr_cert.pem', 'w' do |io|
* io.write csr_cert.to_pem
* end
*
* == SSL and TLS Connections
*
* Using our created key and certificate we can create an SSL or TLS connection.
(2-2/2)