diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index f3410b6..f964518 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -560,24 +560,29 @@ ossl_debug_set(VALUE self, VALUE val)
  * cert.public_key = key.public_key
  * cert.subject = name
  *
  * === Certificate Extensions
  *
  * You can add extensions to the certificate with
  * OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate.
  *
  * extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
  *
- * extension_factory.create_extension 'basicConstraints', 'CA:FALSE'
- * extension_factory.create_extension 'keyUsage',
- * 'keyEncipherment,dataEncipherment,digitalSignature'
- * extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
+ * cert.add_extension(extension_factory.create_extension
+ * 'basicConstraints', 'CA:FALSE')
+ * cert.add_extension(extension_factory.create_extension
+ * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
+ * cert.add_extension(extension_factory.create_extension
+ * 'subjectKeyIdentifier', 'hash')
+ *
+ * The list of supported extensions (and in some cases their possible values)
+ * can be derived from the "objects.h" file in the OpenSSL source code.
  *
  * === Signing a Certificate
  *
  * To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign
  * with a digest algorithm. This creates a self-signed cert because we're using
  * the same name and key to sign the certificate as was used to create the
  * certificate.
  *
  * cert.issuer = name
  * cert.sign key, OpenSSL::Digest::SHA1.new
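Review bot: The new paragraph at the end of the added block sends readers to "objects.h" for the list of supported extensions, but that header enumerates every OID/NID OpenSSL knows about, not which of them the extension factory can build from a string nor the value syntax it accepts. As far as I can tell create_extension goes through OpenSSL's X509V3 config parser, so the x509v3_config(5) manual page is the accurate reference for both; I would reword the two lines to `* The list of supported extensions and the syntax of their values is` / `* documented in the x509v3_config(5) manual page shipped with OpenSSL.` While touching this block, the context line above the example still names `OpenSSL::SSL::ExtensionFactory`, which does not match the `OpenSSL::X509::ExtensionFactory` the example itself uses.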
@@ -631,30 +636,33 @@ ossl_debug_set(VALUE self, VALUE val)
  * ca_cert.not_after = Time.now + 86400
  *
  * ca_cert.public_key = ca_key.public_key
  * ca_cert.subject = ca_name
  * ca_cert.issuer = ca_name
  *
  * extension_factory = OpenSSL::X509::ExtensionFactory.new
  * extension_factory.subject_certificate = ca_cert
  * extension_factory.issuer_certificate = ca_cert
  *
- * extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
+ * ca_cert.add_extension(extension_factory.create_extension
+ * 'subjectKeyIdentifier', 'hash'
  *
  * This extension indicates the CA's key may be used as a CA.
  *
- * extension_factory.create_extension 'basicConstraints', 'CA:TRUE', true
+ * ca_cert.add_extension(extension_factory.create_extension
+ * 'basicConstraints', 'CA:TRUE', true
  *
  * This extension indicates the CA's key may be used to verify signatures on
  * both certificates and certificate revocations.
  *
- * extension_factory.create_extension 'keyUsage', 'cRLSign,keyCertSign', true
+ * ca_cert.add_extension(extension_factory.create_extension
+ * 'keyUsage', 'cRLSign,keyCertSign', true
  *
  * Root CA certificates are self-signed.
  *
  * ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new
  *
  * The CA certificate is saved to disk so it may be distributed to all the
  * users of the keys this CA will sign.
  *
  * open 'ca_cert.pem', 'w' do |io|
  * io.write ca_cert.to_pem
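Review bot: All three `ca_cert.add_extension(` examples added in this hunk open a parenthesis that is never closed, so the CA example no longer parses as Ruby when someone copies it, whereas the equivalent examples in the other two hunks do close it. Append `)` to the lines ending `'subjectKeyIdentifier', 'hash'`, `'basicConstraints', 'CA:TRUE', true` and `'keyUsage', 'cRLSign,keyCertSign', true`. Since the trailing `true` is what marks basicConstraints and keyUsage as critical on the CA certificate, it is worth keeping those arguments visible when the lines are fixed rather than reflowing them away.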
@@ -696,24 +704,26 @@ ossl_debug_set(VALUE self, VALUE val)
  * csr_cert.not_after = Time.now + 600
  *
  * csr_cert.subject = csr.subject
  * csr_cert.public_key = csr.public_key
  * csr_cert.issuer = ca_cert.subject
  *
  * extension_factory = OpenSSL::X509::ExtensionFactory.new
  * extension_factory.subject_certificate = csr_cert
  * extension_factory.issuer_certificate = ca_cert
  *
- * extension_factory.create_extension 'basicConstraints', 'CA:FALSE'
- * extension_factory.create_extension 'keyUsage',
- * 'keyEncipherment,dataEncipherment,digitalSignature'
- * extension_factory.create_extension 'subjectKeyIdentifier', 'hash'
+ * csr_cert.add_extension(extension_factory.create_extension
+ * 'basicConstraints', 'CA:FALSE')
+ * csr_cert.add_extension(extension_factory.create_extension
+ * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
+ * csr_cert.add_extension(extension_factory.create_extension
+ * 'subjectKeyIdentifier', 'hash')
  *
  * csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new
  *
  * open 'csr_cert.pem', 'w' do |io|
  * io.write csr_cert.to_pem
  * end
  *
  * == SSL and TLS Connections
  *
  * Using our created key and certificate we can create an SSL or TLS connection.