Last active
August 29, 2015 14:24
-
-
Save Hexa/a8d848ba3e610c90e9b9 to your computer and use it in GitHub Desktop.
クロスルート
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # -*- coding: utf-8 -*- | |
| require 'openssl' | |
| # ルート | |
| old_root_ca_private_key = OpenSSL::PKey::RSA.new(2048) | |
| old_root_ca_cert = OpenSSL::X509::Certificate.new | |
| old_root_ca_cert.version = 2 | |
| issuer = subject = OpenSSL::X509::Name.new | |
| issuer.add_entry('CN', 'Old Root') | |
| old_root_ca_cert.issuer = issuer | |
| old_root_ca_cert.subject = subject | |
| now = Time.now | |
| old_root_ca_cert.not_before = now | |
| old_root_ca_cert.not_after = now + 7 * 24 * 60 * 60 | |
| old_root_ca_cert.serial = 1 | |
| old_root_ca_cert.public_key = old_root_ca_private_key | |
| extension_factory = OpenSSL::X509::ExtensionFactory.new | |
| old_root_ca_cert.add_extension(extension_factory.create_ext('basicConstraints', 'CA:TRUE', true)) | |
| md5 = OpenSSL::Digest::MD5.new | |
| old_root_ca_cert.sign(old_root_ca_private_key, md5) | |
| puts old_root_ca_cert.to_text | |
| File.open('old_root.pem', 'wb') do |file| | |
| file.puts old_root_ca_cert.to_text | |
| file.puts old_root_ca_cert.to_pem | |
| end | |
| File.open('old_root.key', 'wb') do |file| | |
| file.puts old_root_ca_private_key.to_pem | |
| end | |
| # 中間 | |
| ca_private_key = OpenSSL::PKey::RSA.new(2048) | |
| ca_cert = OpenSSL::X509::Certificate.new | |
| ca_cert.version = 2 | |
| subject = OpenSSL::X509::Name.new | |
| subject.add_entry('CN', 'CA') | |
| ca_cert.issuer = issuer | |
| ca_cert.subject = subject | |
| ca_cert.not_before = now | |
| ca_cert.not_after = now + 7 * 24 * 60 * 60 | |
| ca_cert.serial = 2 | |
| ca_cert.public_key = ca_private_key | |
| ca_cert.add_extension(extension_factory.create_ext('basicConstraints', 'CA:TRUE, pathlen:0', true)) | |
| sha256 = OpenSSL::Digest::SHA256.new | |
| ca_cert.sign(old_root_ca_private_key, sha256) | |
| puts ca_cert.to_text | |
| File.open('ca.pem', 'wb') do |file| | |
| file.puts ca_cert.to_text | |
| file.puts ca_cert.to_pem | |
| end | |
| File.open('ca.key', 'wb') do |file| | |
| file.puts ca_private_key.to_pem | |
| end | |
| # サーバ | |
| server_private_key = OpenSSL::PKey::RSA.new(2048) | |
| server_cert = OpenSSL::X509::Certificate.new | |
| server_cert.version = 2 | |
| server_subject = OpenSSL::X509::Name.new | |
| server_subject.add_entry('CN', 'www.example.com') | |
| server_cert.issuer = subject | |
| server_cert.subject = server_subject | |
| server_cert.not_before = now | |
| server_cert.not_after = now + 7 * 24 * 60 * 60 | |
| server_cert.serial = 3 | |
| server_cert.public_key = server_private_key | |
| server_cert.add_extension(extension_factory.create_ext('basicConstraints', 'CA:FALSE', true)) | |
| server_cert.add_extension(extension_factory.create_ext('extendedKeyUsage', 'TLS Web Server Authentication, TLS Web Client Authentication')) | |
| server_cert.add_extension(extension_factory.create_ext('keyUsage', 'Digital Signature, Key Encipherment', true)) | |
| server_cert.sign(ca_private_key, sha256) | |
| puts server_cert.to_text | |
| File.open('server.pem', 'wb') do |file| | |
| file.puts server_cert.to_text | |
| file.puts server_cert.to_pem | |
| end | |
| File.open('server.key', 'wb') do |file| | |
| file.puts server_private_key.to_pem | |
| end | |
| # 新ルート | |
| new_root_ca_private_key = OpenSSL::PKey::RSA.new(2048) | |
| new_root_ca_cert = OpenSSL::X509::Certificate.new | |
| new_root_ca_cert.version = 2 | |
| issuer = subject = OpenSSL::X509::Name.new | |
| issuer.add_entry('CN', 'New Root') | |
| new_root_ca_cert.issuer = issuer | |
| new_root_ca_cert.subject = subject | |
| new_root_ca_cert.not_before = now | |
| new_root_ca_cert.not_after = now + 7 * 24 * 60 * 60 | |
| new_root_ca_cert.serial = 1 | |
| new_root_ca_cert.public_key = new_root_ca_private_key | |
| extension_factory = OpenSSL::X509::ExtensionFactory.new | |
| new_root_ca_cert.add_extension(extension_factory.create_ext('basicConstraints', 'CA:TRUE', true)) | |
| new_root_ca_cert.sign(new_root_ca_private_key, sha256) | |
| puts new_root_ca_cert.to_text | |
| File.open('new_root.pem', 'wb') do |file| | |
| file.puts new_root_ca_cert.to_text | |
| file.puts new_root_ca_cert.to_pem | |
| end | |
| File.open('new_root.key', 'wb') do |file| | |
| file.puts new_root_ca_private_key.to_pem | |
| end | |
| # クロス | |
| cross_ca_cert = OpenSSL::X509::Certificate.new | |
| cross_ca_cert.version = 2 | |
| subject = OpenSSL::X509::Name.new | |
| subject.add_entry('CN', 'Old Root') | |
| cross_ca_cert.issuer = issuer | |
| cross_ca_cert.subject = subject | |
| cross_ca_cert.not_before = now | |
| cross_ca_cert.not_after = now + 7 * 24 * 60 * 60 | |
| cross_ca_cert.serial = 2 | |
| cross_ca_cert.public_key = old_root_ca_private_key | |
| cross_ca_cert.add_extension(extension_factory.create_ext('basicConstraints', 'CA:TRUE, pathlen:1', true)) | |
| cross_ca_cert.sign(new_root_ca_private_key, sha256) | |
| puts cross_ca_cert.to_text | |
| File.open('cross_ca.pem', 'wb') do |file| | |
| file.puts cross_ca_cert.to_text | |
| file.puts cross_ca_cert.to_pem | |
| end | |
| File.open('cross_ca.key', 'wb') do |file| | |
| file.puts old_root_ca_private_key.to_pem | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment