Usage examples of ruby’s openssl lib
require 'openssl'
require 'date'
require 'time'
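# Usage walk-through of Ruby's OpenSSL bindings: RSA keys, X.509 certificates
# and PKCS#7 sign / encrypt / decrypt / verify.
#
# NOTE(review): several right-hand sides (constructor calls, File.read calls,
# one file name and the signing digest) were missing from the page this listing
# came from. They are restored below with standard OpenSSL APIs; every restored
# value is marked "reconstructed" so it can be checked against the author's
# original.

# Create key
# reconstructed: the key-size argument was lost; 2048 is a constructed value.
key1 = OpenSSL::PKey::RSA.new(2048)
# This PEM is the *unencrypted* private key, so the file is created readable and
# writable by the owner only (the mode applies when the file is first created).
File.open("private_key.pem", "w", 0o600) { |io| io.write(key1.to_pem) }
File.write("public_key.pem", key1.public_key.to_pem)

# Export key
# reconstructed: only the cipher name survived on the page.
cipher = OpenSSL::Cipher.new("AES-128-CBC")
# Demo value only: a pass phrase committed with the source protects nothing once
# the file is shared. Real code should take it from the operator or a secret store.
pass_phrase = "this is my secure pass phrase"
key1_secure = key1.export(cipher, pass_phrase)
# reconstructed: the file name was empty on the page; this is a placeholder.
encrypted_key_path = "PLACEHOLDER_encrypted_private_key.pem"
File.write(encrypted_key_path, key1_secure)

# Load key
# reconstructed: the RSA.new(File.read(...)) wrappers were lost.
key2 = OpenSSL::PKey::RSA.new(File.read("private_key.pem"))
key3 = OpenSSL::PKey::RSA.new(File.read("public_key.pem"))

# Load encrypted key
key4_pem = File.read(encrypted_key_path)
key4 = OpenSSL::PKey::RSA.new(key4_pem, pass_phrase)

# Create cert
name = OpenSSL::X509::Name.parse("CN=auralis/DC=topalis/DC=com")
cert = OpenSSL::X509::Certificate.new # reconstructed
cert.version = 2 # zero-based field: 2 encodes X.509 v3
# The page used serial 0. RFC 5280 expects a positive serial that is unique per
# issuer, so a random positive value is used instead.
cert.serial = OpenSSL::BN.rand(64).to_i + 1
cert.not_before = Time.now # reconstructed
cert.not_after = cert.not_before + (60 * 60 * 24 * 365)
puts "cert.not_before=#{cert.not_before}"
puts "cert.not_after=#{cert.not_after}"
cert.public_key = key1.public_key
cert.subject = name

# Sign cert
# Issuer equals subject: this certificate is self-signed.
cert.issuer = name
# reconstructed: the digest argument was lost. SHA-256 is used here; SHA-1 should
# not be used for new certificate signatures.
cert.sign(key1, OpenSSL::Digest.new("SHA256"))
File.write("certificate.pem", cert.to_pem)

# Load cert
cert2 = OpenSSL::X509::Certificate.new(File.read("certificate.pem"))

# Verify cert
# Checks only that the signature on cert2 was made with key1; it does not check
# validity dates or build a chain to a trust anchor.
puts("cert2.verify key1=#{cert2.verify key1}")

# Create CA key
ca_key = OpenSSL::PKey::RSA.new(2048) # reconstructed, constructed key size
# The CA private key only ever reaches disk in pass-phrase-encrypted form.
File.open("ca_key.pem", "w", 0o600) { |io| io.write(ca_key.export(cipher, pass_phrase)) }

# Create CA cert
ca_name = OpenSSL::X509::Name.parse("CN=ca/DC=topalis/DC=com")
ca_cert = OpenSSL::X509::Certificate.new # reconstructed
ca_cert.serial = OpenSSL::BN.rand(64).to_i + 1 # page used 0; see note on cert.serial
ca_cert.version = 2
ca_cert.not_before = Time.now # reconstructed
ca_cert.not_after = ca_cert.not_before + (60 * 60 * 24 * 365)
ca_cert.public_key = ca_key.public_key
ca_cert.subject = ca_name
ca_cert.issuer = ca_name
extension_factory = OpenSSL::X509::ExtensionFactory.new # reconstructed
extension_factory.subject_certificate = ca_cert
extension_factory.issuer_certificate = ca_cert
# NOTE(review): as written on the page, these calls only build extension objects;
# nothing attaches them, so the resulting certificate carries no basicConstraints
# or keyUsage. Attaching them needs ca_cert.add_extension(...) before signing.
# They are left unattached here because this same certificate is used below as
# the PKCS#7 signer, and a keyUsage limited to cRLSign,keyCertSign may make
# signature verification reject it -- TODO confirm. The usual design is a CA
# certificate that only issues, plus a separate leaf certificate for signing.
extension_factory.create_extension("subjectKeyIdentifier", "hash")
extension_factory.create_extension("basicConstraints", "CA:TRUE", true)
extension_factory.create_extension("keyUsage", "cRLSign,keyCertSign", true)
# No signing call for the CA certificate is visible on the page. The self-signature
# is added so that the certificate written below is complete.
ca_cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
File.write("ca_cert.pem", ca_cert.to_pem)

# Sign file
# openssl smime -sign -in example.mobileconfig -out signed2.mobileconfig -signer ca_cert.pem -inkey ca_key.pem -outform der -nodetach
# Binary read/write: the payload is signed with the BINARY flag and the result is
# DER, so no newline translation may touch it.
profile = File.binread("LBS_BausparApp.mobileprovision")
profile_signed = OpenSSL::PKCS7.sign(ca_cert, ca_key, profile, [], OpenSSL::PKCS7::BINARY)
File.binwrite("signed.mobileconfig", profile_signed.to_der)

# Encrypt file
# Sign-then-encrypt: the enveloped content is the signed DER blob, so integrity
# comes from the inner signature, not from the CBC encryption layer.
profile_encrypted = OpenSSL::PKCS7.encrypt([ca_cert], profile_signed.to_der, cipher, OpenSSL::PKCS7::BINARY)
# The page wrote the PKCS7 object directly, i.e. its string form (PEM).
File.write("encrypted.mobileconfig", profile_encrypted.to_pem)

# Decrypt file
profile_encrypted2 = OpenSSL::PKCS7.new(File.read("encrypted.mobileconfig"))
profile_decrypted = profile_encrypted2.decrypt(ca_key, ca_cert)
profile_signed2 = OpenSSL::PKCS7.new(profile_decrypted) # reconstructed
# Signer details read here are still unauthenticated: they come straight from the
# message and mean nothing until the verification below has succeeded.
# NOTE(review): `name` is kept as on the page; confirm the installed openssl gem
# still provides it (`issuer` is the documented accessor).
puts "profile_signed2.signers()[0].name=#{profile_signed2.signers()[0].name}"

# Verify
# openssl smime -verify -inform der -in signed.mobileconfig -signer ca_cert.pem
store = OpenSSL::X509::Store.new # reconstructed
# An empty store holds no trust anchor, so no chain can be built to it. The
# anchor must come from a source trusted independently of the message.
store.add_cert(ca_cert)
verified = profile_signed2.verify([ca_cert], store)
# Callers should act on the payload only when this is true, not merely print it.
puts "profile_signed2.verify([ca_cert], store)=#{verified}"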