Created
May 4, 2016 21:56
-
-
Save mcr/73e10792abd529c5f53562ed275b7c1b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# -*- ruby -*- | |
class OpenSSL::PKey::EC | |
def private? | |
private_key? | |
end | |
end | |
namespace :highway do | |
desc "Create initial self-signed certificate" | |
task :selfsigned => :environment do | |
curve='X25519' | |
#curve='secp112r1' | |
certdir = Rails.root.join('db').join('cert') | |
FileUtils.mkpath(certdir) | |
vendorprivkey=certdir.join("vendor_#{curve}.key") | |
if File.exists?(vendorprivkey) | |
root_key = OpenSSL::PKey.read(File.open(vendorprivkey)) | |
else | |
# the CA's public/private key - 3*1024 + 8 | |
root_key = OpenSSL::PKey::EC.new(curve) | |
root_key.generate_key | |
File.open(vendorprivkey, "w") do |f| f.write root_key.to_pem end | |
end | |
root_ca = OpenSSL::X509::Certificate.new | |
# cf. RFC 5280 - to make it a "v3" certificate | |
root_ca.version = 2 | |
root_ca.serial = 1 | |
root_ca.subject = OpenSSL::X509::Name.parse "/DC=ca/DC=sandelman/CN=Unstrung Highway CA" | |
# root CA's are "self-signed" | |
root_ca.issuer = root_ca.subject | |
#root_ca.public_key = root_key.public_key | |
root_ca.public_key = root_key | |
root_ca.not_before = Time.now | |
# 2 years validity | |
root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 | |
# Extension Factory | |
ef = OpenSSL::X509::ExtensionFactory.new | |
ef.subject_certificate = root_ca | |
ef.issuer_certificate = root_ca | |
root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true)) | |
root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true)) | |
root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false)) | |
root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false)) | |
root_ca.sign(root_key, OpenSSL::Digest::SHA256.new) | |
File.open(certdir.join("vendor_#{curve}.crt"),'w') do |f| | |
f.write root_ca.to_pem | |
end | |
end | |
desc "Create initial self-signed certificate" | |
task :signmic => :environment do | |
key = OpenSSL::PKey::RSA.new 2048 | |
cert = OpenSSL::X509::Certificate.new | |
cert.version = 2 | |
cert.serial = 2 | |
cert.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby certificate" | |
cert.issuer = root_ca.subject # root CA is the issuer | |
cert.public_key = key.public_key | |
cert.not_before = Time.now | |
cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity | |
ef = OpenSSL::X509::ExtensionFactory.new | |
ef.subject_certificate = cert | |
ef.issuer_certificate = root_ca | |
cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true)) | |
cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false)) | |
cert.sign(root_key, OpenSSL::Digest::SHA256.new) | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment