@mveytsman
Created July 24, 2012 03:39
This script generates an SSL CA certificate that can be used to sign other certificates
```ruby
## Usage: generate_ca.rb NAME
##
## This script generates an SSL CA certificate that can be used to sign
## other certificates. The certificate is saved to NAME.pem, and the
## key is saved to NAME.key
require 'openssl'

if ARGV.length != 1
  puts "Usage: generate_ca.rb NAME"
  exit 1 # non-zero status so callers can detect the usage error
end
name = ARGV[0]

root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key

root_ca = OpenSSL::X509::Certificate.new
root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
root_ca.serial = 1
root_ca.subject = OpenSSL::X509::Name.parse "/DC=org/O=SSLProxy/CN=SSLProxy CA"
root_ca.issuer = root_ca.subject # root CAs are "self-signed"
root_ca.public_key = root_key.public_key
root_ca.not_before = Time.now
root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity

# v3 extensions: mark the certificate as a CA (able to sign at most two
# further levels of CA), restrict the key to signing certs and CRLs, and
# add the key identifiers that chain builders use to match issuer to subject.
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = root_ca
ef.issuer_certificate = root_ca
root_ca.add_extension(ef.create_extension("basicConstraints", "CA:TRUE,pathlen:2", true))
root_ca.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
root_ca.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
root_ca.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)

# write the generated CA cert and key to file
File.open("#{name}.pem", "wb") { |f| f.print root_ca.to_pem }
File.open("#{name}.key", "wb") { |f| f.print root_key.to_pem }
```
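The gist stops at producing the CA. The following is an added example, not part of the gist, showing the other half of the workflow it describes: building the same CA in memory, issuing an end-entity certificate signed by it, and then checking with an `OpenSSL::X509::Store` that the leaf verifies only against the CA that actually signed it. The `build_ca`, `issue_leaf` and `trusted_by?` helpers, the hostname `example.test`, and the second "Unrelated CA" are constructed for this demonstration; note that the leaf is explicitly marked `CA:FALSE` so a compromised server key cannot be used to mint further certificates under the CA.

```ruby
require 'openssl'

# Added example (not part of the gist). Names, serials and key sizes below
# are constructed for the demonstration.
ONE_YEAR = 365 * 24 * 60 * 60

# Build a self-signed CA certificate with the same extensions as the gist.
def build_ca(subject = "/DC=org/O=SSLProxy/CN=SSLProxy CA")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 2 * ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE,pathlen:2", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Issue an end-entity (leaf) certificate for `hostname`, signed by the CA key.
# The leaf is marked CA:FALSE so it cannot itself issue certificates, and its
# key usage is limited to what a TLS server needs.
def issue_leaf(ca_cert, ca_key, hostname, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/DC=org/O=SSLProxy/CN=#{hostname}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth", false))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}", false))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Verify `cert` against a trust store containing only `ca_cert`.
# Returns true when a chain to that CA can be built and all signatures check.
def trusted_by?(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Two CAs and one leaf: only the CA that signed the leaf should verify it.
def demo
  ca_cert, ca_key = build_ca
  other_ca, _other_key = build_ca("/DC=org/O=Other/CN=Unrelated CA")
  leaf, _leaf_key = issue_leaf(ca_cert, ca_key, "example.test", 2)
  {
    signed_by_ca: trusted_by?(ca_cert, leaf),     # true
    signed_by_other: trusted_by?(other_ca, leaf), # false: issuer is not trusted
    leaf_is_ca: leaf.extensions.any? { |e| e.oid == "basicConstraints" && e.value.include?("CA:TRUE") }
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `pathlen:2` on the CA from the gist bounds how many intermediate CAs may sit below it; a leaf carrying `CA:FALSE` is the other half of that control, and a store-based verification like `trusted_by?` is the check to run before trusting anything the CA has signed.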