@pzb
Created November 18, 2014 16:56
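#!/usr/bin/env ruby
# frozen_string_literal: true
#
# Builds a three-tier test PKI on disk: a self-signed root CA, an issuer
# (intermediate) CA signed by the root, and an end-entity server certificate
# for www.example.org signed by the issuer. Every subject is marked
# "Untrusted" / "For Testing Only" on purpose.
#
# Private keys are reused when the key file already exists, so re-running the
# script keeps the key pairs stable while regenerating the certificates.
#
# Outputs (current directory):
#   rootca.key / rootca.crt / rootca.cer
#   issuerca.key / issuerca.crt / issuerca.cer
#   ee.key / www.example.org.crt
require 'openssl'

ROOT_KEY = 'rootca.key'
ISSUER_KEY = 'issuerca.key'
EE_KEY = 'ee.key'

# RSA modulus size for freshly generated keys.
KEY_BITS = 2048

# Digest used for every certificate signature. SHA-1 certificate signatures
# are refused by current TLS clients and validators, which would make these
# test certificates unusable even as fixtures, so SHA-256 is used.
SIGNATURE_DIGEST = OpenSSL::Digest::SHA256

# Loads the RSA private key stored at +path+, or generates a new one and
# persists it there when the file does not exist yet.
#
# @param path  [String] PEM file holding the private key
# @param label [String] short name used in the "Using existing ... key" notice
# @return [OpenSSL::PKey::RSA]
def load_or_create_key(path, label)
  if File.exist?(path)
    print "Using existing #{label} key\n"
    return OpenSSL::PKey::RSA.new(File.read(path))
  end

  key = OpenSSL::PKey::RSA.new(KEY_BITS)
  # 0600 so the private key is not world-readable; the mode only takes
  # effect when the file is created, which is the only case reaching here.
  File.open(path, 'w', 0o600) { |f| f.write(key.to_pem) }
  key
end

# Builds an X.509 Name from [oid, value] pairs, encoding every value as
# PrintableString.
#
# @param pairs [Array<Array(String, String)>]
# @return [OpenSSL::X509::Name]
def printable_name(pairs)
  OpenSSL::X509::Name.new(
    pairs.map { |oid, value| [oid, value, OpenSSL::ASN1::PRINTABLESTRING] }
  )
end

# Creates an unsigned X.509 v3 certificate skeleton with the given fields.
#
# @param serial     [Integer]
# @param not_before [Time]
# @param not_after  [Time]
# @param subject    [OpenSSL::X509::Name]
# @param issuer     [OpenSSL::X509::Name]
# @param public_key [OpenSSL::PKey::PKey]
# @return [OpenSSL::X509::Certificate] not yet signed
def new_certificate(serial:, not_before:, not_after:, subject:, issuer:, public_key:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3 is encoded as 2 (zero-based)
  cert.serial = serial
  cert.not_before = not_before
  cert.not_after = not_after
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = public_key
  cert
end

# Adds extensions to +cert+, deriving subjectKeyIdentifier /
# authorityKeyIdentifier from +subject_cert+ and +issuer_cert+ respectively.
#
# @param cert         [OpenSSL::X509::Certificate] certificate being extended
# @param subject_cert [OpenSSL::X509::Certificate] whose key "hash" feeds the SKI
# @param issuer_cert  [OpenSSL::X509::Certificate] whose SKI feeds the AKI
# @param specs        [Array<Array>] create_extension argument lists, in order
# @return [void]
def add_extensions(cert, subject_cert, issuer_cert, specs)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = subject_cert
  ef.issuer_certificate = issuer_cert
  specs.each { |args| cert.add_extension(ef.create_extension(*args)) }
end

# Writes +cert+ as PEM to +path+.
def write_pem(path, cert)
  File.open(path, 'w') { |f| f.write(cert.to_pem) }
end

# Writes +cert+ as DER to +path+ (binary mode: DER must not get newline
# translation).
def write_der(path, cert)
  File.open(path, 'wb') { |f| f.write(cert.to_der) }
end

# ---------------------------------------------------------------------------
# Root CA (self-signed)
# ---------------------------------------------------------------------------
root_key = load_or_create_key(ROOT_KEY, 'root')

root_subject = printable_name([
  ['C', 'XX'],
  ['O', 'Untrusted Org'],
  ['OU', 'For Testing Only'],
  ['CN', 'Untrusted Testing Root CA']
])
root_cert = new_certificate(
  serial: 0xa07ad617eff0426a,
  not_before: Time.new(2004, 1, 1, 0, 0, 1),
  not_after: Time.new(2028, 12, 31, 23, 59, 59),
  subject: root_subject,
  issuer: root_subject, # self-signed
  public_key: root_key.public_key
)
add_extensions(root_cert, root_cert, root_cert, [
  ['subjectKeyIdentifier', 'hash', false],
  ['basicConstraints', 'CA:TRUE', true],
  ['keyUsage', 'digitalSignature, keyCertSign, cRLSign', true],
  ['authorityKeyIdentifier', 'keyid:always', false]
])
root_cert.sign(root_key, SIGNATURE_DIGEST.new)
print root_cert.to_text
write_pem('rootca.crt', root_cert)
write_der('rootca.cer', root_cert)

# ---------------------------------------------------------------------------
# Issuer CA (signed by the root, may not issue further CAs: pathlen:0)
# ---------------------------------------------------------------------------
issuer_key = load_or_create_key(ISSUER_KEY, 'issuer')

issuer_cert = new_certificate(
  serial: 0x110ce5df17de48e8,
  not_before: Time.new(2011, 1, 1, 0, 0, 1),
  not_after: Time.new(2020, 12, 31, 23, 59, 59),
  subject: printable_name([
    ['C', 'US'],
    ['O', 'Untrusted'],
    ['OU', 'For Testing Only'],
    ['CN', 'Untrusted Testing Issuer CA']
  ]),
  issuer: root_cert.subject,
  public_key: issuer_key.public_key
)
add_extensions(issuer_cert, issuer_cert, root_cert, [
  ['subjectKeyIdentifier', 'hash', false],
  ['basicConstraints', 'CA:TRUE, pathlen:0', true],
  ['keyUsage', 'digitalSignature, keyCertSign, cRLSign', true],
  ['authorityKeyIdentifier', 'keyid:always', false],
  ['authorityInfoAccess', 'caIssuers;URI:http://untrusted.example.com/root.cer'],
  ['crlDistributionPoints', 'URI:http://untrusted.example.com/root.crl']
])
issuer_cert.sign(root_key, SIGNATURE_DIGEST.new)
print issuer_cert.to_text
write_pem('issuerca.crt', issuer_cert)
write_der('issuerca.cer', issuer_cert)

# ---------------------------------------------------------------------------
# End-entity server certificate (signed by the issuer CA)
# ---------------------------------------------------------------------------
ee_key = load_or_create_key(EE_KEY, 'ee')

ee_cert = new_certificate(
  serial: 0x6246df8779304f9a,
  not_before: Time.new(2014, 2, 26, 16, 0, 0),
  not_after: Time.new(2015, 2, 28, 15, 59, 59),
  subject: printable_name([
    ['C', 'XX'],
    ['CN', 'www.example.org']
  ]),
  issuer: issuer_cert.subject,
  public_key: ee_key.public_key
)
# The extension factory must point at the EE cert as subject and the issuer
# CA as issuer; otherwise authorityKeyIdentifier "keyid" is copied from the
# root instead of the issuer and chain building to issuerca fails.
add_extensions(ee_cert, ee_cert, issuer_cert, [
  ['subjectAltName', 'DNS:example.org, DNS:www.example.org, DNS:example.net, DNS:www.example.net'],
  ['basicConstraints', 'CA:FALSE'],
  ['keyUsage', 'digitalSignature, keyEncipherment', true],
  ['extendedKeyUsage', 'serverAuth, clientAuth'],
  ['authorityKeyIdentifier', 'keyid:always', false],
  ['crlDistributionPoints', 'URI:http://untrusted.example.com/issuer.crl'],
  ['authorityInfoAccess', 'caIssuers;URI:http://untrusted.example.com/issuer.cer']
])
ee_cert.sign(issuer_key, SIGNATURE_DIGEST.new)
print ee_cert.to_text
write_pem('www.example.org.crt', ee_cert)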