@pzb
Last active October 14, 2016 05:55
Bytes: 1011
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Livingston, O=Aperture Science Corporation, CN=Aperture Science Portal Certificate Authority - R4
Validity
Not Before: Jan 1 00:00:01 2004 GMT
Not After : Dec 31 23:59:59 2028 GMT
Subject: C=US, ST=Montana, L=Livingston, O=Aperture Science Corporation, CN=Aperture Science Portal Certificate Authority - R4
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
66:F2:85:0E:A2:30:F9:EA:F5:0A:FB:98:5A:4E:A9:44:69:37:B0:51
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
Bytes: 1115
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Livingston, O=Aperture Science Corporation, CN=Aperture Science Portal Certificate Authority - R4
Validity
Not Before: Jan 1 00:00:01 2011 GMT
Not After : Dec 31 23:59:59 2020 GMT
Subject: O=Eggman, OU=Internet Authority 1A
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
01:92:89:3E:04:0D:5E:9B:EE:FD:2A:12:7D:F6:9C:EA:45:10:94:D4
X509v3 Authority Key Identifier:
keyid:66:F2:85:0E:A2:30:F9:EA:F5:0A:FB:98:5A:4E:A9:44:69:37:B0:51
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: http://a.b.cd/cps
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Authority Information Access:
CA Issuers - URI:http://a.b.cd/r4.cer
OCSP - URI:http://a.b.cd
X509v3 CRL Distribution Points:
Full Name:
URI:http://a.b.cd/r4.crl
Signature Algorithm: sha256WithRSAEncryption
Bytes: 1015
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12329321568948711455 (0xab1a8ca4b6bff01f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Eggman, OU=Internet Authority 1A
Validity
Not Before: Feb 26 16:00:00 2015 GMT
Not After : Feb 28 15:59:59 2016 GMT
Subject: CN=*.example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:66:F2:85:0E:A2:30:F9:EA:F5:0A:FB:98:5A:4E:A9:44:69:37:B0:51
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CPS: http://a.b.cd/cps
X509v3 Subject Alternative Name:
DNS:*.example.org, DNS:example.org
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://a.b.cd/1a.crl
Authority Information Access:
CA Issuers - URI:http://a.b.cd/1a.cer
OCSP - URI:http://a.b.cd
Signature Algorithm: sha256WithRSAEncryption
Code that generated this chain follows.
#!/usr/bin/env ruby
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'openssl'
# Set up Names and Keys for all the certs
ROOT = [["C", "US", OpenSSL::ASN1::PRINTABLESTRING],
        ["ST", "Montana", OpenSSL::ASN1::PRINTABLESTRING],
        ["L", "Livingston", OpenSSL::ASN1::PRINTABLESTRING],
        ["O", "Aperture Science Corporation", OpenSSL::ASN1::PRINTABLESTRING],
        ["CN", "Aperture Science Portal Certificate Authority - R4", OpenSSL::ASN1::PRINTABLESTRING]]
root_key = OpenSSL::PKey::RSA.new(2048)
SUBORDINATE = [["O", "Eggman", OpenSSL::ASN1::PRINTABLESTRING],
               ["OU", "Internet Authority 1A", OpenSSL::ASN1::PRINTABLESTRING]]
subordinate_key = OpenSSL::PKey::RSA.new(2048)
# PrintableString does not include '*', so use a different DirectoryString
# RFC 5280 s. 4.1.2.6 says to use UTF8String
# ("MUST use PrintableString or UTF8String")
END_ENTITY = [["CN", "*.example.org", OpenSSL::ASN1::UTF8STRING]]
END_ENTITY_SANS = "DNS:*.example.org, DNS:example.org"
end_entity_key = OpenSSL::PKey::RSA.new(2048)
# Generate all the certs
# Validity dates are given in UTC so the printed GMT times do not depend on the local time zone
root_cert = OpenSSL::X509::Certificate.new
root_cert.version = 0x2   # X.509 v3 is encoded as the integer 2
root_cert.serial = 0x0
root_cert.not_before = Time.utc(2004, 1, 1, 0, 0, 1)
root_cert.not_after = Time.utc(2028, 12, 31, 23, 59, 59)
root_cert.subject = OpenSSL::X509::Name.new(ROOT)
root_cert.issuer = root_cert.subject   # self-signed: issuer == subject
root_cert.public_key = root_key
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = root_cert
ef.issuer_certificate = root_cert
root_cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
root_cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
# DigitalSignature is needed to sign OCSP responses (http://goo.gl/DExis9)
root_cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyCertSign, cRLSign", true))
root_cert.sign(root_key, OpenSSL::Digest::SHA256.new)
puts "Bytes: #{root_cert.to_der.length}"
puts root_cert.to_text
puts root_cert.to_pem
puts ""
issuer_cert = OpenSSL::X509::Certificate.new
issuer_cert.version = 0x2
issuer_cert.serial = 0xa
issuer_cert.not_before = Time.utc(2011, 1, 1, 0, 0, 1)
issuer_cert.not_after = Time.utc(2020, 12, 31, 23, 59, 59)
issuer_cert.subject = OpenSSL::X509::Name.new(SUBORDINATE)
issuer_cert.issuer = root_cert.subject
issuer_cert.public_key = subordinate_key
ef = OpenSSL::X509::ExtensionFactory.new
# The CPS URI is Optional
# 2.5.29.32.0 is anyPolicy; the section name is referenced as "@polsect" below
ef.config = OpenSSL::Config.parse('
[polsect]
policyIdentifier = 2.5.29.32.0
CPS.1="http://a.b.cd/cps"
')
ef.subject_certificate = issuer_cert
ef.issuer_certificate = root_cert
issuer_cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
issuer_cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
# pathlen:0 means this CA may issue end-entity certificates only, not further CAs
issuer_cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE, pathlen:0", true))
# Baseline Requirements 9.3.3 have MAY or MUST for certificatePolicies
# depending on relationship between Root and Subordinate CA
issuer_cert.add_extension(ef.create_extension("certificatePolicies", "@polsect"))
# DigitalSignature is needed to sign OCSP responses (http://goo.gl/DExis9)
issuer_cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyCertSign, cRLSign", true))
issuer_cert.add_extension(ef.create_extension("authorityInfoAccess", "caIssuers;URI:http://a.b.cd/r4.cer,OCSP;URI:http://a.b.cd"))
issuer_cert.add_extension(ef.create_extension("crlDistributionPoints", "URI:http://a.b.cd/r4.crl"))
issuer_cert.sign(root_key, OpenSSL::Digest::SHA256.new)
puts "Bytes: #{issuer_cert.to_der.length}"
puts issuer_cert.to_text
puts issuer_cert.to_pem
puts ""
ee_cert = OpenSSL::X509::Certificate.new
ee_cert.version = 0x2
# 64 random bits of serial; top = -1 leaves the high bit unconstrained, odd = 0 leaves parity unconstrained
ee_cert.serial = OpenSSL::BN.rand(64, -1, 0)
ee_cert.not_before = Time.utc(2015, 2, 26, 16, 0, 0)
ee_cert.not_after = Time.utc(2016, 2, 28, 15, 59, 59)
ee_cert.subject = OpenSSL::X509::Name.new(END_ENTITY)
ee_cert.issuer = issuer_cert.subject
ee_cert.public_key = end_entity_key
ef = OpenSSL::X509::ExtensionFactory.new
# The CPS URI is Optional
# 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy OID
ef.config = OpenSSL::Config.parse('
[polsect]
policyIdentifier = 2.23.140.1.2.1
CPS.1="http://a.b.cd/cps"
')
ef.subject_certificate = ee_cert
ef.issuer_certificate = issuer_cert
# Python skips the first extension when trying to find the SAN
# extension, so ensure SAN is not the first extension
# http://bugs.python.org/issue13034
ee_cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
ee_cert.add_extension(ef.create_extension("certificatePolicies", "@polsect"))
ee_cert.add_extension(ef.create_extension("subjectAltName", END_ENTITY_SANS))
# RSA can be used for both Identification and Key Exchange, so two usages are needed
ee_cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
ee_cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth, clientAuth"))
ee_cert.add_extension(ef.create_extension("crlDistributionPoints", "URI:http://a.b.cd/1a.crl"))
ee_cert.add_extension(ef.create_extension("authorityInfoAccess", "caIssuers;URI:http://a.b.cd/1a.cer,OCSP;URI:http://a.b.cd"))
ee_cert.sign(subordinate_key, OpenSSL::Digest::SHA256.new)
puts "Bytes: #{ee_cert.to_der.length}"
puts ee_cert.to_text
puts ee_cert.to_pem
# Print ourself
puts "\nCode that generated this chain follows.\n"
puts File.read($0)
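Added here as a check on a chain built this way, not part of pzb's gist: a Ruby script that issues a small chain with the same basicConstraints shape (CA:TRUE root, pathlen:0 subordinate, wildcard end-entity), verifies the leaf against a store that trusts only the root, shows the pathlen:0 constraint rejecting a CA issued beneath the subordinate, and checks the wildcard SAN against hostnames. The issue helper, names and serials are constructed for this example.

```ruby
require 'openssl'

# Helper constructed for this example: issue a certificate for +subject+ signed
# by issuer_cert/issuer_key (self-signed when issuer_cert is nil).
def issue(subject, key, issuer_cert, issuer_key, serial, basic_constraints, sans = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.subject = OpenSSL::X509::Name.new(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", basic_constraints, true))
  cert.add_extension(ef.create_extension("subjectAltName", sans)) if sans
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  cert
end

# Verify +leaf+ the way a TLS client does: only +root+ is trusted, the
# intermediates are supplied untrusted and the path is built from them.
def verify_chain(root, intermediates, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  [ctx.verify, ctx.error_string]
end

# RFC 6125 host matching against the SAN dNSNames (one wildcard label only).
def hostname_ok?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

root_key, sub_key, leaf_key, rogue_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
ROOT = issue([["CN", "Test Root"]], root_key, nil, nil, 1, "CA:TRUE")
SUB  = issue([["O", "Test Sub CA"]], sub_key, ROOT, root_key, 10, "CA:TRUE, pathlen:0")
LEAF = issue([["CN", "*.example.org", OpenSSL::ASN1::UTF8STRING]], leaf_key, SUB, sub_key, 11,
             "CA:FALSE", "DNS:*.example.org, DNS:example.org")
# pathlen:0 lets SUB issue end-entity certs only; a CA issued beneath it must fail.
ROGUE_CA = issue([["O", "Sub-Sub CA"]], rogue_key, SUB, sub_key, 12, "CA:TRUE")
ROGUE_LEAF = issue([["CN", "www.example.org"]], OpenSSL::PKey::RSA.new(2048), ROGUE_CA, rogue_key,
                   13, "CA:FALSE", "DNS:www.example.org")

if __FILE__ == $0
  p verify_chain(ROOT, [SUB], LEAF)                  # => [true, "ok"]
  p verify_chain(ROOT, [SUB, ROGUE_CA], ROGUE_LEAF)  # => [false, "path length constraint exceeded"]
  p [hostname_ok?(LEAF, "www.example.org"), hostname_ok?(LEAF, "a.b.example.org")]  # => [true, false]
end
```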