class EasyRSA::CA
Public Class Methods
new(ca_name=nil, bits=4096, &block)
# File lib/easyrsa/ca.rb, line 8 def initialize(ca_name=nil, bits=4096, &block) # CA Name to generate cert for begin if ca_name.eql? nil raise EasyRSA::CA::MissingParameter, "Please provide a 'ca name', for the certificates' CN field. This should be in the format, 'CN=ca/DC=example/DC=com' for 'ca.example.com'" end @ca_name = OpenSSL::X509::Name.parse ca_name rescue TypeError => e fail EasyRSA::CA::InvalidCAName, "Please provide a 'ca name', for the certificates' CN field. This should be in the format, 'CN=ca/DC=example/DC=com' for 'ca.example.com'" end # Generate Private Key if bits < 2048 raise EasyRSA::CA::BitLengthToWeak, "Please select a bit length greater than 2048. Default is 4096. You chose '#{bits}'" end @ca_key = OpenSSL::PKey::RSA.new(bits) # Instantiate a new certificate @ca_cert = OpenSSL::X509::Certificate.new # This cert should never be valid before now @ca_cert.not_before = Time.now # Set it to version @ca_cert.version = 2 # Generate and assign the serial @ca_cert.serial = 0 instance_eval(&block) if block_given? end
Public Instance Methods
generate(validfor=10)
# File lib/easyrsa/ca.rb, line 44
# Finalise and self-sign the CA certificate prepared in #initialize.
#
# @param validfor [Integer] lifetime in years, converted by EasyRSA::years_from_now
# @return [Hash] { key: <CA private key PEM>, crt: <CA certificate PEM> }
#
# The returned :key is the unencrypted private key PEM; callers are responsible
# for storing it with appropriate protection.
# NOTE(review): the subject is @ca_name while the issuer comes from gen_issuer
# (EasyRSA::Config). For a self-signed root, verifiers expect issuer == subject;
# confirm Config is set up so the two match.
# NOTE(review): validfor is not range-checked; a non-positive value would
# produce a not_after earlier than not_before.
def generate(validfor=10)
  cert = @ca_cert

  # Validity end and the key material the cert certifies.
  cert.not_after = EasyRSA::years_from_now(validfor)
  cert.public_key = @ca_key.public_key
  cert.subject = @ca_name

  # Issuer DN, CA extensions, then the signature over the finished TBS cert.
  gen_issuer
  add_extensions
  sign_cert

  { key: @ca_key.to_pem, crt: cert.to_pem }
end
Private Instance Methods
add_extensions()
Add Extensions needed
# File lib/easyrsa/ca.rb, line 86
# Attach the v3 extensions that mark @ca_cert as a certificate authority.
#
# Both issuer and subject certificate are @ca_cert because the CA is
# self-signed, so subjectKeyIdentifier ('hash') is derived from @ca_cert's own
# public key. basicConstraints and keyUsage are marked critical so that relying
# parties which do not understand them reject the cert instead of ignoring them.
#
# NOTE(review): no authorityKeyIdentifier is added and basicConstraints carries
# no pathlen limit — usual for a root, but confirm it matches how this CA is used.
#
# @return [OpenSSL::X509::Extension] the last extension added (keyUsage)
def add_extensions
  factory = OpenSSL::X509::ExtensionFactory.new
  factory.subject_certificate = @ca_cert
  factory.issuer_certificate = @ca_cert

  ca_extensions = [
    ['subjectKeyIdentifier', 'hash', false],
    ['basicConstraints', 'CA:TRUE', true],
    ['keyUsage', 'cRLSign,keyCertSign', true]
  ]

  # map(...).last keeps the return value of the original (the last add_extension).
  ca_extensions.map do |oid, value, critical|
    @ca_cert.add_extension(factory.create_extension(oid, value, critical))
  end.last
end
gen_issuer()
Cert issuer details
# File lib/easyrsa/ca.rb, line 71
# Build the issuer DN from EasyRSA::Config and assign it to @ca_cert.
#
# ST is included only when Config.state is present and non-empty. The 'name'
# attribute is Config.name when that is present and non-empty, otherwise
# Config.orgunit, so exactly one '/name=' component is always emitted.
#
# NOTE(review): values are interpolated unescaped into the slash-separated DN
# string, so a Config value containing '/' or '=' would be split into extra
# attributes by Name.parse; building the name from an attribute array
# (OpenSSL::X509::Name.new) would avoid that. Not changed here.
#
# @return [OpenSSL::X509::Name] the issuer that was assigned
def gen_issuer
  cfg = EasyRSA::Config
  state = cfg.state
  org_name = cfg.name
  named = org_name && !org_name.empty?

  parts = ["/C=#{cfg.country}"]
  parts << "/ST=#{state}" if state && !state.empty?
  parts << "/L=#{cfg.city}"
  parts << "/O=#{cfg.company}"
  parts << "/OU=#{cfg.orgunit}"
  parts << "/CN=#{cfg.server}"
  parts << (named ? "/name=#{org_name}" : "/name=#{cfg.orgunit}")
  parts << "/emailAddress=#{cfg.email}"

  @ca_cert.issuer = OpenSSL::X509::Name.parse(parts.join)
end
sign_cert()
Sign cert with CA key
# File lib/easyrsa/ca.rb, line 98
# Self-sign @ca_cert with the CA private key using SHA-256.
#
# @return [OpenSSL::X509::Certificate] @ca_cert, now carrying its signature
def sign_cert
  digest = OpenSSL::Digest.new('SHA256')
  @ca_cert.sign(@ca_key, digest)
end