class EasyRSA::CA

Public Class Methods

# File lib/easyrsa/ca.rb, line 8
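# Build a CA: a fresh RSA key plus an unsigned certificate skeleton that
# +generate+ completes and self-signs.
#
# @param ca_name [String] distinguished name for the CA's subject, in
#   OpenSSL's "/CN=ca/DC=example/DC=com" form
# @param bits [Integer] RSA modulus size in bits; anything below 2048 is rejected
# @param block optional block evaluated via +instance_eval+ on the new
#   instance, so it can adjust @ca_cert/@ca_key before +generate+
# @raise [EasyRSA::CA::MissingParameter] when ca_name is nil
# @raise [EasyRSA::CA::InvalidCAName] when OpenSSL cannot parse ca_name
# @raise [EasyRSA::CA::BitLengthToWeak] when bits is below 2048
def initialize(ca_name=nil, bits=4096, &block)
  name_help = "Please provide a 'ca name', for the certificates' CN field. This should be in the format, 'CN=ca/DC=example/DC=com' for 'ca.example.com'"

  # CA Name to generate cert for
  raise EasyRSA::CA::MissingParameter, name_help if ca_name.nil?
  begin
    # NOTE(review): the openssl gem's current parser treats a name without a
    # leading '/' as comma-separated; "/CN=ca/DC=example/DC=com" is the
    # unambiguous spelling — confirm against the gem version in use.
    @ca_name = OpenSSL::X509::Name.parse ca_name
  rescue TypeError
    # Name.parse surfaces input it cannot split into attribute/value pairs
    # as TypeError; map it to the library's own error class.
    raise EasyRSA::CA::InvalidCAName, name_help
  end

  # Generate Private Key — 2048 is the minimum accepted, so the message says
  # "at least" rather than "greater than".
  if bits < 2048
    raise EasyRSA::CA::BitLengthToWeak,
      "Please select a bit length of at least 2048. Default is 4096. You chose '#{bits}'"
  end
  @ca_key = OpenSSL::PKey::RSA.new(bits)

  # Instantiate a new certificate
  @ca_cert = OpenSSL::X509::Certificate.new

  # This cert should never be valid before now
  @ca_cert.not_before = Time.now

  # X.509 v3 (the field is zero-based); v3 is what extensions require
  @ca_cert.version = 2

  # NOTE(review): the serial is fixed at 0 for compatibility, but RFC 5280
  # requires a positive serial that is unique per issuer; callers can set one
  # in the block (e.g. `@ca_cert.serial = OpenSSL::BN.rand(64)`).
  @ca_cert.serial = 0

  instance_eval(&block) if block_given?
end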

Public Instance Methods

# File lib/easyrsa/ca.rb, line 44
# Complete the certificate skeleton built in +initialize+ and self-sign it.
#
# @param validfor [Integer] validity period in years from now
# @return [Hash{Symbol => String}] :key is the CA private key as unencrypted
#   PEM, :crt the signed CA certificate as PEM
def generate(validfor=10)
  cert = @ca_cert
  cert.not_after  = EasyRSA::years_from_now(validfor)
  cert.public_key = @ca_key.public_key
  cert.subject    = @ca_name

  # Issuer and extensions have to be in place before the signature is
  # computed, so these three steps run in this fixed order.
  # NOTE(review): add_extensions appends; calling generate twice on the same
  # instance would add the extensions a second time.
  %i[gen_issuer add_extensions sign_cert].each { |step| send(step) }

  # The private key is returned unencrypted; the caller owns its safekeeping.
  { key: @ca_key.to_pem, crt: cert.to_pem }
end

Private Instance Methods


Add the extensions a self-signed CA certificate needs.

# File lib/easyrsa/ca.rb, line 86
# Mark the certificate as a CA: a subject key identifier, a critical
# basicConstraints of CA:TRUE, and a critical keyUsage limited to signing
# certificates and CRLs.
def add_extensions
  factory = OpenSSL::X509::ExtensionFactory.new
  # Self-signed: the CA certificate is its own subject and issuer.
  factory.subject_certificate = @ca_cert
  factory.issuer_certificate = @ca_cert

  [
    ['subjectKeyIdentifier', 'hash'],
    ['basicConstraints', 'CA:TRUE', true],
    ['keyUsage', 'cRLSign,keyCertSign', true]
  ].each do |oid, value, *critical|
    @ca_cert.add_extension(factory.create_extension(oid, value, *critical))
  end
end

Set the certificate's issuer details.

# File lib/easyrsa/ca.rb, line 71
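# Set the certificate's issuer name from EasyRSA::Config.
#
# The Name is built from [attribute, value] pairs rather than a "/C=../O=.."
# string so that a '/' or '=' inside a config value (e.g. a company name)
# cannot be read as a component separator and silently alter the DN.
# ST is only included when Config.state is set and non-empty; the +name+
# attribute falls back to Config.orgunit when Config.name is unset or empty.
#
# @return [OpenSSL::X509::Name] the issuer name assigned to @ca_cert
def gen_issuer
  cfg = EasyRSA::Config
  present = ->(value) { value && !value.empty? }

  entries = []
  entries << ['C', cfg.country.to_s]
  entries << ['ST', cfg.state.to_s] if present.call(cfg.state)
  entries << ['L', cfg.city.to_s]
  entries << ['O', cfg.company.to_s]
  entries << ['OU', cfg.orgunit.to_s]
  entries << ['CN', cfg.server.to_s]
  # Quirk kept from the string-building version: orgunit stands in for name.
  entries << ['name', (present.call(cfg.name) ? cfg.name : cfg.orgunit).to_s]
  entries << ['emailAddress', cfg.email.to_s]

  @ca_cert.issuer = OpenSSL::X509::Name.new(entries)
end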

Sign the certificate with the CA key.

# File lib/easyrsa/ca.rb, line 98
# Self-sign the certificate with the CA private key, using SHA-256 as the
# signature digest.
def sign_cert
  digest = OpenSSL::Digest.new('SHA256')
  @ca_cert.sign(@ca_key, digest)
end