cert-auth 1.0.0
- data/bin/cert-auth +10 -0
- data/lib/cert_auth.rb +85 -0
- data/lib/cert_auth/server.rb +57 -0
- data/public/static/style.css +45 -0
- data/public/views/done.haml +4 -0
- data/public/views/index.haml +25 -0
- data/public/views/layout.haml +9 -0
- data/public/views/new.haml +9 -0
- data/public/views/preview.haml +17 -0
- data/public/views/view_certificate.haml +6 -0
- data/scripts/init-ca.rb +58 -0
- data/scripts/openssl.example.conf +313 -0
- metadata +108 -0
data/bin/cert-auth
ADDED
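--- a/data/lib/cert_auth.rb
+++ b/data/lib/cert_auth.rb
@@ -0,0 +1,85 @@
+require "rubygems"
+require "sinatra"
+require "haml"
+
+module CertAuth
+class << self
+
+## Return the root to the certificate authority
+attr_accessor :ca_root
+
+## Return the full path to the public folder for the
+## certificate authority.
+def public_root
+File.expand_path("../../public", __FILE__)
+end
+
+## Return the CA Root
+def ca_root
+@ca_root || File.expand_path("../../exampleCA", __FILE__)
+end
+
+## Return an array of all keys on this certificate authority. This information
+## is taken from the index.txt file.
+def keys
+raw = File.read(File.join(ca_root, 'index.txt')).split(/\n/)
+keys = Array.new
+for key in raw
+type, expiry_date, revoke_date, serial, filename, subject = key.split(/\t/)
+keys << {:type => type, :expiry_date => expiry_date.to_i, :revoke_date => revoke_date.to_i, :serial => serial, :subject => subject}
+end
+keys
+end
+
+## Return the contents for a certificate
+def certificate(serial)
+path = File.join(ca_root, 'newcerts', "#{serial}.pem")
+if File.exist?(path)
+File.read(path)
+else
+false
+end
+end
+
+## Return the certificate for the CA
+def ca_certificate
+File.read(File.join(ca_root, 'certs', 'ca.crt'))
+end
+
+## Save a new CSR file to the local machine and return the properties
+def save_csr(contents)
+FileUtils.mkdir_p(File.join(ca_root, 'csrs'))
+key = Digest::SHA1.hexdigest([contents, Time.now.to_i].join)
+File.open(File.join(ca_root, 'csrs', key), 'w') { |f| f.write(contents) }
+key
+end
+
+## Return CSR information
+def view_csr(key)
+path = File.join(ca_root, 'csrs', key)
+if File.exist?(path)
+output = `openssl req -noout -text -in #{path}`
+$?.success? ? output : false
+else
+false
+end
+end
+
+## Sign a certificate and return the serial number
+def sign(csr_key, passphrase)
+csr_path = File.join(ca_root, 'csrs', csr_key)
+if File.exist?(csr_path)
+output = `cd #{ca_root} && openssl ca -passin pass:#{passphrase} -batch -config openssl.conf -policy policy_anything -infiles #{csr_path} 2>&1`
+if $?.success?
+[true, output]
+else
+[false, output]
+end
+else
+false
+end
+end
+
+
+end
+end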
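Review bot: In `sign` (file line 72) the caller-supplied `passphrase` and `csr_key` are interpolated straight into a backtick shell command, and `view_csr` (line 61) does the same with `key`, so any shell metacharacter in the `/sign/:csr_key` form or URL runs as the web server user; the passphrase on the command line is also readable by every local user through the process list. Neither method, nor `certificate` (line 36, which builds a path from an unchecked serial), validates its identifier against the format the code itself produces (save_csr keys are 40 hex characters), so `..` segments reach the filesystem. The fix is to reject anything that is not such a key, run openssl through `Open3.capture2e` with an argv array (no shell) and feed the passphrase over stdin with `-passin stdin`; `view_csr` needs the same validation and argv form, and `certificate` should check `serial =~ /\A[0-9A-Fa-f]+\z/`. The file also uses `FileUtils`, `Digest::SHA1` and (with this change) `Open3` without requiring `fileutils`, `digest/sha1` or `open3`.
```ruby
## Sign a certificate and return the serial number
def sign(csr_key, passphrase)
  # Only keys produced by save_csr (SHA-1 hex) may name a file or reach a command line.
  return false unless csr_key.to_s =~ /\A[0-9a-f]{40}\z/
  csr_path = File.join(ca_root, 'csrs', csr_key)
  return false unless File.exist?(csr_path)
  # argv form: no shell parses the arguments; the passphrase travels over stdin
  # rather than the command line, so it is not visible in ps output.
  output, status = Open3.capture2e(
    'openssl', 'ca', '-passin', 'stdin', '-batch', '-config', 'openssl.conf',
    '-policy', 'policy_anything', '-infiles', csr_path,
    :stdin_data => passphrase.to_s, :chdir => ca_root
  )
  [status.success?, output]
end
```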
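--- a/data/lib/cert_auth/server.rb
+++ b/data/lib/cert_auth/server.rb
@@ -0,0 +1,57 @@
+require 'cert_auth'
+require 'sinatra/base'
+require 'haml'
+
+module CertAuth
+class Server < Sinatra::Base
+
+set :public, File.join(CertAuth.public_root, 'static')
+set :views, File.join(CertAuth.public_root, 'views')
+set :static, true
+
+## Generic view with a list of all signed certificates.
+get '/' do
+@certificates = CertAuth.keys
+haml :index
+end
+
+## Return the certificate
+get '/certificate' do
+@certificate = CertAuth.ca_certificate
+haml :view_certificate
+end
+
+## Return the certificate contents for a provided serial
+get '/certificate/:serial' do
+@certificate = CertAuth.certificate(params[:serial])
+haml :view_certificate
+end
+
+## Accept a new CSR for upload do
+get '/new' do
+haml :new
+end
+
+## Save a CSR to the system and return the properties ready for signing
+post '/new' do
+@csr_key = CertAuth.save_csr(params[:csr])
+if @csr_details = CertAuth.view_csr(@csr_key)
+haml :preview
+else
+redirect "/new"
+end
+end
+
+post '/sign/:csr_key' do
+@csr_key = params[:csr_key]
+status, @output = CertAuth.sign(@csr_key, params[:passphrase])
+if status
+haml :done
+else
+@csr_details = CertAuth.view_csr(@csr_key)
+haml :preview
+end
+end
+
+end
+end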
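Review bot: `post '/new'` (file line 37) writes `params[:csr]` to disk before anything checks that a CSR was submitted, so a POST with a missing or empty `csr` field still creates a file under csrs/, and the `redirect "/new"` on line 41 leaves that file behind; nothing on this page ever removes rejected or already-signed CSRs, so the directory grows with every request. Add `redirect "/new" if params[:csr].to_s.strip.empty?` ahead of the save and delete the file when `view_csr` returns false. On line 47 the local `status` shadows Sinatra's `status` helper inside that block; a name like `signed` avoids the confusion. The comment on line 18 reads `## Return the certificate` for the route that serves the CA certificate; `## Return the CA certificate` distinguishes it from the per-serial route below. None of the routes appear to require authentication, so if the interface is reachable beyond a trusted host the CA passphrase is the only control on signing.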
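--- a/data/public/static/style.css
+++ b/data/public/static/style.css
@@ -0,0 +1,45 @@
+html { color: #000; background: #FFF; }
+body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td { margin: 0; padding: 0; }
+li { list-style: none; }
+h1, h2, h3, h4, h5, h6 { font-size: 100%; font-weight: normal; }
+pre, form { font-style: normal; font-weight: normal; }
+fieldset { border: 0; }
+legend { color: #000; }
+input, textarea { margin: 0; padding: 0; font-family: inherit; font-size: inherit; font-weight: inherit; *font-size: 100%; }
+p, blockquote { margin: 0; padding: 0; }
+th { margin: 0; padding: 0; font-style: normal; font-weight: normal; text-align: left; }
+table { border-collapse: collapse; border-spacing: 0; }
+img { border: 0; }
+address { font-style: normal; font-weight: normal; }
+caption { font-style: normal; font-weight: normal; text-align: left; }
+cite, dfn, em, strong, var { font-style: normal; font-weight: normal; }
+q:before, q:after { content: ''; }
+abbr, acronym { border: 0; font-variant: normal; }
+sup { vertical-align: text-top; }
+sub { vertical-align: text-bottom; }
+select { font-family: inherit; font-size: inherit; font-weight: inherit; *font-size: 100%; }
+
+.hidden { display:none !important;}
+div.field_with_errors { display:inline !important;}
+
+/* disable safari input highlighting - we don't like this */
+input, textarea, div.editable {outline-style:none;outline-width:0px;}
+a:active { outline: none;}
+
+html { font-size:12px; font-family:"Helvetica Neue", Arial, sans-serif; background-color:#ccc;}
+body { -webkit-font-smoothing: antialiased; }
+#content { background:#fff; width:70%; margin:25px auto; padding:40px;}
+#content h3 { font-weight:bold; font-size:200%; margin-bottom:10px;}
+#content table { width:100%;}
+#content table td { border:1px solid #ccc; padding:5px; }
+#content table thead td { background:#efefef; font-weight:bold;}
+#content a { color:#333;}
+ul { margin:15px 0; margin-left:30px; line-height:1.5;}
+ul li { list-style:disc;}
+pre { background:#efefef; padding:10px;}
+p.pp { padding:15px; margin:10px 0; background:#efefef; font-weight:bold; font-size:120%;}
+p { margin:10px 0;}
+.error { background:rgba(255,0,0,0.3); margin:10px 0; padding:10px;}
+.error pre { background:rgba(255,0,0,0.3); margin-top:10px;}
+.error h4 { font-size:120%; font-weight:bold; color:red;}
+textarea { font-family:Courier, monospace;}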
@@ -0,0 +1,25 @@
|
|
1
|
+
%h3 Certificates Issued
|
2
|
+
%table
|
3
|
+
%thead
|
4
|
+
%tr
|
5
|
+
%td Type
|
6
|
+
%td Expiry Date
|
7
|
+
%td Revoke Date
|
8
|
+
%td Serial
|
9
|
+
%td Subject
|
10
|
+
%td
|
11
|
+
%tbody
|
12
|
+
- for cert in @certificates
|
13
|
+
%tr
|
14
|
+
%td= cert[:type]
|
15
|
+
%td= cert[:expiry_date]
|
16
|
+
%td= cert[:revoke_date]
|
17
|
+
%td= cert[:serial]
|
18
|
+
%td= cert[:subject]
|
19
|
+
%td
|
20
|
+
%a{:href => '/certificate/' + cert[:serial]} View
|
21
|
+
%ul
|
22
|
+
%li
|
23
|
+
%a{:href => '/certificate'} View CA Certificate
|
24
|
+
%li
|
25
|
+
%a{:href => '/new'} Upload CSR for Signing
|
@@ -0,0 +1,17 @@
|
|
1
|
+
%h3 Preview CSR
|
2
|
+
%p
|
3
|
+
%a{:href => '/'} Back to certificate list
|
4
|
+
|
5
|
+
%form{:action => '/sign/' + @csr_key, :method => 'post'}
|
6
|
+
- if @output
|
7
|
+
.error
|
8
|
+
%h4 An error occurred:
|
9
|
+
%pre~ @output
|
10
|
+
|
11
|
+
%pre~ @csr_details
|
12
|
+
|
13
|
+
%p.pp
|
14
|
+
Enter the passphrase for the CA to sign this certificate:<br />
|
15
|
+
%input{:type => 'password', :name => 'passphrase'}
|
16
|
+
%input{:type => 'submit', :name => 'go', :value => "Send for signing"}
|
17
|
+
|
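Review bot: `%pre~ @csr_details` (file line 11) and `%pre~ @output` (line 9) render openssl's dump of the uploaded CSR — subject and attribute fields chosen by whoever submitted it — and `~` only HTML-escapes when Haml's `escape_html` option is on, which nothing on this page enables, so a CSR carrying markup in its subject would be rendered as HTML to the CA operator who previews it. Use `%pre&= @csr_details` and `%pre&= @output` (Haml preserves whitespace inside `pre` by default), or enable escaping for every template with `set :haml, :escape_html => true` on the Server class. The same applies to `%td= cert[:subject]` in index.haml if escaping is off, since that subject comes from index.txt.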
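--- a/data/scripts/init-ca.rb
+++ b/data/scripts/init-ca.rb
@@ -0,0 +1,58 @@
+#!/usr/bin/env ruby
+## Initialize a new CA authority root.
+## Usage: init-ca.rb path/to/ca
+
+require 'fileutils'
+
+root = ARGV.last
+
+if root.nil?
+$stderr.puts "Pass the directory to this script to create a CA."
+Process.exit(1)
+end
+
+if File.exist?(root)
+$stderr.puts "A directory already exists at '#{root}'. Please delete this before continuing."
+Process.exit(1)
+end
+begin
+puts "Creating new certificate authority in '#{root}'. Please answer any questions which are asked:"
+
+%w{ certs crl newcerts private }.each do |dir|
+path = File.join(root, dir)
+puts "Creating directory '#{path}'"
+FileUtils.mkdir_p(path)
+end
+
+File.open(File.join(root, 'serial'), 'w') { |f| f.write('01') }
+puts "Set initial serial as 01"
+File.open(File.join(root, 'index.txt'), 'w') { |f| f.write('') }
+puts "Added empty file to use as database"
+
+ca_key_path = File.join(root, 'private', 'ca.key')
+ca_crt_path = File.join(root, 'certs', 'ca.crt')
+
+years = 10
+days = 356 * years
+
+puts "CA Certificate length is #{days} days (#{years} years)"
+system("openssl req -new -x509 -extensions v3_ca -keyout #{ca_key_path} -out #{ca_crt_path} -days #{days}")
+puts "Key & certificates generated"
+
+raise "CA key does not exist at #{ca_key_path}" unless File.exist?(ca_key_path)
+raise "CA crt does not exist at #{ca_crt_path}" unless File.exist?(ca_crt_path)
+
+puts "Setting 0400 permission on #{ca_key_path}"
+FileUtils.chmod(0400, ca_key_path)
+
+source = File.expand_path('../openssl.example.conf', __FILE__)
+FileUtils.cp(source, File.join(root, 'openssl.conf'))
+
+puts
+puts "CA has been setup successfully as #{root}. You can now start the SSL-CA webserver from this"
+puts "directory to manage the CA."
+
+rescue
+puts "An error occured. The CA has been removed from #{root}. Please try again..."
+FileUtils.rm_rf(root)
+end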
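Review bot: `days = 356 * years` (file line 36) makes the ten-year CA certificate expire roughly three months early; it should be `days = 365 * years`. The bare `rescue` on line 55 discards the exception without printing its message and the script then exits with status 0, so a failed run looks successful to anything scripting it; `rescue => e`, report `e.message` on `$stderr`, and `exit 1`. `system` on line 39 passes one string through the shell, so a `root` containing spaces or metacharacters splits the command, and its return value is never checked; the argv form with an explicit failure check below fixes both. The `private` directory is created with the default mode on line 24, so until the chmod on line 46 the key is as readable as the umask allows; `FileUtils.mkdir_p(path, :mode => 0700)` for that directory closes the window.
```ruby
# … unchanged: directory, serial and index.txt creation …
days = 365 * years
# argv form: root is never parsed by a shell, and a failed openssl run is reported at once
unless system('openssl', 'req', '-new', '-x509', '-extensions', 'v3_ca',
              '-keyout', ca_key_path, '-out', ca_crt_path, '-days', days.to_s)
  raise "openssl req failed (exit status #{$?.exitstatus.inspect})"
end
# … unchanged: existence checks, chmod, config copy, success message …
rescue => e
  $stderr.puts "An error occurred: #{e.message}. The CA has been removed from #{root}. Please try again..."
  FileUtils.rm_rf(root)
  exit 1
end
```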
@@ -0,0 +1,313 @@
|
|
1
|
+
#
|
2
|
+
# OpenSSL example configuration file.
|
3
|
+
# This is mostly being used for generation of certificate requests.
|
4
|
+
#
|
5
|
+
|
6
|
+
# This definition stops the following lines choking if HOME isn't
|
7
|
+
# defined.
|
8
|
+
HOME = .
|
9
|
+
RANDFILE = $ENV::HOME/.rnd
|
10
|
+
|
11
|
+
# Extra OBJECT IDENTIFIER info:
|
12
|
+
#oid_file = $ENV::HOME/.oid
|
13
|
+
oid_section = new_oids
|
14
|
+
|
15
|
+
# To use this configuration file with the "-extfile" option of the
|
16
|
+
# "openssl x509" utility, name here the section containing the
|
17
|
+
# X.509v3 extensions to use:
|
18
|
+
# extensions =
|
19
|
+
# (Alternatively, use a configuration file that has only
|
20
|
+
# X.509v3 extensions in its main [= default] section.)
|
21
|
+
|
22
|
+
[ new_oids ]
|
23
|
+
|
24
|
+
# We can add new OIDs in here for use by 'ca' and 'req'.
|
25
|
+
# Add a simple OID like this:
|
26
|
+
# testoid1=1.2.3.4
|
27
|
+
# Or use config file substitution like this:
|
28
|
+
# testoid2=${testoid1}.5.6
|
29
|
+
|
30
|
+
####################################################################
|
31
|
+
[ ca ]
|
32
|
+
default_ca = CA_default # The default ca section
|
33
|
+
|
34
|
+
####################################################################
|
35
|
+
[ CA_default ]
|
36
|
+
|
37
|
+
dir = . # Where everything is kept
|
38
|
+
certs = $dir/certs # Where the issued certs are kept
|
39
|
+
crl_dir = $dir/crl # Where the issued crl are kept
|
40
|
+
database = $dir/index.txt # database index file.
|
41
|
+
#unique_subject = no # Set to 'no' to allow creation of
|
42
|
+
# several ctificates with same subject.
|
43
|
+
new_certs_dir = $dir/newcerts # default place for new certs.
|
44
|
+
|
45
|
+
certificate = $dir/certs/ca.crt # The CA certificate
|
46
|
+
serial = $dir/serial # The current serial number
|
47
|
+
#crlnumber = $dir/crlnumber # the current crl number
|
48
|
+
# must be commented out to leave a V1 CRL
|
49
|
+
crl = $dir/crl.pem # The current CRL
|
50
|
+
private_key = $dir/private/ca.key # The private key
|
51
|
+
RANDFILE = $dir/private/.rand # private random number file
|
52
|
+
|
53
|
+
x509_extensions = usr_cert # The extentions to add to the cert
|
54
|
+
|
55
|
+
# Comment out the following two lines for the "traditional"
|
56
|
+
# (and highly broken) format.
|
57
|
+
name_opt = ca_default # Subject Name options
|
58
|
+
cert_opt = ca_default # Certificate field options
|
59
|
+
|
60
|
+
# Extension copying option: use with caution.
|
61
|
+
# copy_extensions = copy
|
62
|
+
|
63
|
+
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
64
|
+
# so this is commented out by default to leave a V1 CRL.
|
65
|
+
# crlnumber must also be commented out to leave a V1 CRL.
|
66
|
+
# crl_extensions = crl_ext
|
67
|
+
|
68
|
+
default_days = 730 # how long to certify for
|
69
|
+
default_crl_days= 30 # how long before next CRL
|
70
|
+
default_md = sha1 # which md to use.
|
71
|
+
preserve = no # keep passed DN ordering
|
72
|
+
|
73
|
+
# A few difference way of specifying how similar the request should look
|
74
|
+
# For type CA, the listed attributes must be the same, and the optional
|
75
|
+
# and supplied fields are just that :-)
|
76
|
+
policy = policy_match
|
77
|
+
|
78
|
+
# For the CA policy
|
79
|
+
[ policy_match ]
|
80
|
+
countryName = match
|
81
|
+
stateOrProvinceName = match
|
82
|
+
organizationName = match
|
83
|
+
organizationalUnitName = optional
|
84
|
+
commonName = supplied
|
85
|
+
emailAddress = optional
|
86
|
+
|
87
|
+
# For the 'anything' policy
|
88
|
+
# At this point in time, you must list all acceptable 'object'
|
89
|
+
# types.
|
90
|
+
[ policy_anything ]
|
91
|
+
countryName = optional
|
92
|
+
stateOrProvinceName = optional
|
93
|
+
localityName = optional
|
94
|
+
organizationName = optional
|
95
|
+
organizationalUnitName = optional
|
96
|
+
commonName = supplied
|
97
|
+
emailAddress = optional
|
98
|
+
|
99
|
+
####################################################################
|
100
|
+
[ req ]
|
101
|
+
default_bits = 2048
|
102
|
+
default_keyfile = privkey.pem
|
103
|
+
distinguished_name = req_distinguished_name
|
104
|
+
attributes = req_attributes
|
105
|
+
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
106
|
+
|
107
|
+
# Passwords for private keys if not present they will be prompted for
|
108
|
+
# input_password = secret
|
109
|
+
# output_password = secret
|
110
|
+
|
111
|
+
# This sets a mask for permitted string types. There are several options.
|
112
|
+
# default: PrintableString, T61String, BMPString.
|
113
|
+
# pkix : PrintableString, BMPString.
|
114
|
+
# utf8only: only UTF8Strings.
|
115
|
+
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
116
|
+
# MASK:XXXX a literal mask value.
|
117
|
+
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
118
|
+
# so use this option with caution!
|
119
|
+
string_mask = nombstr
|
120
|
+
|
121
|
+
# req_extensions = v3_req # The extensions to add to a certificate request
|
122
|
+
|
123
|
+
[ req_distinguished_name ]
|
124
|
+
countryName = Country Name (2 letter code)
|
125
|
+
countryName_default = AU
|
126
|
+
countryName_min = 2
|
127
|
+
countryName_max = 2
|
128
|
+
|
129
|
+
stateOrProvinceName = State or Province Name (full name)
|
130
|
+
stateOrProvinceName_default = Some-State
|
131
|
+
|
132
|
+
localityName = Locality Name (eg, city)
|
133
|
+
|
134
|
+
0.organizationName = Organization Name (eg, company)
|
135
|
+
0.organizationName_default = Internet Widgits Pty Ltd
|
136
|
+
|
137
|
+
# we can do this but it is not needed normally :-)
|
138
|
+
#1.organizationName = Second Organization Name (eg, company)
|
139
|
+
#1.organizationName_default = World Wide Web Pty Ltd
|
140
|
+
|
141
|
+
organizationalUnitName = Organizational Unit Name (eg, section)
|
142
|
+
#organizationalUnitName_default =
|
143
|
+
|
144
|
+
commonName = Common Name (eg, YOUR name)
|
145
|
+
commonName_max = 64
|
146
|
+
|
147
|
+
emailAddress = Email Address
|
148
|
+
emailAddress_max = 64
|
149
|
+
|
150
|
+
# SET-ex3 = SET extension number 3
|
151
|
+
|
152
|
+
[ req_attributes ]
|
153
|
+
challengePassword = A challenge password
|
154
|
+
challengePassword_min = 4
|
155
|
+
challengePassword_max = 20
|
156
|
+
|
157
|
+
unstructuredName = An optional company name
|
158
|
+
|
159
|
+
[ usr_cert ]
|
160
|
+
|
161
|
+
# These extensions are added when 'ca' signs a request.
|
162
|
+
|
163
|
+
# This goes against PKIX guidelines but some CAs do it and some software
|
164
|
+
# requires this to avoid interpreting an end user certificate as a CA.
|
165
|
+
|
166
|
+
basicConstraints=CA:FALSE
|
167
|
+
|
168
|
+
# Here are some examples of the usage of nsCertType. If it is omitted
|
169
|
+
# the certificate can be used for anything *except* object signing.
|
170
|
+
|
171
|
+
# This is OK for an SSL server.
|
172
|
+
# nsCertType = server
|
173
|
+
|
174
|
+
# For an object signing certificate this would be used.
|
175
|
+
# nsCertType = objsign
|
176
|
+
|
177
|
+
# For normal client use this is typical
|
178
|
+
# nsCertType = client, email
|
179
|
+
|
180
|
+
# and for everything including object signing:
|
181
|
+
# nsCertType = client, email, objsign
|
182
|
+
|
183
|
+
# This is typical in keyUsage for a client certificate.
|
184
|
+
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
185
|
+
|
186
|
+
# This will be displayed in Netscape's comment listbox.
|
187
|
+
nsComment = "OpenSSL Generated Certificate"
|
188
|
+
|
189
|
+
# PKIX recommendations harmless if included in all certificates.
|
190
|
+
subjectKeyIdentifier=hash
|
191
|
+
authorityKeyIdentifier=keyid,issuer
|
192
|
+
|
193
|
+
# This stuff is for subjectAltName and issuerAltname.
|
194
|
+
# Import the email address.
|
195
|
+
# subjectAltName=email:copy
|
196
|
+
# An alternative to produce certificates that aren't
|
197
|
+
# deprecated according to PKIX.
|
198
|
+
# subjectAltName=email:move
|
199
|
+
|
200
|
+
# Copy subject details
|
201
|
+
# issuerAltName=issuer:copy
|
202
|
+
|
203
|
+
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
204
|
+
#nsBaseUrl
|
205
|
+
#nsRevocationUrl
|
206
|
+
#nsRenewalUrl
|
207
|
+
#nsCaPolicyUrl
|
208
|
+
#nsSslServerName
|
209
|
+
|
210
|
+
[ v3_req ]
|
211
|
+
|
212
|
+
# Extensions to add to a certificate request
|
213
|
+
|
214
|
+
basicConstraints = CA:FALSE
|
215
|
+
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
216
|
+
|
217
|
+
[ v3_ca ]
|
218
|
+
|
219
|
+
|
220
|
+
# Extensions for a typical CA
|
221
|
+
|
222
|
+
|
223
|
+
# PKIX recommendation.
|
224
|
+
|
225
|
+
subjectKeyIdentifier=hash
|
226
|
+
|
227
|
+
authorityKeyIdentifier=keyid:always,issuer:always
|
228
|
+
|
229
|
+
# This is what PKIX recommends but some broken software chokes on critical
|
230
|
+
# extensions.
|
231
|
+
#basicConstraints = critical,CA:true
|
232
|
+
# So we do this instead.
|
233
|
+
basicConstraints = CA:true
|
234
|
+
|
235
|
+
# Key usage: this is typical for a CA certificate. However since it will
|
236
|
+
# prevent it being used as an test self-signed certificate it is best
|
237
|
+
# left out by default.
|
238
|
+
# keyUsage = cRLSign, keyCertSign
|
239
|
+
|
240
|
+
# Some might want this also
|
241
|
+
# nsCertType = sslCA, emailCA
|
242
|
+
|
243
|
+
# Include email address in subject alt name: another PKIX recommendation
|
244
|
+
# subjectAltName=email:copy
|
245
|
+
# Copy issuer details
|
246
|
+
# issuerAltName=issuer:copy
|
247
|
+
|
248
|
+
# DER hex encoding of an extension: beware experts only!
|
249
|
+
# obj=DER:02:03
|
250
|
+
# Where 'obj' is a standard or added object
|
251
|
+
# You can even override a supported extension:
|
252
|
+
# basicConstraints= critical, DER:30:03:01:01:FF
|
253
|
+
|
254
|
+
[ crl_ext ]
|
255
|
+
|
256
|
+
# CRL extensions.
|
257
|
+
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
258
|
+
|
259
|
+
# issuerAltName=issuer:copy
|
260
|
+
authorityKeyIdentifier=keyid:always,issuer:always
|
261
|
+
|
262
|
+
[ proxy_cert_ext ]
|
263
|
+
# These extensions should be added when creating a proxy certificate
|
264
|
+
|
265
|
+
# This goes against PKIX guidelines but some CAs do it and some software
|
266
|
+
# requires this to avoid interpreting an end user certificate as a CA.
|
267
|
+
|
268
|
+
basicConstraints=CA:FALSE
|
269
|
+
|
270
|
+
# Here are some examples of the usage of nsCertType. If it is omitted
|
271
|
+
# the certificate can be used for anything *except* object signing.
|
272
|
+
|
273
|
+
# This is OK for an SSL server.
|
274
|
+
# nsCertType = server
|
275
|
+
|
276
|
+
# For an object signing certificate this would be used.
|
277
|
+
# nsCertType = objsign
|
278
|
+
|
279
|
+
# For normal client use this is typical
|
280
|
+
# nsCertType = client, email
|
281
|
+
|
282
|
+
# and for everything including object signing:
|
283
|
+
# nsCertType = client, email, objsign
|
284
|
+
|
285
|
+
# This is typical in keyUsage for a client certificate.
|
286
|
+
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
287
|
+
|
288
|
+
# This will be displayed in Netscape's comment listbox.
|
289
|
+
nsComment = "OpenSSL Generated Certificate"
|
290
|
+
|
291
|
+
# PKIX recommendations harmless if included in all certificates.
|
292
|
+
subjectKeyIdentifier=hash
|
293
|
+
authorityKeyIdentifier=keyid,issuer:always
|
294
|
+
|
295
|
+
# This stuff is for subjectAltName and issuerAltname.
|
296
|
+
# Import the email address.
|
297
|
+
# subjectAltName=email:copy
|
298
|
+
# An alternative to produce certificates that aren't
|
299
|
+
# deprecated according to PKIX.
|
300
|
+
# subjectAltName=email:move
|
301
|
+
|
302
|
+
# Copy subject details
|
303
|
+
# issuerAltName=issuer:copy
|
304
|
+
|
305
|
+
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
306
|
+
#nsBaseUrl
|
307
|
+
#nsRevocationUrl
|
308
|
+
#nsRenewalUrl
|
309
|
+
#nsCaPolicyUrl
|
310
|
+
#nsSslServerName
|
311
|
+
|
312
|
+
# This really needs to be in place for it to be a proxy certificate.
|
313
|
+
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
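Review bot: `default_md = sha1` (file line 70) means every certificate this CA issues is signed with SHA-1, which TLS clients have rejected for years; `default_md = sha256`. `[ usr_cert ]` sets no `keyUsage` or `extendedKeyUsage` (the examples on lines 184 and 172–181 are all commented out), so certificates signed with `policy_anything` by the web interface carry no usage restriction at all; uncommenting at least `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` is the minimum. `[ v3_ca ]` likewise leaves `keyUsage = cRLSign, keyCertSign` commented (line 238); since init-ca.rb selects this section with `-extensions v3_ca`, the CA certificate presumably has no key-usage limit either, though that script does not pass `-config`, so which file it reads is not visible here.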
metadata
ADDED
@@ -0,0 +1,108 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: cert-auth
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
prerelease: false
|
5
|
+
segments:
|
6
|
+
- 1
|
7
|
+
- 0
|
8
|
+
- 0
|
9
|
+
version: 1.0.0
|
10
|
+
platform: ruby
|
11
|
+
authors:
|
12
|
+
- Adam Cooke
|
13
|
+
autorequire:
|
14
|
+
bindir: bin
|
15
|
+
cert_chain: []
|
16
|
+
|
17
|
+
date: 2011-02-13 00:00:00 +00:00
|
18
|
+
default_executable:
|
19
|
+
dependencies:
|
20
|
+
- !ruby/object:Gem::Dependency
|
21
|
+
name: sinatra
|
22
|
+
prerelease: false
|
23
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
24
|
+
requirements:
|
25
|
+
- - ">="
|
26
|
+
- !ruby/object:Gem::Version
|
27
|
+
segments:
|
28
|
+
- 0
|
29
|
+
version: "0"
|
30
|
+
type: :runtime
|
31
|
+
version_requirements: *id001
|
32
|
+
- !ruby/object:Gem::Dependency
|
33
|
+
name: haml
|
34
|
+
prerelease: false
|
35
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
36
|
+
requirements:
|
37
|
+
- - ">="
|
38
|
+
- !ruby/object:Gem::Version
|
39
|
+
segments:
|
40
|
+
- 0
|
41
|
+
version: "0"
|
42
|
+
type: :runtime
|
43
|
+
version_requirements: *id002
|
44
|
+
- !ruby/object:Gem::Dependency
|
45
|
+
name: vegas
|
46
|
+
prerelease: false
|
47
|
+
requirement: &id003 !ruby/object:Gem::Requirement
|
48
|
+
requirements:
|
49
|
+
- - ">="
|
50
|
+
- !ruby/object:Gem::Version
|
51
|
+
segments:
|
52
|
+
- 0
|
53
|
+
version: "0"
|
54
|
+
type: :runtime
|
55
|
+
version_requirements: *id003
|
56
|
+
description:
|
57
|
+
email: adam@atechmedia.com
|
58
|
+
executables:
|
59
|
+
- cert-auth
|
60
|
+
extensions: []
|
61
|
+
|
62
|
+
extra_rdoc_files: []
|
63
|
+
|
64
|
+
files:
|
65
|
+
- lib/cert_auth/server.rb
|
66
|
+
- lib/cert_auth.rb
|
67
|
+
- bin/cert-auth
|
68
|
+
- public/static/style.css
|
69
|
+
- public/views/done.haml
|
70
|
+
- public/views/index.haml
|
71
|
+
- public/views/layout.haml
|
72
|
+
- public/views/new.haml
|
73
|
+
- public/views/preview.haml
|
74
|
+
- public/views/view_certificate.haml
|
75
|
+
- scripts/init-ca.rb
|
76
|
+
- scripts/openssl.example.conf
|
77
|
+
has_rdoc: true
|
78
|
+
homepage: http://atechmedia.com
|
79
|
+
licenses: []
|
80
|
+
|
81
|
+
post_install_message:
|
82
|
+
rdoc_options: []
|
83
|
+
|
84
|
+
require_paths:
|
85
|
+
- lib
|
86
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
87
|
+
requirements:
|
88
|
+
- - ">="
|
89
|
+
- !ruby/object:Gem::Version
|
90
|
+
segments:
|
91
|
+
- 0
|
92
|
+
version: "0"
|
93
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
94
|
+
requirements:
|
95
|
+
- - ">="
|
96
|
+
- !ruby/object:Gem::Version
|
97
|
+
segments:
|
98
|
+
- 0
|
99
|
+
version: "0"
|
100
|
+
requirements: []
|
101
|
+
|
102
|
+
rubyforge_project:
|
103
|
+
rubygems_version: 1.3.6
|
104
|
+
signing_key:
|
105
|
+
specification_version: 3
|
106
|
+
summary: Web Interface for an OpenSSL Certificate Authority
|
107
|
+
test_files: []
|
108
|
+
|