certmaker 0.0.1

data/LICENSE

@@ -0,0 +1,23 @@
+Portions copyright (c) 2011 Declan McGrath
+Portions copyright (c) 2011 ToothSuite
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,66 @@
+# Certmaker: a gem to create and deploy SSL certificates to cloud platforms
+
+### Installation
+    gem install certmaker
+
+### Before you start
+This project is at an early stage. It is 100% usable for people who use Namecheap's Comodo PositiveSSL certs. It is particularly useful for those who then use those certs on Heroku - as this gem does the heavy lifting of bundling in keys, removing passwords and combining intermediate certifiate chains as required by Heroku. If you use something other than this configuration then we'd love to extend the role of this gem so drop us a line and we can work together to try and remove the pain of getting SSL certs setup for your application. It really shouldn't be this difficult. The main motivation behind this gem is to make the process easy to repeat - so that the next time you want to setup an SSL cert you don't have to jump through the hoops of remembering what files to combine and in what order.
+
+### Usage
+The typical usage is to create a private key locally and a CSR
+
+    certmaker create your.secure.domain
+
+You then keep the private key safe and use the CSR to request an SSL cert from your SSL Certificate provider
+
+For some platforms the cert you receive from your SSL Certificate provider is all you need to get going.
+
+For other platforms (eg. heroku) you need to do a little more, such as combining together your key, certifice, intermediate cert chain as well as removing passwords.
+
+For heroku you just save the SSL cert zip in designated directory and run the commands...
+
+    certmaker unpack_namecheap your.secure.domain
+    certmaker heroku_wizard your.secure.domain
+
+... to do all that is necessary (currently we only can vouch for this process working with namecheap.com Comodo PositiveSSL certs as it all we have tested with). This will do the necessary transformations and then prompt you to upload the finished SSL cert to your heroku app.
+
+We also provide the following commands
+
+    certmaker unpack_namecheap your.secure.domain
+    certmaker combine_key your.secure.domain # can take an optional --certfilename parameter
+    certmaker remove_passphrases your.secure.domain
+    certmaker append_chain your.secure.domain
+    certmaker check_chain your.secure.domain
+    certmaker upload_to_heroku your.secure.domain
+
+All your keys, certs and other details are stored under a .certmaker directory in your home directory. You need to have a little understanding of the directory stucture to know where to find things. Each cert you generate will live in its own directory under .certmaker/certs/
+
+For example...
+
+    /home/user/.certmaker/
+    `-- certs
+      `-- www_sample_com_ssl
+          |-- 1_my_key_and_csr
+          |   |-- www.sample.com.csr
+          |   `-- www.sample.com.key
+          |-- 2_ssl_provider_artifacts
+          |   `-- zips
+          |-- 3_key_cert_combo
+          |-- 4_key_cert_nopass
+          |-- 5_key_cert_no_pass_chained
+          `-- config.yml
+
+... your private key and CSR will be under 1_my_key_and_csr
+
+Note: The first time you run a command such as 'certmaker create your.secure.domain' for a new subdomain you will be prompted to create a config.yml file under the individual cert directory. Currently this config file is only used to supply the 'ordered_chain_filenames' setting. This allows you to define the order in which intermediate certs are chained together (yes, this all does sound unnecessarily confusing!).
+
+The 2_ssl_provider_artifacts directory is used to store the cert and other bits send on by your SSL certificate provider after you have successfully applied for a cert (zip files should be stored in the zips folder).
+
+The 3_key_cert_combo is used to store files that combine a private key and a cert. The 4_key_cert_nopass directory transforms the contents of the previous directory so that any password has been remove from the files. This is often required so that cloud servers can automatically restart your app without needing to supply a password. Finally the 5_key_cert_no_pass_chained transforms the files a little more - ultimately it contains the final version of the cert by adding the intermediate chain. So by this stage we should have our SSL cert (with the key combined, any passwords removed and the intermediate chain added). Phew!
+
+###Credits
+Thanks to the following resources which laid the the foundation for this gem
+* [Generating and adding a cert to Heroku](http://blog.dynamic50.com/2011/02/15/ssl-on-wildcard-domains-on-heroku-using-godaddy/)
+* [How to build the intermediate cert chain for a Comodo cert](http://ryan.mcgeary.org/2011/09/16/how-to-add-a-dnsimple-ssl-certificate-to-heroku/)
+* [How to verify a certificate chain file](http://backreference.org/2010/03/06/check-certificate-chain-file/)
+* [How to debug SSL](http://sysadvent.blogspot.com/2010/12/day-3-debugging-ssltls-with-openssl1.html)

data/bin/certmaker

@@ -0,0 +1,339 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'fileutils'
+require 'yaml'
+require 'getoptlong'
+
+PROGRAM_NAME = 'certmaker'
+
+opts = GetoptLong.new(
+    [ "--certfilename",  "-c",   GetoptLong::OPTIONAL_ARGUMENT ],
+    [ "--usage",         "-u",   GetoptLong::NO_ARGUMENT ],
+    [ "--version",       "-v",   GetoptLong::NO_ARGUMENT ]
+)
+
+def latest_documentation_info
+  "Please see https://github.com/theirishpenguin/certmaker\n" +
+  "for the latest instructions."
+end
+
+begin
+    opts.each do |opt, arg|
+        case opt
+            when "--certfilename"
+                 @certfilename = arg
+            when "--usage"
+                 puts "certmake command SUB_DOMAIN [--certfilename=foo.crt]\n\n" +
+                    latest_documentation_info
+                 exit 0
+            when "--version"
+                 puts "certmake v0.0.1"
+                 exit 0
+        end
+    end
+
+rescue
+    raise # TODO: Handle errors
+end
+
+@exe_filepath = File.expand_path(__FILE__)
+@command = ARGV[0]
+
+@commands = ['create', 'unpack_namecheap', 'combine_key', 'remove_passphrases', 'append_chain', 'check_chain', 'upload_to_heroku', 'heroku_wizard'] # 'assemble_chain'
+
+unless @commands.include? @command
+  puts "
+You tried to run an invalid command (#{@command}). Valid commands are:
+
+#{@commands.map{|com| "  #{PROGRAM_NAME} #{com}"}.join("\n")}
+
+#{latest_documentation_info}
+"
+  exit 1
+end
+
+@common_name = ARGV[1]
+
+if @common_name.to_s.empty?
+  puts "Please supply the exact URL you wish to generate the a cert for as a parameter"
+  exit 1
+end
+
+def underscored_name
+  @common_name.gsub('.') {'_'}
+end
+
+def init
+  @dot_dir = "#{ENV['HOME']}/.certmaker"
+  @certificates_dir = "#{@dot_dir}/certs"
+  FileUtils.mkdir_p @certificates_dir
+ 
+  @cert_dir = "#{@certificates_dir}/#{underscored_name}_ssl"
+  FileUtils.mkdir_p @cert_dir
+  FileUtils.cd @cert_dir
+
+  @config_filepath = "#{@cert_dir}/config.yml"
+end
+
+def load_config
+  if File.exist? @config_filepath
+    @config = YAML::load(File.open(@config_filepath))
+  else
+    puts "
+Please create a config file at
+#{@config_filepath}
+
+Here is a sample:
+
+#{sample_config_text}
+    "
+    exit 1
+  end
+end
+
+def sample_config_filepath
+  "#{File.dirname(@exe_filepath)}/../samples/config.yml"
+end
+
+def sample_config_text
+
+"
+# START OF CONFIG FILE
+# ---------------------------------------
+#{File.read(sample_config_filepath).chomp}
+# ---------------------------------------
+# END OF CONFIG FILE
+"
+end
+
+def create_wip_dirs
+  # Each directory is a sequential step in the obtaining of the cert
+  # Note: All directories are important, arguably dir 1 is the most important
+  # as it contains your private key (never lose this!)
+  @dir1 ="#{@cert_dir}/1_my_key_and_csr"
+  @dir2 = "#{@cert_dir}/2_ssl_provider_artifacts"
+  @dir2_zips = "#{@dir2}/zips"
+  @dir3 = "#{@cert_dir}/3_key_cert_combo"
+  @dir4 = "#{@cert_dir}/4_key_cert_nopass"
+  @dir5 = "#{@cert_dir}/5_key_cert_no_pass_chained"
+
+  [@dir1, @dir2_zips, @dir3, @dir4, @dir5].each do |dir|
+    FileUtils.mkdir_p  dir
+  end
+
+end
+
+def private_key_filepath
+  "#{@dir1}/#{@common_name}.key"
+end
+
+def private_key_nopass_filepath
+  "#{@dir4}/#{@common_name}.nopass.key"
+end
+
+def csr_filepath
+  "#{@dir1}/#{@common_name}.csr"
+end
+
+def crt_filepath
+  if @certfilename
+    "#{@dir2}/#{@certfilename}"
+  else
+    "#{@dir2}/#{underscored_name}.crt"
+  end
+end
+
+def key_cert_combo_filepath
+  "#{@dir3}/#{underscored_name}.pem"
+end
+
+def key_cert_combo_nopass_filepath
+  "#{@dir4}/#{underscored_name}.nopass.pem"
+end
+
+def key_cert_combo_nopass_chained_filepath
+  "#{@dir5}/#{underscored_name}_chained.nopass.pem"
+end
+
+def generate_private_key
+  `openssl genrsa -out #{private_key_filepath} 2048`
+end
+
+def generate_csr
+  `openssl req -new -key #{private_key_filepath} -out #{csr_filepath}`
+end
+
+def display_csr_instructions
+  puts "
+Here's an example of values for your csr when asked.
+
+  NB: Don't create a challenge passphrase or any other optional
+  fields when asked.
+
+  Country Name (2 letter code) [AU]:IE
+  State or Province Name (full name) [Some-State]:Leinster
+  Locality Name (eg, city) []:Dublin
+  Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLE CORP LIMITED
+  Organizational Unit Name (eg, section) []:Engineering
+  Common Name (eg, YOUR name) []:www.example.com
+  Email Address []:support@example.com
+
+"
+end
+
+def create
+  generate_private_key
+  display_csr_instructions
+  generate_csr
+  display_make_summary
+end
+
+def continue_prompt
+  puts 'Press any key to continue or Ctrl-C to exit.'
+  dummy = STDIN.gets.chomp
+end
+
+
+def display_make_summary
+  puts "
+A private key (.key file) and a CSR (.csr file) has been generated for you.
+
+The private key file is at
+#{private_key_filepath}
+
+You need to keep the private key safe, as you cannot recover from losing it.
+
+You will now use the CSR to create your certificate, which is at
+#{csr_filepath}
+
+Visit your SSL retailers website and request, renew or reissue a SSL certificate.
+
+You will be asked for a CSR key when applying for a cert. Copy and paste the contents of the CSR file into the SSL cert application form.
+
+Notes on applying for an SSL cert
+* If you are asked to specify your webserver type and you are not sure what to say you can usually choose the most general option available (eg. other).
+* Your SSL Cert retailer will ask you to verify domain ownership of #{@common_name}
+* Your SSL Cert retailer will finally issue you the SSL certs
+* The certs make come in a zip file(s). Files with'_pkcs7' in the name are for Windows servers
+* Often, intermediate cert chains are provided as an extra with your cert. They need to be installed with your cert. The actual cert itself is usual the file with your domain name in it
+
+If you receive zip files of certs, you can download them to #{@dir2_zips} and run the command:
+
+  #{PROGRAM_NAME} unpack_namecheap #{@common_name}
+
+If your certs don't come in a zip file or your prefer to extract them manually before continuing, then you can download them to #{@dir2}
+
+Once unpacked, you now have obtained your certs. Next up you can do any of the following as needed
+
+  #{PROGRAM_NAME} heroku_wizard #{@common_name}
+  #{PROGRAM_NAME} combine_key #{@common_name}
+  #{PROGRAM_NAME} remove_passphrases #{@common_name}
+  #{PROGRAM_NAME} append_chain #{@common_name}
+  #{PROGRAM_NAME} check_chain #{@common_name}
+  #{PROGRAM_NAME} upload_to_heroku #{@common_name}
+
+"
+end
+
+def unpack_namecheap
+  # Pre-requisite
+  if `which unzip`.length == 0
+    puts "Please first install unzip (eg. on Ubuntu use 'sudo apt-get install unzip')"
+    exit 1
+  end
+
+  FileUtils.cd @dir2
+  `unzip -j zips/#{underscored_name}.zip`
+end
+
+
+def combine_private_key_and_cert
+  instruct "Combining your private key with your combined cert"
+
+  `cat #{crt_filepath} #{private_key_filepath} > #{key_cert_combo_filepath}`
+end
+
+def remove_passphrases
+  instruct "Removing passphrase"
+
+  puts `openssl rsa -in #{key_cert_combo_filepath} -out #{key_cert_combo_nopass_filepath}`
+
+  puts `openssl x509 -in #{key_cert_combo_filepath} >> #{key_cert_combo_nopass_filepath}`
+
+  puts `openssl rsa -in #{private_key_filepath} -out #{private_key_nopass_filepath}`
+end
+
+def chain_files_in_order
+  @config['ordered_chain_filenames'].map{ |filename|
+    "#{@dir2}/#{filename}"
+  }.join(' ')
+end
+
+def append_chain
+  instruct "Appending intermediate chain to cert"
+
+  `cat #{key_cert_combo_nopass_filepath} #{chain_files_in_order} > #{key_cert_combo_nopass_chained_filepath}`
+end
+
+def check_chain
+
+  # Pre-requisite
+  if `which perl`.length == 0
+    puts "Please install perl."
+    exit 1
+  end
+
+  instruct "Checking chain. The issuer of the first should be the subject of the second. And so on. Is that how the following output looks"
+
+  puts `perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' #{key_cert_combo_nopass_chained_filepath}`
+end
+
+def upload_to_heroku
+
+  puts "What is your heroku app name?"
+  app_name = STDIN.gets.chomp
+
+  cmd = "heroku ssl:add #{key_cert_combo_nopass_chained_filepath} #{private_key_nopass_filepath} --app #{app_name}"
+
+puts "
+If you want to upload the key certificate to heroku for your app, this will run the command
+
+  #{cmd}
+
+"
+
+  continue_prompt
+
+  puts `#{cmd}`
+end
+
+def instruct(instruction)
+   puts "\n#{instruction}...\n"
+end
+
+init
+load_config
+create_wip_dirs
+case @command
+when 'create'
+  create
+when 'unpack_namecheap'
+  unpack_namecheap
+when 'combine_key'
+  combine_private_key_and_cert
+when 'remove_passphrases'
+  remove_passphrases
+when 'heroku_wizard'
+  combine_private_key_and_cert
+  remove_passphrases
+  append_chain
+  upload_to_heroku
+when 'append_chain'
+  append_chain
+when 'check_chain'
+  check_chain
+when 'upload_to_heroku'
+  upload_to_heroku
+end
+

data/samples/config.yml

@@ -0,0 +1,3 @@
+ordered_chain_filenames: 
+# eg. For Namecheap
+# ordered_chain_filenames: [PositiveSSLCA.crt, UTNAddTrustServerCA.crt, AddTrustExternalCARoot.crt]

metadata

@@ -0,0 +1,57 @@
+--- !ruby/object:Gem::Specification 
+name: certmaker
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Declan McGrath
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-11-18 00:00:00 Z
+dependencies: []
+
+description: Easy way to make SSL Certs suitable for cloud platforms
+email: declan@toothsuite.com
+executables: 
+- certmaker
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- bin/certmaker
+- samples/config.yml
+- LICENSE
+- README.md
+homepage: http://rubygems.org/gems/certmaker
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.7.2
+signing_key: 
+specification_version: 3
+summary: Make SSL Certs suitable for cloud platforms
+test_files: []
+