Making PKCS12 Stores in Ruby (& where's PKCS8)?

I’m fairly new to Ruby, but very comfortable with OpenSSL. I thought it
would be a good learning exercise to “require ‘openssl’” and build

I have an existing Root CA and an Intermediate CA, and I can build
appropriate certificates in Ruby. I’m failing on making a PKCS12.

I want to include a chain, so I build an Array:
chain = [root_ca, ca_ca]

Now I want to build a PKCS12 structure - but, I have two problems:

  1. I have encrypted my private key, and the ‘keyenc’ below is failing as
    not a valid PKey.
    bundle = OpenSSL::PKCS12::create(pass_phrase, “myP12”, keyenc, cert,

So I simplify it and use the non-encrypted key:
bundle = OpenSSL::PKCS12::create(pass_phrase, “”, pkey, cert)

and this can be written out with a “.to_der”, but it isn’t a valid

If I keep it PEM formatted, the whole structure looks like a ruby object
of some sort, not P12.
2) What is wrong with the output? It looks like this:

I tried passing ‘bundle’ into a ::PKCS1::new with (bundle.to_der)- but
it errors.

Also: Where where might one find a roadmap? The support for OpenSSL is
really quite good
in Ruby (ECC, e.g.), but I do need a PKCS#8 function.

I normally hate being this guy, but: my advice is don’t go down this
TLS is terrible. PKI is terrible. OpenSSL is terrible. However, these
things are all somewhat salvageable. The Ruby OpenSSL binding, on the
hand, is frozen into the standard library, a prison from which it will
never escape, and worse, you should probably abandon any plans of your
working on any other Ruby implementation than MRI provided you do get
something fixed.

I’m not doing anything with OpenSSL, but I am curious. If you don’t
recommend somebody going down this path, what’s the options?
Particularly in the case of the OP question where he obviously has done
quite a bit to try to get stuff to work.