OpenSSL signature method == null?

Hi!

I’m using OpenSSL to generate an X.509 certificate used for document
signing using pretty much the following:

require 'openssl'
key = OpenSSL::PKey::RSA.generate(1024)
pub = key.public_key
ca = OpenSSL::X509::Name.parse("/C=US/ST=Here/L=There/O=Where/CN=mycompany.com")
cert = OpenSSL::X509::Certificate.new
cert.version = 2
cert.serial = 1
cert.subject = ca
cert.issuer = ca
cert.public_key = pub
cert.not_before = Time.now - 24*60*60
cert.not_after = Time.now + 5*24*60*60*365
puts cert.to_pem

My problem is that the certificate doesn’t contain a signature
algorithm. If I decode the certificate using
CSR Decoder and Certificate Decoder | CSR Checker | Certificate Checker I see that the certificate has signature
algorithm = NULL. I would expect it to be something like
‘md5WithRSAEncryption’.

Is there any way to get the Ruby OpenSSL library to add this piece of
information?

Thanks in advance.

  • Christian

Christian P. wrote in post #982402:

My problem is that the certificate doesn’t contain a signature
algorithm.

Look at it using openssl x509 and it should be clear:

$ openssl x509 -in ert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: itu-t
Issuer: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
Validity
Not Before: Feb 17 12:08:37 2011 GMT
Not After : Feb 17 12:08:37 2016 GMT
Subject: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:b1:7c:3d:c1:c7:c0:14:f8:7b:d4:4d:c1:80:
0a:0a:5d:fe:d8:3c:c8:29:d0:45:5f:98:68:e7:06:
2b:00:bf:62:09:a0:52:69:c7:c4:04:69:66:54:a5:
05:bc:ac:33:b2:ea:cc:e5:e2:47:89:e6:eb:78:61:
ce:0f:83:5d:00:34:38:eb:d8:23:cd:92:33:04:7f:
e6:8c:04:2a:d4:9c:22:57:3c:92:2d:8d:7c:4b:e5:
ad:33:2b:0c:a9:c5:ed:6b:45:c8:4c:80:11:b1:77:
ca:f4:ec:71:91:31:67:9d:2b:5a:c8:b0:f3:f5:24:
40:e1:f5:ac:89:d0:50:39:c3
Exponent: 65537 (0x10001)
Signature Algorithm: itu-t

The certificate contains no signature at all - you need to (self) sign
it.

Compare it to a regular certificate and you’ll see what I mean.

On Feb 18, 2011, at 4:15 AM, Brian C. wrote:

   Serial Number: 1 (0x1)
               00:c4:b1:7c:3d:c1:c7:c0:14:f8:7b:d4:4d:c1:80:

The certificate contains no signature at all - you need to (self) sign
it.

which would be:

cert.sign key, OpenSSL::Digest::SHA1.new