dubstep
February 18, 2011, 10:24am
Hi!
I’m using OpenSSL to generate an x.509 certificate used for document
signing using pretty much the following:
```ruby
require 'openssl'

key = OpenSSL::PKey::RSA.generate(1024)
pub = key.public_key
ca = OpenSSL::X509::Name.parse("/C=US/ST=Here/L=There/O=Where/CN=mycompany.com")
cert = OpenSSL::X509::Certificate.new
cert.version = 2                                     # X.509 v3
cert.serial = 1
cert.subject = ca
cert.issuer = ca
cert.public_key = pub
cert.not_before = Time.now - 24 * 60 * 60            # one day ago
cert.not_after = Time.now + 5 * 24 * 60 * 60 * 365   # five years from now
puts cert.to_pem
```
My problem is that the certificate doesn’t contain a signature
algorithm. If I decode the certificate using
CSR Decoder and Certificate Decoder | CSR Checker | Certificate Checker I see that the certificate has signature
algorithm = NULL. I would expect it to be something like
‘md5WithRSAEncryption’.
Is there any way to get the Ruby OpenSSL library to add this piece of
information?
Thanks in advance.
Christian P. wrote in post #982402:
My problem is that the certificate doesn’t contain a signature
algorithm.
Look at it using openssl x509 and it should be clear:
```
$ openssl x509 -in ert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: itu-t
        Issuer: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
        Validity
            Not Before: Feb 17 12:08:37 2011 GMT
            Not After : Feb 17 12:08:37 2016 GMT
        Subject: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:b1:7c:3d:c1:c7:c0:14:f8:7b:d4:4d:c1:80:
                    0a:0a:5d:fe:d8:3c:c8:29:d0:45:5f:98:68:e7:06:
                    2b:00:bf:62:09:a0:52:69:c7:c4:04:69:66:54:a5:
                    05:bc:ac:33:b2:ea:cc:e5:e2:47:89:e6:eb:78:61:
                    ce:0f:83:5d:00:34:38:eb:d8:23:cd:92:33:04:7f:
                    e6:8c:04:2a:d4:9c:22:57:3c:92:2d:8d:7c:4b:e5:
                    ad:33:2b:0c:a9:c5:ed:6b:45:c8:4c:80:11:b1:77:
                    ca:f4:ec:71:91:31:67:9d:2b:5a:c8:b0:f3:f5:24:
                    40:e1:f5:ac:89:d0:50:39:c3
                Exponent: 65537 (0x10001)
    Signature Algorithm: itu-t
```
The certificate contains no signature at all - you need to (self) sign
it.
Compare it to a regular certificate and you’ll see what I mean.
On Feb 18, 2011, at 4:15 AM, Brian C. wrote:
The certificate contains no signature at all - you need to (self) sign
it.
which would be:
```ruby
cert.sign key, OpenSSL::Digest::SHA1.new
```