Linux heracles.o2switch.net 4.18.0-553.62.1.lve.el8.x86_64 #1 SMP Mon Jul 21 17:50:35 UTC 2025 x86_64

/opt/alt/ruby21/share/ri/2.1.0/system/OpenSSL/X509/Certificate/

//opt/alt/ruby21/share/ri/2.1.0/system/OpenSSL/X509/Certificate/cdesc-Certificate.ri

U:RDoc::NormalClass[iI"Certificate:ETI"OpenSSL::X509::Certificate;TI"Object;To:RDoc::Markup::Document:@parts[o;;["o:RDoc::Markup::Paragraph;[ I"FImplementation of an X.509 certificate as specified in RFC 5280. ;TI"KProvides access to a certificate's attributes and allows certificates ;TI"Eto be read from a string, but also supports the creation of new ;TI"certificates from scratch.;To:RDoc::Markup::BlankLine�S:RDoc::Markup::Heading: leveli: textI"&Reading a certificate from a file;T@o; ;[I"ECertificate is capable of handling DER-encoded certificates and ;TI"2certificates encoded in OpenSSL's PEM format.;T@o:RDoc::Markup::Verbatim;[I"6raw = File.read "cert.cer" # DER- or PEM-encoded ;TI"6certificate = OpenSSL::X509::Certificate.new raw ;T:@format0S;;i; I"#Saving a certificate to a file;T@o; ;[I"/A certificate may be encoded in DER format;T@o;;[I"cert = ... ;TI"=File.open("cert.cer", "wb") { |f| f.print cert.to_der } ;T;0o; ;[I"or in PEM format;T@o;;[I"cert = ... ;TI"=File.open("cert.pem", "wb") { |f| f.print cert.to_pem } ;T;0o; ;[I"GX.509 certificates are associated with a private/public key pair, ;TI"Ctypically a RSA, DSA or ECC key (see also OpenSSL::PKey::RSA, ;TI"IOpenSSL::PKey::DSA and OpenSSL::PKey::EC), the public key itself is ;TI"Estored within the certificate and can be accessed in form of an ;TI"LOpenSSL::PKey. Certificates are typically used to be able to associate ;TI"Lsome form of identity with a key pair, for example web servers serving ;TI"Npages over HTTPs use certificates to authenticate themselves to the user.;T@o; ;[ I"MThe public key infrastructure (PKI) model relies on trusted certificate ;TI"Iauthorities ("root CAs") that issue these certificates, so that end ;TI"Gusers need to base their trust just on a selected few authorities ;TI"Cthat themselves again vouch for subordinate CAs issuing their ;TI"certificates to end users.;T@o; ;[I"JThe OpenSSL::X509 module provides the tools to set up an independent ;TI"HPKI, similar to scenarios where the 'openssl' command line tool is ;TI"4used for issuing certificates in a private PKI.;T@S;;i; I"ACreating a root CA certificate and an end-entity certificate;T@o; ;[I"JFirst, we need to create a "self-signed" root certificate. To do so, ;TI"Iwe need to generate a key first. Please note that the choice of "1" ;TI"Mas a serial number is considered a security flaw for real certificates. ;TI"ISecure choices are integers in the two-digit byte range and ideally ;TI"Jnot sequential but secure random numbers, steps omitted here to keep ;TI"the example concise.;T@o;;[I"Jroot_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key ;TI".root_ca = OpenSSL::X509::Certificate.new ;TI"Hroot_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate ;TI"root_ca.serial = 1 ;TI"Sroot_ca.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby CA" ;TI"Droot_ca.issuer = root_ca.subject # root CA's are "self-signed" ;TI".root_ca.public_key = root_key.public_key ;TI"#root_ca.not_before = Time.now ;TI"Xroot_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity ;TI".ef = OpenSSL::X509::ExtensionFactory.new ;TI"&ef.subject_certificate = root_ca ;TI"%ef.issuer_certificate = root_ca ;TI"Sroot_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true)) ;TI"Yroot_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true)) ;TI"Uroot_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false)) ;TI"_root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false)) ;TI"9root_ca.sign(root_key, OpenSSL::Digest::SHA256.new) ;T;0o; ;[I"MThe next step is to create the end-entity certificate using the root CA ;TI"certificate.;T@o;;[I"'key = OpenSSL::PKey::RSA.new 2048 ;TI"+cert = OpenSSL::X509::Certificate.new ;TI"cert.version = 2 ;TI"cert.serial = 2 ;TI"Ycert.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby certificate" ;TI";cert.issuer = root_ca.subject # root CA is the issuer ;TI"&cert.public_key = key.public_key ;TI" cert.not_before = Time.now ;TI"Rcert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity ;TI".ef = OpenSSL::X509::ExtensionFactory.new ;TI"#ef.subject_certificate = cert ;TI"%ef.issuer_certificate = root_ca ;TI"Rcert.add_extension(ef.create_extension("keyUsage","digitalSignature", true)) ;TI"Rcert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false)) ;TI"5cert.sign(root_key, OpenSSL::Digest::SHA256.new);T;0: @fileI" ext/openssl/ossl_x509cert.c;T:0@omit_headings_from_table_of_contents_below0;0;0[�[�[�[[I" class;T[[:public[[I"new;TI" ext/openssl/ossl_x509cert.c;T[:protected[�[:private[�[I" instance;T[[;[[I"add_extension;T@
}[I"check_private_key;T@
}[I"extensions;T@
}[I"extensions=;T@
}[I"inspect;T@
}[I"issuer;T@
}[I"issuer=;T@
}[I"not_after;T@
}[I"not_after=;T@
}[I"not_before;T@
}[I"not_before=;T@
}[I"public_key;T@
}[I"public_key=;T@
}[I"serial;T@
}[I"serial=;T@
}[I" sign;T@
}[I"signature_algorithm;T@
}[I"subject;T@
}[I" subject=;T@
}[I"to_der;T@
}[I"to_pem;T@
}[I" to_s;T@
}[I"to_text;T@
}[I"verify;T@
}[I"version;T@
}[I" version=;T@
}[;[�[;[�[�[U:RDoc::Context::Section[i�0o;;[�;0;0[I"#ext/openssl/ossl_ssl_session.c;TI"OpenSSL::X509;TcRDoc::NormalModule