Table of Contents
- Assumptions and Prerequisites
- Creating our Certificate Request
- Code for this Example
- Real World Example
After Heartbleed, I found myself in need of replacing a large number of SSL key pairs, most of which included SAN certificates. Of course, the first thing I did was try to script the process, which resulted in some bashing of my head against my desk as I stumbled through the OpenSSL Ruby library.
But fret not, I’ll try to explain it as best I can, and if you think I’ve made a mistake, I’m sure you will let me know in the comments below!
Assumptions and Prerequisites
I assume you are using a modern Ruby, version 2.1 or greater in this case. Older versions may work, but I have not tested them. Let me know in the comments if you find that another version works or doesn’t.
As for any gems we may need, the only one we pull in is the
Creating our Certificate Request
Including our Requirements
I may be in the minority, but I hate when I do not get the require statements I need as part of the post. Since this is my article I will do future me a favor and provide them here. You’re welcome future me.
Generating the Key Pair
Now we will generate our key pair. As you probably know, we need to provide the public key as part of our request, then use the private key to sign the request. The private key never leaves your side: the CA only ever sees the signed request, so keep the key file locked down from the moment it is generated.
Generate the Request
Next up we will generate our request object. To do that, we first need to create our certificate subject as an
Now, we create our request:
Now that we have our request, we need to set up our extensions and add them to it. This is the critical piece of this post, since our SAN values are one of the extensions we need to add.
To begin, I found the following extensions to be needed for basic SSL server certificates. You may need a different set for your own use case, so check what your CA expects.
Next we add our SAN extension to the request. First we need to format each SAN entry in the form OpenSSL expects (DNS:hostname for names, IP:address for addresses), then we’ll add the joined list to our extension array:
Now we need to convert our array into an OpenSSL attribute (the PKCS#10 extension request attribute, extReq) and add it to our request.
Sign our Request
Finally, the very last thing we do is sign our request after we are done modifying it. The signature covers the subject, the public key and the attributes, so if you do any other work on the request object in your own code, you need to make sure you do it before you get here; anything changed afterwards invalidates the signature and the CA will reject the request.
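Putting the steps above together, here is a complete, runnable version as an added example. It is my own code for this article, not the author's tool, and it goes a little beyond the post in two ways: the SAN formatter distinguishes IP addresses from DNS names, and a second helper decodes the SAN list back out of the finished CSR so you can check what you are about to send to the CA. The helper names, the 2048-bit RSA key size, SHA-256 as the signature digest, and the organization and country values in the subject are all my assumptions; adjust them to your CA's requirements.

```ruby
require 'openssl'
require 'ipaddr'

# Format one SAN entry in the syntax OpenSSL's subjectAltName extension
# expects: IP literals become "IP:...", everything else is a DNS name.
# (Helper name chosen for this example.)
def format_san(entry)
  IPAddr.new(entry)
  "IP:#{entry}"
rescue IPAddr::InvalidAddressError
  "DNS:#{entry}"
end

# Build a CSR carrying a subjectAltName extension. Returns [request, key].
# A fresh RSA key is generated when none is passed (2048 bits assumed here;
# use whatever size your CA policy requires).
def build_san_csr(common_name, sans, key = nil, bits = 2048)
  key ||= OpenSSL::PKey::RSA.new(bits)

  request = OpenSSL::X509::Request.new
  request.version = 0
  # Subject DN. "Example Org" and "US" are made-up example values.
  request.subject = OpenSSL::X509::Name.new([
    ['C',  'US',          OpenSSL::ASN1::PRINTABLESTRING],
    ['O',  'Example Org', OpenSSL::ASN1::UTF8STRING],
    ['CN', common_name,   OpenSSL::ASN1::UTF8STRING]
  ])
  request.public_key = key.public_key

  # Extensions for an ordinary server certificate, plus the SAN list.
  factory = OpenSSL::X509::ExtensionFactory.new
  extensions = [
    factory.create_extension('basicConstraints', 'CA:FALSE', false),
    factory.create_extension('keyUsage', 'digitalSignature,keyEncipherment', false),
    factory.create_extension('extendedKeyUsage', 'serverAuth', false),
    factory.create_extension('subjectAltName', sans.map { |s| format_san(s) }.join(','), false)
  ]

  # PKCS#10 carries extensions inside an "extReq" attribute whose value is
  # a SET holding one SEQUENCE of extensions.
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(extensions)])
  request.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))

  # Sign last: the signature covers subject, key and attributes, so anything
  # changed after this point would invalidate it.
  request.sign(key, OpenSSL::Digest::SHA256.new)
  [request, key]
end

# Decode the SAN entries back out of a CSR, as a CA (or a reviewer) would,
# by walking the ASN.1 rather than trusting a printed summary.
# Returns e.g. ["DNS:www.example.com", "IP:192.0.2.10"].
def csr_sans(request)
  attr = request.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  ext_seq = attr.value.value.first                       # SET -> first SEQUENCE
  extensions = ext_seq.value.map { |e| OpenSSL::X509::Extension.new(e.to_der) }
  san = extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless san
  octets = OpenSSL::ASN1.decode(san.to_der).value.last   # extnValue OCTET STRING
  OpenSSL::ASN1.decode(octets.value).value.map do |name| # GeneralNames
    case name.tag
    when 2 then "DNS:#{name.value}"                      # dNSName [2] IA5String
    when 7 then "IP:#{IPAddr.new_ntoh(name.value)}"      # iPAddress [7] OCTET STRING
    else        "tag#{name.tag}"                         # other GeneralName choices
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  csr, key = build_san_csr('www.example.com', ['www.example.com', 'example.com', '192.0.2.10'])
  puts csr.to_pem
  puts csr_sans(csr).inspect
  puts key.to_pem   # keep this private; the CA never needs it
end
```

Run it as a script to print the PEM-encoded request and the decoded SAN list; `csr.verify(key)` returning true confirms the signature still matches after all attributes were added.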
Code for this Example
Real World Example
Remember how I needed to write a tool in the face of the Heartbleed scramble? Well, you can check out how I used the above code to write a tool that grabs an existing certificate and extracts the information I need to generate a new key/certificate request based on it.