U:RDoc::NormalClass[iI"Certificate:ETI"OpenSSL::X509::Certificate;TI"Object;To:RDoc::Markup::Document:@parts[o;;[ :
@fileI"$ext/openssl/lib/openssl/x509.rb;T:0@omit_headings_from_table_of_contents_below0o;;["o:RDoc::Markup::Paragraph;[	I"FImplementation of an X.509 certificate as specified in RFC 5280. ;TI"KProvides access to a certificate's attributes and allows certificates ;TI"Eto be read from a string, but also supports the creation of new ;TI"certificates from scratch.;To:RDoc::Markup::BlankLine S:RDoc::Markup::Heading:
leveli:	textI"&Reading a certificate from a file;T@o;;[I"ECertificate is capable of handling DER-encoded certificates and ;TI"2certificates encoded in OpenSSL's PEM format.;T@o:RDoc::Markup::Verbatim;[I"6raw = File.read "cert.cer" # DER- or PEM-encoded
;TI"6certificate = OpenSSL::X509::Certificate.new raw
;T:@format0S;;i;I"#Saving a certificate to a file;T@o;;[I"/A certificate may be encoded in DER format;T@o;;[I"cert = ...
;TI"=File.open("cert.cer", "wb") { |f| f.print cert.to_der }
;T;0o;;[I"or in PEM format;T@o;;[I"cert = ...
;TI"=File.open("cert.pem", "wb") { |f| f.print cert.to_pem }
;T;0o;;[I"GX.509 certificates are associated with a private/public key pair, ;TI"Ctypically a RSA, DSA or ECC key (see also OpenSSL::PKey::RSA, ;TI"IOpenSSL::PKey::DSA and OpenSSL::PKey::EC), the public key itself is ;TI"Estored within the certificate and can be accessed in form of an ;TI"LOpenSSL::PKey. Certificates are typically used to be able to associate ;TI"Lsome form of identity with a key pair, for example web servers serving ;TI"Npages over HTTPs use certificates to authenticate themselves to the user.;T@o;;[
I"MThe public key infrastructure (PKI) model relies on trusted certificate ;TI"Iauthorities ("root CAs") that issue these certificates, so that end ;TI"Gusers need to base their trust just on a selected few authorities ;TI"Cthat themselves again vouch for subordinate CAs issuing their ;TI"certificates to end users.;T@o;;[I"JThe OpenSSL::X509 module provides the tools to set up an independent ;TI"HPKI, similar to scenarios where the 'openssl' command line tool is ;TI"4used for issuing certificates in a private PKI.;T@S;;i;I"ACreating a root CA certificate and an end-entity certificate;T@o;;[I"JFirst, we need to create a "self-signed" root certificate. To do so, ;TI"Iwe need to generate a key first. Please note that the choice of "1" ;TI"Mas a serial number is considered a security flaw for real certificates. ;TI"ISecure choices are integers in the two-digit byte range and ideally ;TI"Jnot sequential but secure random numbers, steps omitted here to keep ;TI"the example concise.;T@o;;[I"Jroot_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
;TI".root_ca = OpenSSL::X509::Certificate.new
;TI"Hroot_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
;TI"root_ca.serial = 1
;TI"Sroot_ca.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby CA"
;TI"Droot_ca.issuer = root_ca.subject # root CA's are "self-signed"
;TI".root_ca.public_key = root_key.public_key
;TI"#root_ca.not_before = Time.now
;TI"Xroot_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
;TI".ef = OpenSSL::X509::ExtensionFactory.new
;TI"&ef.subject_certificate = root_ca
;TI"%ef.issuer_certificate = root_ca
;TI"Sroot_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
;TI"Yroot_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
;TI"Uroot_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
;TI"_root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
;TI"9root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
;T;0o;;[I"MThe next step is to create the end-entity certificate using the root CA ;TI"certificate.;T@o;;[I"'key = OpenSSL::PKey::RSA.new 2048
;TI"+cert = OpenSSL::X509::Certificate.new
;TI"cert.version = 2
;TI"cert.serial = 2
;TI"Ycert.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby certificate"
;TI";cert.issuer = root_ca.subject # root CA is the issuer
;TI"&cert.public_key = key.public_key
;TI" cert.not_before = Time.now
;TI"Rcert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity
;TI".ef = OpenSSL::X509::ExtensionFactory.new
;TI"#ef.subject_certificate = cert
;TI"%ef.issuer_certificate = root_ca
;TI"Rcert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
;TI"Rcert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
;TI"5cert.sign(root_key, OpenSSL::Digest::SHA256.new);T;0;	I" ext/openssl/ossl_x509cert.c;T;
0;	0;
0[ [ [ [[I"
class;T[[:public[[I"new;TI" ext/openssl/ossl_x509cert.c;T[:protected[ [:private[ [I"instance;T[[;[ [I"add_extension;T@�[I"check_private_key;T@�[I"extensions;T@�[I"extensions=;T@�[I"inspect;T@�[I"issuer;T@�[I"issuer=;T@�[I"not_after;T@�[I"not_after=;T@�[I"not_before;T@�[I"not_before=;T@�[I"pretty_print;FI"$ext/openssl/lib/openssl/x509.rb;T[I"public_key;T@�[I"public_key=;T@�[I"serial;T@�[I"serial=;T@�[I"	sign;T@�[I"signature_algorithm;T@�[I"subject;T@�[I"subject=;T@�[I"to_der;T@�[I"to_pem;T@�[I"	to_s;T@�[I"to_text;T@�[I"verify;T@�[I"version;T@�[I"version=;T@�[;[ [;[ [ [U:RDoc::Context::Section[i 0o;;[ ;	0;
0[@I" ext/openssl/ossl_x509attr.c;TI"OpenSSL::X509;TcRDoc::NormalModule