Tag Archives: openssl

r509 v0.5

I haven’t talked about r509 here in a while, but since v0.5 just got tagged I thought I’d plug it again. r509 is a Ruby wrapper around the OpenSSL bindings. It’s designed to let you do a wide variety of certificate authority operations (issuance, revocation, CRL generation, OCSP responses, et cetera). There are also some ancillary gems under active development (r509-ca-http, r509-ocsp-responder, r509-validity-redis) which will gain more documentation as those projects progress.

Check it out, file issues, fork, and contribute!

Ruby OpenSSL::X509::Name#to_a Dissection

Over at Viking Hammer, my coworker Sean Schulte has written up a great article dissecting an issue we ran into with the way Ruby’s OpenSSL::X509::Name#to_a currently builds its array. He discusses the problem, the two solutions we came up with, and shares code examples. Go check it out!

r509, Ruby CA

I’ve put a new project up on GitHub. r509 is a CA written in Ruby which aims to put a friendly wrapper around Ruby’s baroque OpenSSL bindings. It’s still in the early stages, but check it out if you’re interested and fork it if you want to help it improve!

OCSP Queries Via OpenSSL

OpenSSL has an OCSP querying facility, the openssl ocsp subcommand, that is useful if you’re testing a responder or just curious how the Online Certificate Status Protocol works. To use it:

openssl ocsp -issuer IssuingCert.txt -cert ServerCert.txt -url http://ocsp.wherever.com -CAfile CAchain.txt

Argument Breakdown

  • -issuer is the certificate of the CA that issued the certificate you want to check (IssuingCert.txt above). This can be a self-signed root or an intermediate, but it must be the direct issuer: the request identifies a certificate by a hash of the issuer’s name, a hash of the issuer’s key, and the serial number.
  • -cert is the certificate you want to check. If you know its serial number and don’t have the certificate file, you can use -serial instead (the issuer is still required).
  • -url is the URL of the OCSP responder for your cert. To find it, parse the certificate (openssl x509 -noout -text): it is the “OCSP - URI:” entry under the Authority Information Access extension.
  • -CAfile is only required if you want to verify the signature on the OCSP response.1 Put the self-signed root plus whatever intermediates are needed for the responder’s signing certificate to chain up to it in that file. (If the responder signs with a certificate that does not chain to your CAfile, -VAfile lets you supply explicitly trusted responder certificates instead.)
  • There are many other optional arguments; openssl ocsp -help lists them.

OCSP Response

Here’s an example response where the certificate has been marked as revoked.

Response verify OK
ServerCert.txt: revoked
This Update: Nov 20 15:43:49 2010 GMT
Next Update: Dec  4 17:43:49 2010 GMT
Reason: unspecified
Revocation Time: Mar 31 21:37:52 2009 GMT

And one for a certificate whose status is good.

Response verify OK
ServerCert.txt: good
This Update: Nov 20 11:20:51 2010 GMT
Next Update: Nov 27 11:20:51 2010 GMT

Instead of a certificate status, a response can carry an error status, in which case there is no signed status to verify at all. Here is the list of OCSPResponseStatus error values from RFC 2560 (since replaced by RFC 6960, which keeps the same values). A normal response has status 0 (successful), which the openssl client does not print; note that “revoked” is a certificate status inside a successful response, not an error.

malformedRequest      (1),  --Illegal confirmation request
internalError         (2),  --Internal error in issuer
tryLater              (3),  --Try again later
                            --(4) is not used
sigRequired           (5),  --Must sign the request
unauthorized          (6)   --Request unauthorized
  1. If you don’t want to verify, use -noverify

Parsing A CRL With OpenSSL

Short and sweet. This command parses a CRL and prints it in text form, including the list of revoked serial numbers with their revocation dates (and reason codes, where the CRL carries them):

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure whether it is DER or PEM, open it with a text editor. If you see -----BEGIN X509 CRL----- then it’s PEM, and if you see strange binary-looking garbage characters it’s DER. Note that openssl crl assumes PEM input by default, so the -inform DER above is not optional for a binary CRL.

OpenSSL and IDN Certificates

As internationalized domain names (IDN) proliferate, more people need to test with, and ultimately purchase, IDN certificates. If you need to generate a CSR or even a self-signed certificate for an internationalized domain, follow these steps:

  1. Take the UTF-8 name and paste it into a punycode converter, which produces the ASCII compatible encoding (ACE) of the name. The conversion is done label by label.
  2. Each label that contains non-ASCII characters comes back as a label starting with “xn--”; plain ASCII labels such as the TLD are unchanged. Copy the entire converted name.
  3. Now run one of these commands.

For CSR generation1:

openssl req -new -nodes -out mycsr.csr -keyout mykey.pem -newkey rsa:2048

For self-signed certificate generation2:

openssl req -new -nodes -x509 -days 3650 -out mycert.cer -keyout mykey.pem -newkey rsa:2048

Either way, follow the prompts and when you reach Common Name paste the ACE name you copied from the punycode converter; the certificate must carry the xn-- form, never the raw UTF-8. Browsers and most other clients match the host name against the subjectAltName extension rather than the Common Name, so the ACE name needs to appear there too: with OpenSSL 1.1.1 or later you can add -addext "subjectAltName=DNS:<your xn-- name>" to either command. Now you can submit your CSR to a certification authority or install the self-signed certificate for testing.

  1. -newkey rsa:2048 generates a new 2048-bit RSA key along with the CSR; -nodes leaves that key file unencrypted, so protect it with file permissions.
  2. -x509 -days 3650 generates a self-signed certificate valid for 10 years.
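As an added example (not from the post), here is the same procedure in Ruby: a punycode encoder per RFC 3492 stands in for the web converter, and the ACE name then goes into a CSR and a self-signed certificate in both the Common Name and a subjectAltName. The host name bücher.example is a constructed input; the NFC normalization and lowercasing before encoding is only an approximation of IDNA’s mapping step (an assumption, stated in the comments), so for real names use a full IDNA implementation. The final helper shows the host-name match a TLS client performs, which is the reason the certificate has to carry the xn-- form.

```ruby
require 'openssl'

PUNY_DIGITS = ('a'..'z').to_a + ('0'..'9').to_a # RFC 3492 base-36 digit set

# Bias adaptation from RFC 3492 section 6.1 (base 36, tmin 1, tmax 26, damp 700, skew 38).
def puny_adapt(delta, numpoints, first)
  delta = first ? delta / 700 : delta / 2
  delta += delta / numpoints
  k = 0
  while delta > 455 # ((base - tmin) * tmax) / 2
    delta /= 35
    k += 36
  end
  k + (36 * delta) / (delta + 38)
end

# Punycode-encode one label (RFC 3492 section 6.3): the step the post has you do in a web
# converter. Full IDNA also runs a mapping step (nameprep / UTS #46) first; the NFC + downcase
# here is only an approximation of it (assumption for this example).
def punycode(label)
  cps = label.unicode_normalize(:nfc).downcase.codepoints
  out = cps.select { |c| c < 128 }.map(&:chr) # basic code points are copied verbatim
  b = h = out.size
  out << '-' if b.positive?
  n, delta, bias = 128, 0, 72
  while h < cps.size
    m = cps.select { |c| c >= n }.min # smallest code point not yet encoded
    delta += (m - n) * (h + 1)
    n = m
    cps.each do |c|
      delta += 1 if c < n
      next unless c == n
      q, k = delta, 36
      loop do # generalized variable-length integer
        t = k <= bias ? 1 : (k >= bias + 26 ? 26 : k - bias)
        break if q < t
        out << PUNY_DIGITS[t + (q - t) % (36 - t)]
        q = (q - t) / (36 - t)
        k += 36
      end
      out << PUNY_DIGITS[q]
      bias = puny_adapt(delta, h + 1, h == b)
      delta = 0
      h += 1
    end
    delta += 1
    n += 1
  end
  out.join
end

# Whole host name, label by label: only labels with non-ASCII characters get the "xn--" prefix.
def to_ace(hostname)
  hostname.split('.').map { |l| l.ascii_only? ? l.downcase : "xn--#{punycode(l)}" }.join('.')
end

# `openssl req -new -newkey rsa:2048`: a fresh key and a CSR carrying the ACE name in the CN
# and, because clients match host names against subjectAltName, in a SAN as well.
def idn_csr(ace_name, key = OpenSSL::PKey::RSA.new(2048))
  req = OpenSSL::X509::Request.new
  req.version    = 0
  req.subject    = OpenSSL::X509::Name.new([['CN', ace_name, OpenSSL::ASN1::UTF8STRING]])
  req.public_key = key.public_key
  san = OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', "DNS:#{ace_name}")
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  req.sign(key, OpenSSL::Digest::SHA256.new)
  [key, req]
end

# `openssl req -new -x509 -days 3650`: the self-signed variant for testing.
def idn_self_signed(ace_name, days = 3650)
  key, req = idn_csr(ace_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, OpenSSL::BN.rand(64)
  cert.subject = cert.issuer = req.subject
  cert.public_key = req.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + days * 86_400
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', "DNS:#{ace_name}"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# The host-name check a TLS client performs: it compares the ACE form, not the UTF-8 name.
def matches_host?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end
```

Run to_ace on the UTF-8 name and feed the result to idn_csr or idn_self_signed; matches_host? then succeeds for the xn-- name and fails for the UTF-8 spelling, which is what a browser connecting to the site would see unless it converts the name first.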