r509 v0.9 is out! This version contains huge new features, bug fixes, and quite a bit of refactoring of the API in preparation for 1.0.

What is r509?

r509 is a Ruby gem built using OpenSSL that is designed to ease management of a public key infrastructure. The r509 API facilitates easy creation of CSRs, signing (and parsing!) of certificates, revocation (CRL/OCSP), and much more. Together with projects like r509-ocsp-responder and r509-ca-http it is intended to be a complete (RFC 3280/5280) certificate authority for use in production environments.

Feature Highlights

A very incomplete list of the extensive changes made from 0.8.1 to 0.9.

  • Feature: Elliptic curve (ECDSA) support! You can now generate ECDSA keys and sign certificates within the normal r509 framework. This support depends on your system having EC support enabled in OpenSSL. Red Hat distributions (Fedora, RHEL, CentOS, etc) have this disabled by default. For more details check out the CSR+key generation and private key generation docs.

  • Feature: Rewrote all extension handling to directly parse the ASN.1 structures.

  • Feature: Added support in the signer and config files for more complex certificate policy data, as well as inhibit any policy, policy constraints, and name constraints extensions.

  • Feature: Support for multiple general name types in extensions. See GeneralName.

  • Feature: Automatically generated getter/setter methods added for all registered OIDs on R509::Subject. (See docs for details)

  • Bug Fix: The r509 command line script now properly self-signs with the specified message digest in interactive mode rather than always using SHA1.

  • Bug Fix: The r509 command line scripts now load using /usr/bin/env to work properly in rvm-based environments.

  • Refactor: The R509::CRL module has been refactored. R509::CRL::Administrator has changed significantly and R509::Crl::Parser has been renamed to R509::CRL::SignedList and gained new methods.

  • Refactor: Class names have been altered to be fully capitalized if they are an acronym.

  • Support Change: Due to limitations in the elliptic curve bindings Ruby 1.8.7 is no longer a supported r509 platform. Please upgrade to 1.9.3+!


Just gem install r509 (and any of the other r509 gems you use) and you’re ready to go! sha1sums for each gem are below if you wish to verify you have an unaltered gem.

If you’d like to contribute, just click the gem name to view the source on GitHub! Contribution and feedback is always welcome.

Gem Name (with GitHub Link) Version sha1sum
r509 0.9 84606ed495d7cf70d7b968c9bd3487f2cb236d49
r509-ocsp-responder 0.3.2 8724fdcfbb7ddb54c9b9b3cd833ddb60f63e627b
r509-ca-http 0.2 a3f1095e529d1cc387934c289f3e4a9778e3d606
r509-middleware-validity 0.2.1 46025f7e4e9f2ff13c735462764a14751adc9812
r509-middleware-certwriter 0.2.1 89d4ca24c3e0191a9c696cc4b367bbf3805128d4
r509-validity-redis 0.4.1 3d8c168a8d12efe706c4cc1d0aa34e34357bf5e8

Ruby CA Tutorial

I’ve updated my how-to on building a CA with r509 to support the new version as well, so if you’re just getting started with r509 check it out!

Future Release Plans

r509 is largely feature complete. The intent is to release 1.0 in a few months when I’m comfortable with long-term support for the existing API. Releases will conform to the principles of semantic versioning.