r509 (Ruby Certificate Authority API) v0.10.0 Released
r509 v0.10.0 is out! Huge improvements and unfortunately several breaking changes (mostly to YAML) to accommodate them.
What is r509?
r509 is a Ruby gem, built on OpenSSL, that simplifies management of a public key infrastructure. The r509 API helps with CSR creation, certificate signing and parsing, revocation (CRL and OCSP), and much more. Together with projects like r509-ocsp-responder and r509-ca-http it forms an RFC 5280 certificate authority suitable for production environments.
Incomplete Feature Highlights
- Feature: You can now define a list of allowed_mds for each certificate profile.
- Refactor: CAProfile is now known as CertProfile.
- Refactor: message_digest in CAConfig renamed to default_md and moved into CertProfile
- Refactor: Moved default_md, ocsp_location, ca_issuers_location, and cdp_location into CertProfile from CAConfig. This changes the YAML.
- Refactor: Substantial changes to the YAML config structure.
- Feature: Extensions can now be directly created via the R509::Cert::Extensions::* classes. These extensions can also generate the YAML required to build them.
- Refactor: R509::CertificateAuthority::Signer refactored to be more generic. Creation of R509::CertificateAuthority::OptionsBuilder to build the options to issue a certificate from a CAConfig+CertProfile.
- Feature: R509::CertificateAuthority::Signer#sign and .selfsign now allow arbitrary extensions to be passed.
- Feature: SubjectItemPolicy now supports "match" in addition to required/optional. This necessitates a YAML/argument change.
- Refactor: R509::CRL::Administrator has been rebuilt to support alternate message digests, CRL signing delegation, and a host of other improvements.
- Feature: R509::CSR.new now allows an R509::ASN1::GeneralNames object for :san_names to allow better control over types.
- Default Change: Subject key identifier and basic constraints are now added to self-signed certificates by default (although this can be overridden).
- Feature: Load OID mappings from YAML with R509::OIDMapper.register_from_yaml
- Feature: last_update/next_update are now configurable when calling R509::CRL::Administrator#generate_crl
- Refactor: :type key in the PrivateKey and CSR constructor now takes a string (RSA/DSA/EC) rather than a symbol. This was done to improve consistency (keys should be symbols, values should be strings).
...and much, much more. View the documentation for further assistance or join #r509 on Freenode IRC.
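The items above map onto a handful of X.509 operations. What follows is an added example, not code from r509 or from this post, that shows the same ideas using only Ruby's standard OpenSSL bindings: a per-profile allowed_mds check that refuses a digest outside the list, a SubjectItemPolicy with required/optional/match rules, a self-signed CA that carries a subject key identifier and basic constraints, CSR signing that accepts arbitrary extra extensions, and a CRL with caller-supplied last_update/next_update. The Profile struct, the function names, and the shapes of the policy and extension arguments are this example's assumptions, not r509's API; the keys, subjects and profile are constructed inline.

```ruby
require "openssl"

# Stand-in for an r509 CertProfile (struct and field names are this example's
# assumptions, not r509's API): default digest, allowed digests, constraints.
Profile = Struct.new(:default_md, :allowed_mds, :basic_constraints, :key_usage)

SERVER_PROFILE = Profile.new("SHA256", %w[SHA256 SHA384 SHA512],
                             "CA:FALSE", "digitalSignature,keyEncipherment")

# Key type is a string (RSA/DSA/EC), matching the new :type convention.
def generate_key(type, bits: 2048)
  case type.to_s.upcase
  when "RSA" then OpenSSL::PKey::RSA.new(bits)
  when "DSA" then OpenSSL::PKey::DSA.new(bits)
  when "EC"  then OpenSSL::PKey::EC.generate("prime256v1")
  else raise ArgumentError, "unknown key type #{type.inspect}"
  end
end

# Enforce allowed_mds: a digest outside the list is refused, never silently
# honoured; no request means the profile's default_md.
def pick_digest(profile, requested = nil)
  md = (requested || profile.default_md).to_s.upcase
  raise ArgumentError, "digest #{md} not in allowed_mds" unless profile.allowed_mds.include?(md)
  OpenSSL::Digest.new(md)
end

# Illustrative SubjectItemPolicy: each element is :required, :optional, or a
# literal value it must match; elements absent from the policy are dropped.
def apply_subject_policy(policy, subject)
  present = subject.to_a.to_h { |key, value, _type| [key, value] }
  kept = policy.map do |key, rule|
    value = present[key]
    raise ArgumentError, "#{key} is required" if rule == :required && value.nil?
    raise ArgumentError, "#{key} must be #{rule.inspect}" if rule.is_a?(String) && value != rule
    [key, value] unless value.nil?
  end
  OpenSSL::X509::Name.new(kept.compact)
end

# Self-signed CA with subject key identifier and basicConstraints CA:TRUE set
# explicitly, the defaults r509 now applies to self-signed certificates.
def build_ca(key, subject, md: "SHA256", days: 3650)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new(md))
end

def build_csr(key, subject, md: "SHA256")
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse(subject)
  csr.public_key = key
  csr.sign(key, OpenSSL::Digest.new(md))
end

# Sign a CSR under a profile; extra extensions are [oid, value, critical] triples.
def sign_csr(ca_cert, ca_key, csr, profile, policy:, extra_extensions: [], md: nil, days: 365)
  raise ArgumentError, "CSR signature does not verify" unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = apply_subject_policy(policy, csr.subject)
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", profile.basic_constraints, true))
  cert.add_extension(ef.create_extension("keyUsage", profile.key_usage, true))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  extra_extensions.each { |oid, value, crit| cert.add_extension(ef.create_extension(oid, value, crit)) }
  cert.sign(ca_key, pick_digest(profile, md))
end

# CRL with caller-supplied last_update/next_update, as generate_crl now allows.
def build_crl(ca_cert, ca_key, revoked_serials, last_update:, next_update:, md: "SHA256")
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = last_update
  crl.next_update = next_update
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = last_update
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new(md))
end
```

Two details are worth noticing. pick_digest refuses a digest outside allowed_mds rather than substituting the default, so a caller cannot quietly obtain a weaker signature than the profile permits. And sign_csr verifies the CSR's own signature before issuing anything, which is the proof that the requester actually holds the private key for the public key being certified.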
Just gem install r509 (and any of the other r509 gems you use) and you're ready to go! The sha1sum of each gem is listed below so you can verify you have an unaltered gem: fetch the .gem file (gem fetch downloads it without installing), run sha1sum on it, and compare against the table before you install.
If you'd like to contribute, just click the gem name to view the source on GitHub! Contribution and feedback is always welcome.
| Gem Name (with GitHub Link) | Version | sha1sum |
| --- | --- | --- |
Ruby CA Tutorial
I've updated my how-to on building a CA with r509 to support the new version as well, so if you're just getting started with r509 check it out!
Future Release Plans
The current intent is to release 0.11 with a few more API changes, then 1.0 in a few months, once I'm comfortable supporting the existing API long-term. From 1.0 on, releases will follow the principles of semantic versioning.