Example of using SSL: CA => CSR => Sign

2025-08-12 07:35:18 +02:00 · 2025-08-12 07:35:18 +02:00 · ca5d4c4b72
commit ca5d4c4b72
parent 78d7233ff3
3 changed files with 96 additions and 2 deletions
--- a/bin/ssl
+++ b/bin/ssl
@ -0,0 +1,93 @@
+#!/usr/bin/env ruby
+
+require "fileutils"
+require "open3"
+
+def cmd(*cmd)
+  stdout, stderr, status = Open3.capture3(*cmd)
+  unless status.success?
+    warn "Command failed: #{cmd.join(' ')}"
+    warn stderr
+    exit status.exitstatus || 1
+  end
+  stdout
+end
+
+subcommand = ARGV.shift&.to_sym
+arg1 = ARGV[0] && ARGV[0] !~ /^-/ ? ARGV.shift : nil
+arg2 = ARGV[0] && ARGV[0] !~ /^-/ ? ARGV.shift : nil
+
+$domains = ["mediacenter.lan"]
+$ips = ["192.168.0.94"]
+
+
+### Setting up for client
+$cn   = $domains.first
+name = $cn.gsub("*", "wildcard") 
+
+dir = "certs"
+FileUtils.mkdir_p(dir)
+$key = File.join(dir, "#{name}.key.pem")
+$csr = File.join(dir, "#{name}.csr.pem")
+$crt = File.join(dir, "#{name}.crt.pem")
+$ext = File.join(dir, "#{name}.ext")
+############################
+
+### Setting up for CA
+
+$ca_name = "My Lab"
+
+#############################
+
+def create_CA
+    cmd "openssl", "genrsa", "-out", "rootCA.key.pem", "4096"
+    cmd "chmod", "600", "rootCA.key.pem"
+    cmd "openssl", "req", "-x509", "-new", "-nodes", "-key",
+               "rootCA.key.pem", "-sha256", "-days", "3650",
+               "-out", "rootCA.crt.pem",
+               "-subj", "/C=XX/ST=Lab/L=Local/O=#{$ca_name}/CN=#{$ca_name} Root CA"
+end
+
+def create_CSR
+    cmd "openssl", "genrsa", "-out", $key, "2048"
+    cmd "openssl", "req", "-new", "-key", $key, "-out", $csr, "-subj", "/CN=#{$cn}/O=#{$ca_name}"
+end
+
+def create_extfile
+    ext_lines = []
+    ext_lines << "basicConstraints=CA:FALSE"
+    ext_lines << "keyUsage=digitalSignature,keyEncipherment"
+    ext_lines << "extendedKeyUsage=serverAuth"
+    ext_lines << "subjectAltName=@alt_names"
+    ext_lines << "[alt_names]"
+
+    $domains.each_with_index do |d, i|
+        ext_lines << "DNS.#{i + 1}=#{d}"
+    end
+
+    $ips.each_with_index do |ip, j|
+        ext_lines << "IP.#{j + 1}=#{ip}"
+    end
+
+    File.write($ext, ext_lines.join("\n") + "\n")
+end
+
+def sign_with_CA
+    cmd "openssl", "x509", "-req", "-in", $csr,
+        "-CA", "rootCA.crt.pem", "-CAkey", "rootCA.key.pem",
+         "-CAcreateserial", "-out", $crt, "-days", "397", "-sha256",
+        "-extfile", $ext
+
+end
+
+case subcommand
+when :ca
+    create_CA
+when :csr
+    create_CSR
+when :casign
+    create_extfile
+    sign_with_CA
+else
+    puts "no command handler"
+end
--- a/bin/vm
+++ b/bin/vm
@ -18,7 +18,8 @@ OptionParser.new do |opt|
  opt.on('--name NAME', 'Virtaul Machine name') do |name| 
    options.name = name
  end
-
+  # new from copy
+  # fetch from the server
 end.parse!


--- a/lib/virtual-machine.rb
+++ b/lib/virtual-machine.rb
@ -28,7 +28,7 @@ module VirtualMachine
        
        Downloader.get(url) do |path|
            disk_img_path = File.join(User.cache_path, "vm", distro.to_s, arch.to_s, options[:name], "root.img")
-            create_disk_image(disk_img_path, 5000)
+            create_disk_image(disk_img_path, 15000)
            
            puts path
            puts disk_img_path