blob: 37b12c7d50fe55597c62bab674503eb99f5573f6 (
plain) (
tree)
|
|
#!/usr/local/lua52/bin/lua
--
-- Example self-signed X.509 certificate generation.
--
-- Skips intermediate CSR object, which is just an antiquated way for
-- specifying subject DN and public key to CAs. See API documentation for
-- CSR generation.
--
local keytype = ...
local openssl = require"openssl"
local pkey = require"openssl.pkey"
local x509 = require"openssl.x509"
local name = require"openssl.x509.name"
local altname = require"openssl.x509.altname"
-- generate our public/private key pair
local function genkey(type)
type = string.upper(type or (not openssl.NO_EC and "EC") or "RSA")
if type == "RSA" then
return pkey.new{ type = "RSA", bits = 1024 }
elseif type == "DSA" then
return pkey.new{ type = "DSA", bits = 1024 }
else
return pkey.new{ type = "EC", curve = "prime192v1" }
end
end
local key = genkey(keytype)
-- our Subject and Issuer DN (self-signed, so same)
local dn = name.new()
dn:add("C", "US")
dn:add("ST", "California")
dn:add("L", "San Francisco")
dn:add("O", "Acme, Inc")
dn:add("CN", "acme.inc")
-- our Alternative Names
local alt = altname.new()
alt:add("DNS", "acme.inc")
alt:add("DNS", "*.acme.inc")
-- build our certificate
local crt = x509.new()
crt:setVersion(3)
crt:setSerial(47)
crt:setSubject(dn)
crt:setIssuer(crt:getSubject())
crt:setSubjectAlt(alt)
local issued, expires = crt:getLifetime()
crt:setLifetime(issued, expires + 60) -- good for 60 seconds
crt:setBasicConstraints{ CA = true, pathLen = 2 }
crt:setBasicConstraintsCritical(true)
crt:setPublicKey(key)
crt:sign(key)
print(crt:text())
|