#!/usr/local/lua52/bin/lua
--
-- Example self-signed X.509 certificate generation.
--
-- Skips the intermediate CSR object, which is just an antiquated way of
-- specifying the subject DN and public key to CAs. See the API documentation
-- for CSR generation.
--

local pkey = require"openssl.pkey"
local x509 = require"openssl.x509"
local name = require"openssl.x509.name"
local altname = require"openssl.x509.altname"

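-- generate our public/private key pair
--
-- Key strength: the original example used prime192v1 (roughly 96-bit
-- security) and offered 1024-bit RSA/DSA as alternatives. All three are
-- below what current guidance accepts for new certificates, and examples
-- tend to be copied verbatim, so the defaults here are a 256-bit curve and
-- 2048-bit moduli instead.
--local key = pkey.new{ type = "RSA", bits = 2048 }
--local key = pkey.new{ type = "DSA", bits = 2048 } -- DSA is legacy; prefer RSA or EC
local key = pkey.new{ type = "EC", curve = "prime256v1" }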

-- Subject DN. The certificate is self-signed, so the same name is reused
-- as the Issuer DN further down. Attributes are added in the listed order.
local dn = name.new()
for _, attr in ipairs{
	{ "C", "US" },
	{ "ST", "California" },
	{ "L", "San Francisco" },
	{ "O", "Acme, Inc" },
	{ "CN", "acme.inc" },
} do
	dn:add(attr[1], attr[2])
end

-- Subject Alternative Names: the bare domain plus a wildcard entry.
local alt = altname.new()
for _, host in ipairs{ "acme.inc", "*.acme.inc" } do
	alt:add("DNS", host)
end

-- build our certificate: start from an empty X.509 object and fill in every
-- field by hand, then self-sign it with the key generated above.
local crt = x509.new()

-- Version 3 is the X.509 version that carries extensions (the alternative
-- names and basic constraints set below).
crt:setVersion(3)
-- NOTE(review): a hard-coded serial is fine for a throwaway example, but an
-- issuer that signs more than one certificate needs unique serials, and
-- common practice is to make them unpredictable as well.
crt:setSerial(47)

crt:setSubject(dn)
-- self-signed: the issuer is read back from the subject just set
crt:setIssuer(crt:getSubject())
crt:setSubjectAlt(alt)

-- Read the validity window the new object starts with and push only its end
-- out by 60 seconds.
-- presumably both values are Unix timestamps in seconds; confirm against the
-- API documentation.
local issued, expires = crt:getLifetime()
crt:setLifetime(issued, expires + 60) -- good for 60 seconds

-- Marks the certificate as a CA allowed up to two levels of subordinate CAs
-- beneath it, and flags the extension critical so verifiers must honour it.
-- NOTE(review): this same certificate also carries DNS names including a
-- wildcard. Anyone who installs it as a trust anchor thereby trusts whatever
-- this key signs; for a certificate that only identifies a server,
-- CA = false is the least-privilege setting.
crt:setBasicConstraints{ CA = true, pathLen = 2 }
crt:setBasicConstraintsCritical(true)

crt:setPublicKey(key)
-- Signed with the private half of the same key, which is what makes it
-- self-signed.
-- NOTE(review): no digest is passed, so the library default applies; confirm
-- it is SHA-256 or stronger for the library version in use.
crt:sign(key)

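-- pretty-print using openssl command-line utility.
--
-- The command line is a fixed literal, so nothing from the certificate or
-- the environment is interpolated into the shell string; only the encoded
-- certificate is written to the child's stdin. The `openssl` binary is
-- resolved through PATH, so run this with a trusted PATH.
--
-- assert() surfaces a failed popen instead of indexing nil, and the explicit
-- close flushes the pipe and waits for openssl to finish printing rather
-- than leaving that to interpreter shutdown.
local pipe = assert(io.popen("openssl x509 -text -noout", "w"))
pipe:write(tostring(crt))
pipe:close()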