问题
I have a Rails application with a public REST API which authenticates API clients using SSL client certificates.
I would like the app to act as a simple CA. Admin users should be able to visit a page on the site and request a new certificate. The application should generate a new SSL cert, signed with the application's private key, and return it in some form to the admin user.
The admin user will then install this cert in client apps. These apps will then be able to use the new cert to access the REST API.
What is the easiest way of implementing this? The only way I know of generating and signing new certs is with the openssl
command line, after configuring openssl
as a CA on the server (e.g. like this). Do I need to do that, and communicate with openssl
using backticks inside Rails? That seems fiddly and fragile.
How should I return the cert to admins? I could just pass them out the cert as a text file to download. I have seen CA web interfaces which allow users to request a cert from a browser, and then install the cert directly into the browser. The admins would then have to export the cert to pass it to the client scripts.
I don't suppose there is any kind of "acts_as_CA
" gem for Rails?
[Note that I already know how to authenticate client requests against my private key. This question specifically relates to issuing new certs.]
回答1:
You might want to take a look at how we’ve done something similar in the past with a tool we call ‘Certificate Depot’.
- Blog article
- GitHub repo
回答2:
You can generate keypair using openssl gem or sshkey.
Pass out the cert as a text file or plain text
回答3:
I have this working now. The OpenSSL lib in Ruby has all the methods you need for CA work, documented here with clear examples: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL.html
I didn't need to set up an OpenSSL CA on the server (as linked in the question above) -- that is for using command line openssl as a CA. Using it from Ruby, you need to manage your own CA cert storage, unique serial numbers etc.
If you want the client certs to be downloadable directly to a browser, offer PCKS12 bundles with a ".p12" file extension. See http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKCS12.html Use a friendly name for the "name" param -- this doesn't affect the DN of your certificate, but it makes it easy to find in the browser's choose key dialog. Don't include your CA cert in the PKCS12 bundle, Windows will ask the users to install your CA as a fully trusted root CA.
来源:https://stackoverflow.com/questions/13028355/sign-new-certificates-in-rails-application