NAME

make-x509-cert.t - Make an RSA X509 certificate using Crypt::OpenSSL::CA

DESCRIPTION

This test walks the reader through using Crypt::OpenSSL::CA to create X509 certificates using real-world cryptographic material: namely, a CA certificate and private key (both PEM-encoded), and either a PKCS#10 or a SPKAC request. The private key is password-protected.

If the VERBOSE environment variable is set, the generated certificates will be shown on standard error during the test run.

TEST DATA

CA private key and certificate

Provided by Crypt::OpenSSL::CA::Test as standards-compliant PEM strings.

Subject DN

The subject DN can be provided literally; simply be careful about the order of the attributes in the DN. Crypt::OpenSSL::CA enjoys full UTF-8 support.

Public Key

The subject public key is taken from a PKCS#10 request whose DN is not the same as the "Subject DN", so as to demonstrate the ability to alter the subject (like the -subj command line switch of /usr/bin/openssl's openssl ca). Also demonstrated are a SPKAC request and an unadorned public key in PEM format.

Certificate Fields and Extensions

We use a rather Christmas-tree set of extensions to demonstrate the possibilities of the API.

The X509 version is always X509v3. The validity period (notBefore and notAfter) can be of arbitrary size, and transition from utcTime to generalizedTime is handled properly. The signature algorithm is RSA and the hash can be set to SHA1 or SHA256. OpenSSL's algorithm for RSA key fingerprints (also known as X509 KeyIDs) is used for the subject and issuer unique identifiers.

CREATING THE CERTIFICATES

We run the CA three times, once for every supported format of public key (PKCS#10, SPKAC and plain-PEM).

CHECKING THE RESULTS

The /usr/bin/openssl command is used to verify the details of the certificate. We also check that the certification chain validates OK. Both are done using "run_thru_openssl" in Crypt::OpenSSL::CA.
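As an added illustration (not the test file itself), this Perl script follows the flow described above for the PKCS#10 case: load the password-protected CA key and certificate, extract only the public key from the request, set the subject DN ourselves, add extensions and the OpenSSL-style key identifiers, sign with SHA-256, and then check the result with the openssl command. The PEM strings are placeholders to be replaced with real material, and method names such as validate_PKCS10, get_openssl_keyid, get_subject_DN and get_public_key are written from the module's documented API as recalled here; check them against the installed version.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::CA;

# Constructed placeholders: in the real test these come from Crypt::OpenSSL::CA::Test.
my $ca_cert_pem = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n";
my $ca_key_pem  = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n-----END ENCRYPTED PRIVATE KEY-----\n";
my $ca_key_pass = "secret";
my $pkcs10_pem  = "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----\n";

# Load the CA material; the private key is password-protected.
my $ca_cert = Crypt::OpenSSL::CA::X509->parse($ca_cert_pem);
my $ca_key  = Crypt::OpenSSL::CA::PrivateKey->parse($ca_key_pem, -password => $ca_key_pass);

# Take only the public key out of the PKCS#10 request; the DN in the
# request is ignored and replaced by the subject DN built below (UTF-8 is fine).
my $pubkey  = Crypt::OpenSSL::CA::PublicKey->validate_PKCS10($pkcs10_pem);
my $subject = Crypt::OpenSSL::CA::X509_NAME->new(C => "FR", O => "Example Org", CN => "\x{c9}mile Example");

my $cert = Crypt::OpenSSL::CA::X509->new($pubkey);   # always X509v3
$cert->set_serial("0x1");
$cert->set_subject_DN($subject);
$cert->set_issuer_DN($ca_cert->get_subject_DN);
$cert->set_notBefore("20240101000000Z");
$cert->set_notAfter("20600101000000Z");                # beyond 2049: encoded as generalizedTime
$cert->set_extension("basicConstraints", "CA:FALSE", -critical => 1);
$cert->set_extension("keyUsage", "digitalSignature, keyEncipherment", -critical => 1);
# OpenSSL-style key fingerprints as subject / authority key identifiers.
$cert->set_extension("subjectKeyIdentifier", $pubkey->get_openssl_keyid);
$cert->set_extension("authorityKeyIdentifier",
                     { keyid => $ca_cert->get_public_key->get_openssl_keyid });

my $cert_pem = $cert->sign($ca_key, "sha256");       # "sha1" is also accepted
print STDERR $cert_pem if $ENV{VERBOSE};

# Check the result with the openssl CLI: dump the fields, then validate the chain.
open(my $fh, ">", "leaf.pem") or die $!; print $fh $cert_pem;    close $fh;
open($fh,    ">", "ca.pem")   or die $!; print $fh $ca_cert_pem; close $fh;
system("openssl", "x509", "-in", "leaf.pem", "-noout", "-text") == 0 or die "openssl x509 failed";
system("openssl", "verify", "-CAfile", "ca.pem", "leaf.pem") == 0  or die "chain does not validate";
```

The SPKAC and plain-PEM variants differ only in how $pubkey is obtained (the module's SPKAC and PEM public-key constructors), not in the signing steps.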