IO::Socket::SSL::Utils -- loading, storing, creating certificates and keys
use IO::Socket::SSL::Utils; my $cert = PEM_file2cert('cert.pem'); my $string = PEM_cert2string($cert); CERT_free($cert); my $key = KEY_create_rsa(2048); PEM_string2file($key); KEY_free($key);
This module provides various utility functions to work with certificates and private keys, shielding some of the complexity of the underlying Net::SSLeay and OpenSSL.
Functions converting between string or file and certificates and keys. They croak if the operation cannot be completed.
- PEM_file2cert(file) -> cert
- PEM_string2cert(string) -> cert
- PEM_cert2string(cert) -> string
- PEM_file2key(file) -> key
- PEM_string2key(string) -> key
- PEM_key2string(key) -> string
Functions for cleaning up. Each loaded or created cert and key must be freed to not leak memory.
KEY_create_rsa(bits) -> key
Creates an RSA key pair, bits defaults to 2048.
CERT_asHash(cert) -> hash
Extracts the information from the certificate into a hash:
The serial number
Certificate version, usually 2 (x509v3)
Hash with the parts of the subject, e.g. commonName, countryName, organizationName, stateOrProvinceName, localityName.
Array with list of alternative names. Each entry in the list is of
typecan be OTHERNAME, EMAIL, DNS, X400, DIRNAME, EDIPARTY, URI, IP or RID.
- not_before, not_after
The time frame, where the certificate is valid, as time_t, e.g. can be converted with localtime or similar functions.
CERT_create(hash) -> (cert,key)
Creates a certificate based on the given hash. If the issuer is not specified the certificate will be self-signed. Additionally to the information described in
CERT_asHashthe following keys can be given:
- CA true|false
if true declare certificate as CA, defaults to false
- key key
use given key as key for certificate, otherwise a new one will be generated and returned
- issuer_cert cert
set issuer for new certificate
- issuer_key key
sign new certificate with given key
- issuer [ cert, key ]
Instead of giving issuer_key and issuer_cert as seperate arguments they can be given both together.
- digest algorithm
specify the algorithm used to sign the certificate, default SHA-256.
If not all necessary information are given some will have usable defaults, e.g.
- not_before defaults to the current time
- not_after defaults to 365 days in the future
- subject has a default pointing to IO::Socket::SSL
- version defaults to 2 (x509v3)
- serial will be a random number