在Rails应用程序中签署新证书 [英] Sign new certificates in Rails application
问题描述
我有一个带有公共REST API的Rails应用程序,它使用SSL客户端证书验证API客户端。
I have a Rails application with a public REST API which authenticates API clients using SSL client certificates.
我希望该应用程序作为一个简单的CA。
管理员应该能够访问网站上的一个页面,并请求一个新的证书。应用程序应生成一个新的SSL证书,使用应用程序的私钥签名,并以某种形式返回给管理员用户。
I would like the app to act as a simple CA. Admin users should be able to visit a page on the site and request a new certificate. The application should generate a new SSL cert, signed with the application's private key, and return it in some form to the admin user.
管理员用户将安装此证书在客户端应用程序。这些应用程序将能够使用新的证书来访问REST API。
The admin user will then install this cert in client apps. These apps will then be able to use the new cert to access the REST API.
最简单的实现方法是什么?我知道生成和签署新证书的唯一方法是使用 openssl 命令行,在将 openssl 配置为CA (例如) )。我需要这样做,并使用Rails中的反引号与 openssl 沟通?这似乎很脆弱和脆弱。
What is the easiest way of implementing this? The only way I know of generating and signing new certs is with the openssl command line, after configuring openssl as a CA on the server (e.g. like this). Do I need to do that, and communicate with openssl using backticks inside Rails? That seems fiddly and fragile.
如何将证书退还给管理员?我可以只是把他们作为文本文件下载的证书。我已经看到了CA Web界面,允许用户从浏览器请求证书,然后直接安装证书到浏览器。管理员然后必须导出证书将其传递给客户端脚本。
How should I return the cert to admins? I could just pass them out the cert as a text file to download. I have seen CA web interfaces which allow users to request a cert from a browser, and then install the cert directly into the browser. The admins would then have to export the cert to pass it to the client scripts.
我不认为有任何种类的 acts_as_CA gem for Rails?
I don't suppose there is any kind of "acts_as_CA" gem for Rails?
[注意,我已经知道如何根据我的私钥来验证客户端请求。 ]
[Note that I already know how to authenticate client requests against my private key. This question specifically relates to issuing new certs.]
推荐答案
我现在已经开始工作了。 Ruby中的OpenSSL库具有CA工作所需的所有方法,这里有清楚的例子: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL.html
I have this working now. The OpenSSL lib in Ruby has all the methods you need for CA work, documented here with clear examples: http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL.html
我不需要在服务器上设置OpenSSL CA(在上面的问题中链接) - 这是使用命令行openssl作为CA。从Ruby使用它,您需要管理自己的CA证书存储,唯一的序列号等。
I didn't need to set up an OpenSSL CA on the server (as linked in the question above) -- that is for using command line openssl as a CA. Using it from Ruby, you need to manage your own CA cert storage, unique serial numbers etc.
如果您希望客户端证书可直接下载到浏览器, PCKS12捆绑包具有.p12文件扩展名。
请参见 http:// www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKCS12.html
为名称参数使用友好名称 - 这不会影响您的证书的DN,但它使它很容易在浏览器的选择键对话框中找到。
不要在PKCS12包中包含您的CA证书,Windows会要求用户将您的CA安装为完全受信任的根CA.
If you want the client certs to be downloadable directly to a browser, offer PCKS12 bundles with a ".p12" file extension. See http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/PKCS12.html Use a friendly name for the "name" param -- this doesn't affect the DN of your certificate, but it makes it easy to find in the browser's choose key dialog. Don't include your CA cert in the PKCS12 bundle, Windows will ask the users to install your CA as a fully trusted root CA.
这篇关于在Rails应用程序中签署新证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
