Ruby on rails open ssl
I am a junior Rails developer.
I have one site with Nginx certificate auth.
To generate a client certificate I run these commands in the shell:
```
openssl genrsa -des3 -out /etc/ssl/ca/certs/users/ivan.key 1024
openssl req -new -key /etc/ssl/ca/certs/users/ivan.key \
  -out /etc/ssl/ca/certs/users/ivan.csr
openssl x509 -req -days 1095 \
  -in /etc/ssl/ca/certs/users/ivan.csr \
  -CA /etc/nginx/ssl/ca/certs/myapp.net.crt \
  -CAkey /etc/nginx/ssl/ca/private/myapp.net.key \
  -CAserial /etc/ssl/ca/serial \
  -CAcreateserial \
  -out /etc/ssl/ca/certs/users/ivan.crt
openssl pkcs12 -export -clcerts \
  -in /etc/ssl/ca/certs/users/ivan.crt \
  -inkey /etc/ssl/ca/certs/users/ivan.key \
  -out /etc/ssl/ca/certs/users/ivan.p12
```
After this I have one .p12 certificate that I can install in my browser and then work with the site.
So I am trying to write an app with RoR to generate these client certificates for our users.
I found that Rails has the OpenSSL gem. I've downloaded myapp.net.key and myapp.net.crt from my server to my local PC and put those files in the vendor folder (only for testing) on my local PC.
Then I wrote this code:
```ruby
# Open server CA .crt and .key
ca = OpenSSL::X509::Certificate.new( File.read("vendor/myapp.net.crt") )
ca_key = OpenSSL::PKey::RSA.new( File.read("vendor/myapp.net.key"), 'PassPhraseForKey' )
# Create key
keypair = OpenSSL::PKey::RSA.new( 1024 )
# Create certificate
req = OpenSSL::X509::Request.new
req.version = 0
req.subject = OpenSSL::X509::Name.parse(
  "/C=IT/ST=Moscow/L=Moscow/O=Test ltd./OU=Test ltd./CN=myapp.net/emailAddress=my@email.net"
)
req.public_key = keypair.public_key
req.sign( keypair, OpenSSL::Digest::SHA1.new )
cert = OpenSSL::X509::Certificate.new
cert.version = 2
cert.serial = rand( 999999 ) # but in the serial file on my server the serial is "D9FD16BA10" - maybe the problem is here?
cert.not_before = Time.now
cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60
cert.public_key = req.public_key
cert.subject = req.subject
cert.issuer = ca.subject
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = ca
cert.sign( ca_key, OpenSSL::Digest::SHA1.new )
# Generate .p12 certificate for browser
File.open('vendor/client.crt', 'w') { |file| file.write(cert) }
p12 = OpenSSL::PKCS12.create("PassPhrase", "test", keypair.public_key, cert)
File.open('vendor/client.p12', 'w') { |file| file.write(p12.certificate) }
```
When my script finishes, I have a client.p12 certificate, but if I try to access the site with this certificate, I get a 400 Bad Request error.
Nginx rejects this certificate.
What am I doing wrong?
Thanks
ruby-on-rails ruby nginx openssl
asked Nov 22 '18 at 9:28 by Boris Kuzevanov
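An added example, not part of the original post: a Ruby counterpart of the `openssl genrsa` / `x509 -req` / `pkcs12 -export` sequence from the question, with a constructed in-memory CA standing in for `myapp.net.crt` and `myapp.net.key`. Unlike the script in the question, it hands the private key to `OpenSSL::PKCS12.create`, returns `to_der` bytes for a binary write, and checks the container against the CA before it is given to a browser; the helper names, subject strings and extension set are assumptions.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for the CA certificate and key that nginx trusts.
def build_demo_ca
  key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse("/O=Example/CN=Example Demo CA")
  ca.public_key = key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = ca.not_before + 3650 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  ca.sign(key, OpenSSL::Digest.new("SHA256"))
  [ca, key]
end

# Issue a client certificate; return the PKCS#12 container (with PRIVATE key) as DER bytes.
def issue_client_p12(ca, ca_key, subject, passphrase)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = SecureRandom.random_number(2**64) + 1 # large random serial, unique per CA
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = ca.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "clientAuth"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  OpenSSL::PKCS12.create(passphrase, "client", key, cert, [ca]).to_der
end

# Pre-flight checks: private key present, key matches cert, cert chains to the CA.
def p12_usable?(der, passphrase, ca)
  p12 = OpenSSL::PKCS12.new(der, passphrase)
  store = OpenSSL::X509::Store.new.add_cert(ca)
  p12.key.private? && p12.certificate.check_private_key(p12.key) && store.verify(p12.certificate)
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = build_demo_ca
  puts p12_usable?(issue_client_p12(ca, ca_key, "/O=Example/CN=ivan", "PassPhrase"), "PassPhrase", ca)
end
```

Write the returned bytes with `File.binwrite("client.p12", der)`, since a PKCS#12 file is binary DER rather than PEM text.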