The X509 certificate store holds trusted CA certificates used to verify peer certificates.

The easiest way to create a useful certificate store is:

cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths

This will use your system’s built-in certificates.

If your system does not have a default set of certificates you can obtain a set extracted from Mozilla CA certificate store by cURL maintainers here: curl.haxx.se/docs/caextract.html (You may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)

After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:

cert_store = OpenSSL::X509::Store.new
cert_store.add_file 'cacert.pem'

The certificate store can be used with an SSLSocket like this:

ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.cert_store = cert_store

tcp_socket = TCPSocket.open 'example.com', 443

ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
Attributes

The callback for additional certificate verification. It is invoked for each untrusted certificate in the chain.

The callback is invoked with two values, a boolean that indicates if the pre-verification by OpenSSL has succeeded or not, and the StoreContext in use. The callback must return either true or false.

Read

The error code set by the last call of verify.

The description for the error code set by the last call of verify.

Read

The certificate chain constructed by the last call of verify.

Class Methods

Creates a new X509::Store.

Instance Methods

Adds the OpenSSL::X509::Certificate cert to the certificate store.

Adds the OpenSSL::X509::CRL crl to the store.

Adds the certificates in file to the certificate store. file is the path to the file, and the file contains one or more certificates in PEM format concatenated together.

Adds path as the hash dir to be looked up by the store.

Sets flags to the Store. flags consists of zero or more of the constants defined in with name V_FLAG_* or’ed together.

Sets the store’s purpose to purpose. If specified, the verifications on the store will check every untrusted certificate’s extensions are consistent with the purpose. The purpose is specified by constants:

  • X509::PURPOSE_SSL_CLIENT

  • X509::PURPOSE_SSL_SERVER

  • X509::PURPOSE_NS_SSL_SERVER

  • X509::PURPOSE_SMIME_SIGN

  • X509::PURPOSE_SMIME_ENCRYPT

  • X509::PURPOSE_CRL_SIGN

  • X509::PURPOSE_ANY

  • X509::PURPOSE_OCSP_HELPER

  • X509::PURPOSE_TIMESTAMP_SIGN

Configures store to look up CA certificates from the system default certificate store as needed basis. The location of the store can usually be determined by:

  • OpenSSL::X509::DEFAULT_CERT_FILE

  • OpenSSL::X509::DEFAULT_CERT_DIR

Sets the time to be used in verifications.

No documentation available

Performs a certificate verification on the OpenSSL::X509::Certificate cert.

chain can be an array of OpenSSL::X509::Certificate that is used to construct the certificate chain.

If a block is given, it overrides the callback set by verify_callback=.

After finishing the verification, the error information can be retrieved by error, error_string, and the resulting complete certificate chain can be retrieved by chain.

General callback for OpenSSL verify