Results for: "Pathname"

Generates a new random private and public key.

See also the OpenSSL documentation for EC_KEY_generate_key()

Example

require "openssl"

ec = OpenSSL::PKey::EC.new("prime256v1")
p ec.private_key # => nil
ec.generate_key!
p ec.private_key # => #<OpenSSL::BN XXXXXX>

Encrypt string with the private key. padding defaults to PKCS1_PADDING, which is known to be insecure but is kept for backwards compatibility. The encrypted string output can be decrypted using public_decrypt.

Deprecated in version 3.0. Consider using PKey::PKey#sign_raw and PKey::PKey#verify_raw, and PKey::PKey#verify_recover instead.

Decrypt string, which has been encrypted with the public key, with the private key. padding defaults to PKCS1_PADDING, which is known to be insecure but is kept for backwards compatibility.

Deprecated in version 3.0. Consider using PKey::PKey#encrypt and PKey::PKey#decrypt instead.

Adds a certificate to the context. pkey must be the private key corresponding to certificate.

Multiple certificates with different public key types can be added by repeated calls of this method, and OpenSSL will choose the most appropriate certificate during the handshake.

cert=, key=, and extra_chain_cert= are old accessor methods for setting the certificate; they call this method internally.

Parameters

certificate

A certificate. An instance of OpenSSL::X509::Certificate.

pkey

The private key for certificate. An instance of OpenSSL::PKey::PKey.

extra_certs

Optional. An array of OpenSSL::X509::Certificate. When sending a certificate chain, the certificates specified by this are sent following certificate, in the order in the array.

Example

rsa_cert = OpenSSL::X509::Certificate.new(...)
rsa_pkey = OpenSSL::PKey.read(...)
ca_intermediate_cert = OpenSSL::X509::Certificate.new(...)
ctx.add_certificate(rsa_cert, rsa_pkey, [ca_intermediate_cert])

ecdsa_cert = ...
ecdsa_pkey = ...
another_ca_cert = ...
ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])

Returns the last Finished message sent.

Creates a new X509::Extension with passed values. See also x509v3_config(5).

Parses the UTF-8 string representation of a distinguished name, according to RFC 2253.

See also to_utf8 for the opposite operation.

Parses the string representation of a distinguished name. Two different forms are supported:

Neither of them is standardized, and both have quirks and inconsistencies in the handling of escaped characters or multi-valued RDNs.

Use of this method is discouraged in new applications. See Name.parse_rfc2253 and to_utf8 for the alternative.

Returns the depth of the chain. This is used in combination with error.

See also the man page X509_STORE_CTX_get_error_depth(3).

Returns a status string for the response.

Adds a certificate status for certificate_id. status is the status, and must be one of these:

reason and revocation_time can be given only when status is OpenSSL::OCSP::V_CERTSTATUS_REVOKED. reason describes the reason for the revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants. revocation_time is the time when the certificate is revoked.

this_update and next_update indicate the time at which the status is verified to be correct and the time at or before which newer information will be available, respectively. next_update is optional.

extensions is an Array of OpenSSL::X509::Extension to be included in the SingleResponse. This is also optional.

Note that the times revocation_time, this_update and next_update can each be specified as either an Integer or a Time object. An Integer is treated as a number of seconds relative to the current time.

Returns the status of the certificate identified by the certid. The return value may be one of these constants:

When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was revoked can be retrieved by revocation_time.

Returns the ln (long name) of the hash algorithm used to generate the issuerNameHash and the issuerKeyHash values.

In cases of failure this field may contain an array of strings further describing the origin of the failure.
