OpenSSL signature method == null?

Hi!

I'm using OpenSSL to generate an X.509 certificate used for document
signing using pretty much the following:

require 'openssl'
key = OpenSSL::PKey::RSA.generate(1024)
pub = key.public_key
ca = OpenSSL::X509::Name.parse("/C=US/ST=Here/L=There/O=Where/CN=mycompany.com")
cert = OpenSSL::X509::Certificate.new
cert.version = 2   # X.509 v3 (the version field is zero-based)
cert.serial = 1
cert.subject = ca
cert.issuer = ca   # issuer is the same name as the subject
cert.public_key = pub
cert.not_before = Time.now - 24*60*60        # valid from one day ago
cert.not_after = Time.now + 5*24*60*60*365   # valid for about five years
puts cert.to_pem

My problem is that the certificate doesn't contain a signature
algorithm. If I decode the certificate using
http://certlogik.com/decoder I see that the certificate has signature
algorithm = NULL. I would expect it to be something like
'md5WithRSAEncryption'.

Is there any way to get the Ruby OpenSSL library to add this piece of
information?

Thanks in advance.

- Christian


--
Posted via http://www.ruby-forum.com/.

Christian P. wrote in post #982402:

My problem is that the certificate doesn't contain a signature
algorithm.

Look at it using openssl x509 and it should be clear:

$ openssl x509 -in ert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: itu-t
        Issuer: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
        Validity
            Not Before: Feb 17 12:08:37 2011 GMT
            Not After : Feb 17 12:08:37 2016 GMT
        Subject: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:b1:7c:3d:c1:c7:c0:14:f8:7b:d4:4d:c1:80:
                    0a:0a:5d:fe:d8:3c:c8:29:d0:45:5f:98:68:e7:06:
                    2b:00:bf:62:09:a0:52:69:c7:c4:04:69:66:54:a5:
                    05:bc:ac:33:b2:ea:cc:e5:e2:47:89:e6:eb:78:61:
                    ce:0f:83:5d:00:34:38:eb:d8:23:cd:92:33:04:7f:
                    e6:8c:04:2a:d4:9c:22:57:3c:92:2d:8d:7c:4b:e5:
                    ad:33:2b:0c:a9:c5:ed:6b:45:c8:4c:80:11:b1:77:
                    ca:f4:ec:71:91:31:67:9d:2b:5a:c8:b0:f3:f5:24:
                    40:e1:f5:ac:89:d0:50:39:c3
                Exponent: 65537 (0x10001)
    Signature Algorithm: itu-t

The certificate contains no signature at all - you need to (self) sign
it.

Compare it to a regular certificate and you'll see what I mean.


which would be:

cert.sign key, OpenSSL::Digest::SHA1.new


On Feb 18, 2011, at 4:15 AM, Brian Candler wrote:

Christian P. wrote in post #982402:

My problem is that the certificate doesn't contain a signature
algorithm.

Look at it using openssl x509 and it should be clear:

$ openssl x509 -in ert.pem -noout -text
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 1 (0x1)
       Signature Algorithm: itu-t
       Issuer: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
       Validity
           Not Before: Feb 17 12:08:37 2011 GMT
           Not After : Feb 17 12:08:37 2016 GMT
       Subject: C=US, ST=Here, L=There, O=Where, CN=mycompany.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:c4:b1:7c:3d:c1:c7:c0:14:f8:7b:d4:4d:c1:80:
                   0a:0a:5d:fe:d8:3c:c8:29:d0:45:5f:98:68:e7:06:
                   2b:00:bf:62:09:a0:52:69:c7:c4:04:69:66:54:a5:
                   05:bc:ac:33:b2:ea:cc:e5:e2:47:89:e6:eb:78:61:
                   ce:0f:83:5d:00:34:38:eb:d8:23:cd:92:33:04:7f:
                   e6:8c:04:2a:d4:9c:22:57:3c:92:2d:8d:7c:4b:e5:
                   ad:33:2b:0c:a9:c5:ed:6b:45:c8:4c:80:11:b1:77:
                   ca:f4:ec:71:91:31:67:9d:2b:5a:c8:b0:f3:f5:24:
                   40:e1:f5:ac:89:d0:50:39:c3
               Exponent: 65537 (0x10001)
   Signature Algorithm: itu-t

The certificate contains no signature at all - you need to (self) sign
it.