When signing a certificate, the issuer field is currently derived from CertificateAuthority::DistinguishedName. The problem is that DistinguishedName will reorder the attributes (and, as you know, the order of these attributes has changed between versions 0.1.6 and 0.2.0).
It is very important that a certificate's issuer field exactly match the actual issuer. So, rather than parse it, I think it would be better to use the parent's subject field directly.
In other words, replace this:
```ruby
class Certificate
  def sign!
    # ...
    openssl_cert.issuer = parent.distinguished_name.to_x509_name
    # ...
  end
end
```
With this:
```ruby
openssl_cert.issuer = parent.openssl_body.subject
```
I am not sure if there is a standard order for attributes or not. Regardless, I think the certificate should probably match the parent, even if the parent has a non-standard DN.
Without some change along these lines, this gem will generate invalid certificates in many cases.
Thanks.
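The failure mode reported above, as an added example using Ruby's OpenSSL bindings directly (this is not code from the report or from the gem). The names, validity window and the helpers `build_cert`, `chain_ok?` and `issuer_order_demo` are assumptions made for illustration, and reversing the attributes stands in for whatever reordering the gem performs.

```ruby
require "openssl"

# Build and sign a certificate; issuer_name is written to the issuer field as given.
def build_cert(subject, key, issuer_name, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer_name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# True when leaf chains to root, using a store that trusts only root.
def chain_ok?(root, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf)
end

def issuer_order_demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  # Constructed sample names, not taken from any real CA.
  root_dn = OpenSSL::X509::Name.parse("/C=US/O=Example Org/CN=Example Root CA")
  leaf_dn = OpenSSL::X509::Name.parse("/C=US/O=Example Org/CN=leaf.example.test")
  root = build_cert(root_dn, root_key, root_dn, root_key, 1, ca: true)

  # Same attributes as the parent's subject, different order (stand-in for a re-parsed DN).
  reordered = OpenSSL::X509::Name.new(root.subject.to_a.reverse)
  rebuilt_issuer = build_cert(leaf_dn, leaf_key, reordered, root_key, 2)
  # The proposed fix: copy the parent's subject unchanged.
  copied_issuer = build_cert(leaf_dn, leaf_key, root.subject, root_key, 3)

  { same_der: reordered.to_der == root.subject.to_der,
    reordered_verifies: chain_ok?(root, rebuilt_issuer),
    copied_verifies: chain_ok?(root, copied_issuer) }
end

p issuer_order_demo if $PROGRAM_NAME == __FILE__
```

Both leaf certificates carry a valid signature from the same key; only the one whose issuer field matches the parent's subject is found during path building, because issuer lookup compares the encoded names and attribute order is part of that encoding.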