Skip to content

create_certs.sh: Unify RSA and ML-DSA-65 SSL cert generation#9678

Open
junaruga wants to merge 2 commits into
ruby:masterfrom
junaruga:wip/refactor-create_certs-sh
Open

create_certs.sh: Unify RSA and ML-DSA-65 SSL cert generation#9678
junaruga wants to merge 2 commits into
ruby:masterfrom
junaruga:wip/refactor-create_certs-sh

Conversation

@junaruga

@junaruga junaruga commented Jul 9, 2026

Copy link
Copy Markdown
Member

Merge create_mldsa65_certs.sh into create_certs.sh, removing duplicated logic
between create_certs.sh and create_mldsa65_certs.sh files.

  • Create create_ssl_certs function with genpkey_args and prefix
    arguments to manage common logic between RSA and ML-DSA-65.
  • Use "openssl genpkey" instead of "openssl genrsa" for RSA key generation.
  • Don't use openssl.cnf any more.
  • Create temporary files under tmp/create_certs/
  • Remove tool/create_mldsa65_certs.sh as its logic is now in
    create_certs.sh

The 1st commit is the refactoring for the create_mldsa65_certs.sh and create_certs.sh.
The 2nd commit is to upgrade SSL/TLS RSA test/rubygems/*.pem files generated by new create_certs.sh.

Note that previous "openssl ca" commands did output human-readable text + PEM format.
With new openssl commands, the human readable texts are removed.
This is not a problem.

test/rubygems/ca_cert.pem
test/rubygems/client.pem
test/rubygems/ssl_cert.pem

Assisted-by: Claude:claude-opus-4-6[1m]

What was the end-user or developer problem that led to this PR?

tool/create_certs.sh and tool/create_mldsa65_certs.sh has duplicated logic for each other. This situation is not convenient when managing the files and adding new algorithms.

What is your fix for the problem, implemented in this PR?

Merged tool/create_mldsa65_certs.sh into tool/create_certs.sh, removing duplicated logic.

Make sure the following tasks are checked

@junaruga junaruga force-pushed the wip/refactor-create_certs-sh branch 2 times, most recently from a385ae8 to bd6c992 Compare July 10, 2026 08:20
junaruga added 2 commits July 10, 2026 09:44
Merge create_mldsa65_certs.sh into create_certs.sh, removing duplicated logic
between create_certs.sh and create_mldsa65_certs.sh files.

* Create create_ssl_certs function with genpkey_args and prefix
  arguments to manage common logic between RSA and ML-DSA-65.
* Use "openssl genpkey" instead of "openssl genrsa" for RSA key generation.
* Don't use openssl.cnf any more.
* Create temporary files under tmp/create_certs/
* Remove tool/create_mldsa65_certs.sh as its logic is now in
  create_certs.sh

Assisted-by: Claude:claude-opus-4-6[1m]
…certs.sh

Note that previous "openssl ca" commands did output human-readable text + PEM
format for the following files. With new openssl commands, the human readable
texts are removed. This is not a problem.

```
test/rubygems/ca_cert.pem
test/rubygems/client.pem
test/rubygems/ssl_cert.pem
```

Assisted-by: Claude:claude-opus-4-6[1m]
@junaruga junaruga force-pushed the wip/refactor-create_certs-sh branch from bd6c992 to 5e98341 Compare July 10, 2026 08:44
@junaruga

junaruga commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

Note that I confirmed that RSA 2048 bits CA/Server/Client certificate and key files by the following openssl commands.

$ openssl x509 -in test/rubygems/ca_cert.pem -noout -text | grep Algorithm
        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
    
$ openssl x509 -in test/rubygems/ssl_cert.pem -noout -text | grep Algorithm
        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption
    
$ openssl x509 -in test/rubygems/client.pem -noout -text | grep Algorithm
        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha256WithRSAEncryption

$ openssl pkey -in test/rubygems/ssl_key.pem -noout -text | head -1
Private-Key: (2048 bit, 2 primes)

@junaruga

Copy link
Copy Markdown
Member Author

@hsbt This PR is ready to be reviewed. Could you review the PR? Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant