I'm looking for a library/module/package with which I could create and sign X.509 certificates, with the ability to conditionally add custom v3 extensions – which can be fairly complicated; for example, this bletchful OpenSSL.cnf snippet used by Kerberos PKINIT, just to represent [email protected]:
[v3_extensions]
subjectAltName = email:[email protected],
otherName:pkinitSan;SEQUENCE:krb_princ_name_1
[krb_princ_name_1]
realm = EXP:0, GeneralString:EXAMPLE.ORG
principal_name = EXP:1, SEQUENCE:krb_princ_seq_1
[krb_princ_seq_1]
name_type = EXP:0, INTEGER:1
name_string = EXP:0, SEQUENCE:krb_principal_1
[krb_principal_1]
princ0 = GeneralString:foo
Out of everything I have found for languages I know (that being Perl, Python, Ruby, PHP, Bash, and some C#), using openssl from command line with automatically generated .cnf files... which is an ugly process. Is there a better way to do it? (Ruby's 'openssl' looked very nice at first, but then I got to PKINIT...)
As it turns out, I added exactly this information to the documentation for Ruby 1.9.3, which was just published today by James Britt - have a look at the documentation for OpenSSL::X509::Certificate, it should answer all your questions.
Modifying the examples there to generate the particular extensions listed in your example should be straightforward if that particular extension is supported by OpenSSL itself.
For more complicated cases, e.g. the custom OtherName in your example, you may still use OpenSSL::X509::Extension, which is not documented yet, unfortunately. The OpenSSL::ASN1 module needed for such custom extensions on the other hand has been documented for 1.9.3, and all the code/advice presented there should be applicable to 1.9.2 as well. You could also use the ASN1 module to create a multi-valued version of subjectAltName.