Type:
Class
The X509 certificate store holds trusted CA certificates used to verify peer certificates.
The easiest way to create a useful certificate store is:
1 2 | cert_store = OpenSSL::X509::Store.newcert_store.set_default_paths |
This will use your system's built-in certificates.
If your system does not have a default set of certificates you can obtain a set from Mozilla here: curl.haxx.se/docs/caextract.html (Note that this set does not have an HTTPS download option so you may wish to use the firefox-db2pem.sh script to extract the certificates from a local install to avoid man-in-the-middle attacks.)
After downloading or generating a cacert.pem from the above link you can create a certificate store from the pem file like this:
1 2 | cert_store = OpenSSL::X509::Store.newcert_store.add_file 'cacert.pem' |
The certificate store can be used with an SSLSocket like this:
1 2 3 4 5 6 | ssl_context = OpenSSL::SSL::SSLContext.newssl_context.cert_store = cert_storetcp_socket = TCPSocket.open 'example.com', 443ssl_socket = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context |