class Localhost::Authority

def certificate
	@certificate ||= OpenSSL::X509::Certificate.new.tap do |certificate|
		certificate.subject = self.name
		# We use the same issuer as the subject, which makes this certificate self-signed:
		certificate.issuer = self.name
		
		certificate.public_key = self.key.public_key
		
		certificate.serial = 1
		certificate.version = 2
		
		certificate.not_before = Time.now
		certificate.not_after = Time.now + (3600 * 24 * 365 * 10)
		
		extension_factory = OpenSSL::X509::ExtensionFactory.new
		extension_factory.subject_certificate = certificate
		extension_factory.issuer_certificate = certificate
		
		certificate.extensions = [
			extension_factory.create_extension("basicConstraints", "CA:FALSE", true),
			extension_factory.create_extension("subjectKeyIdentifier", "hash"),
		]
		
		certificate.add_extension extension_factory.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
		certificate.add_extension extension_factory.create_extension("subjectAltName", "DNS: #{@hostname}")
		
		certificate.sign self.key, OpenSSL::Digest::SHA256.new
	end
end