# File lib/chef/certificate.rb, line 32
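      # Creates the self-signed signing CA certificate and its RSA keypair if
      # either file named by Chef::Config[:signing_ca_cert] /
      # Chef::Config[:signing_ca_key] is missing; does nothing when both exist.
      #
      # The private key is written unencrypted (PEM) and is protected only by
      # its 0600 file mode and, when both :signing_ca_user and
      # :signing_ca_group are configured, by the ownership set below.
      #
      # Returns self.
      # Raises Errno::EEXIST if the key file already exists while the
      # certificate file is missing (an existing key is never overwritten).
      def generate_signing_ca
        ca_cert_file = Chef::Config[:signing_ca_cert]
        ca_keypair_file = Chef::Config[:signing_ca_key]

        # File.exist? instead of File.exists?: the plural form was deprecated
        # and is no longer available on Ruby 3.2+.
        return self if File.exist?(ca_cert_file) && File.exist?(ca_keypair_file)

        Chef::Log.info("Creating new signing certificate")

        [ca_cert_file, ca_keypair_file].each do |f|
          FileUtils.mkdir_p File.dirname(f)
        end

        # 2048-bit modulus: 1024-bit RSA is too weak for a CA key that is
        # valid for ten years.
        keypair = OpenSSL::PKey::RSA.generate(2048)

        ca_cert = OpenSSL::X509::Certificate.new
        ca_cert.version = 3
        ca_cert.serial = 1
        # NOTE(review): the e-mail address is embedded in the CN string rather
        # than added as a separate attribute; kept as-is so the subject DN is
        # unchanged - confirm whether this is intended.
        info = [
          ["C", Chef::Config[:signing_ca_country]],
          ["ST", Chef::Config[:signing_ca_state]],
          ["L", Chef::Config[:signing_ca_location]],
          ["O", Chef::Config[:signing_ca_org]],
          ["OU", "Certificate Service"],
          ["CN", "#{Chef::Config[:signing_ca_domain]}/emailAddress=#{Chef::Config[:signing_ca_email]}"]
        ]
        # Self-signed root: subject and issuer are the same name.
        ca_cert.subject = ca_cert.issuer = OpenSSL::X509::Name.new(info)
        now = Time.now
        ca_cert.not_before = now
        ca_cert.not_after = now + 10 * 365 * 24 * 60 * 60 # 10 years
        ca_cert.public_key = keypair.public_key

        ef = OpenSSL::X509::ExtensionFactory.new
        ef.subject_certificate = ca_cert
        ef.issuer_certificate = ca_cert
        ca_cert.extensions = [
          ef.create_extension("basicConstraints", "CA:TRUE", true),
          ef.create_extension("subjectKeyIdentifier", "hash"),
          ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
        ]
        # Added after the list above so the subjectKeyIdentifier is already
        # present on the (self-)issuer certificate when the authority key
        # identifier is derived from it.
        ca_cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
        # SHA-256 instead of SHA-1: SHA-1 is no longer collision resistant and
        # should not be used for certificate signatures.
        ca_cert.sign keypair, OpenSSL::Digest::SHA256.new

        # Write the key first. The exclusive create fails with Errno::EEXIST
        # when a key is already on disk, and doing it before the certificate
        # is written keeps that failure from leaving behind a certificate that
        # does not match the existing key.
        File.open(ca_keypair_file, File::WRONLY | File::EXCL | File::CREAT, 0600) { |f| f.write keypair.to_pem }
        File.open(ca_cert_file, "w") { |f| f.write ca_cert.to_pem }
        if Chef::Config[:signing_ca_user] && Chef::Config[:signing_ca_group]
          FileUtils.chown(Chef::Config[:signing_ca_user], Chef::Config[:signing_ca_group], ca_keypair_file)
        end
        self
      end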