# File lib/hiera/backend/eyaml/encryptors/pkcs7.rb, line 55
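          # Generates the key material eyaml's PKCS7 encryptor works with: a
          # 2048-bit RSA private key and a self-signed X.509 certificate that
          # carries the matching public key.
          #
          # Roughly the equivalent of:
          #   openssl req -x509 -nodes -days 100000 -newkey rsa:2048 \
          #     -keyout privatekey.pem -out publickey.pem -subj '/'
          #
          # Both output paths are read from the :public_key and :private_key
          # options. The private key is serialised as unencrypted PEM (no
          # passphrase), so the file mode and the directory permissions are
          # the only protection it has on disk.
          #
          # Prints "Keys created OK" on success; errors raised by OpenSSL or
          # the Utils helpers are not rescued here.
          def self.create_keys
            public_key = self.option :public_key
            private_key = self.option :private_key

            key = OpenSSL::PKey::RSA.new(2048)
            Utils.ensure_key_dir_exists private_key
            # Mode 0600 is requested for the private key file.
            # NOTE(review): whether the file is created with that mode atomically
            # (rather than chmod-ed after the write) depends on
            # Utils.write_important_file, which is not visible here; confirm.
            Utils.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600

            # "/" parses to an empty distinguished name, matching -subj '/'.
            # Assigning it to both subject and issuer makes the self-signed
            # intent explicit instead of leaving the parsed name unused.
            name = OpenSSL::X509::Name.parse("/")
            # Take the clock once so both validity bounds share one reference.
            now = Time.now

            cert = OpenSSL::X509::Certificate.new()
            cert.subject = name
            cert.issuer = name
            # NOTE(review): RFC 5280 asks for a positive serial number; 0 is kept
            # so newly generated certificates stay comparable with existing
            # ones, but strict X.509 parsers may object.
            cert.serial = 0
            cert.version = 2
            cert.not_before = now
            cert.not_after = if 1.size == 8       # 64bit
              now + 50 * 365 * 24 * 60 * 60
            else                                  # 32bit
              Time.at(0x7fffffff)
            end
            cert.public_key = key.public_key

            ef = OpenSSL::X509::ExtensionFactory.new
            ef.subject_certificate = cert
            ef.issuer_certificate = cert
            cert.extensions = [
              ef.create_extension("basicConstraints","CA:TRUE", true),
              ef.create_extension("subjectKeyIdentifier", "hash"),
            ]
            cert.add_extension ef.create_extension("authorityKeyIdentifier",
                                                   "keyid:always,issuer:always")

            # Sign with SHA-256 rather than SHA-1: SHA-1 is deprecated for
            # certificate signatures, and OpenSSL builds with a stricter
            # security policy can refuse to create or load SHA-1-signed
            # certificates.
            cert.sign key, OpenSSL::Digest::SHA256.new

            Utils.ensure_key_dir_exists public_key
            Utils.write_important_file :filename => public_key, :content => cert.to_pem
            puts "Keys created OK"

          end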