#!/usr/bin/python
# -*- coding: utf-8 -*-
'''
python_pyopenssl_certificates.py
Generates a self-signed CA certificate and CA-signed X.509 server certificates
- Needs PyOpenSSL (pip install PyOpenSSL)
- Inspired by https://gist.github.com/eskil/2338529
- https://www.programcreek.com/python/example/83358/OpenSSL.crypto.X509Extension
@author: Luis Martin Gil
@contact: [email protected]
https://github.com/luismartingil
www.luismartingil.com
'''
import ipaddress
import os
import random
from time import gmtime, mktime

from OpenSSL import crypto, SSL
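# RSA modulus size in bits (the name is historical). 1024-bit RSA is below the
# current minimum: OpenSSL at security level 2 -- the default on current
# Debian/Ubuntu and RHEL builds -- refuses such keys in a TLS handshake, so
# 2048 is the smallest size that is useful today.
BYTES=2048
TIME_UNIT=24 * 60 * 60          # seconds per day, the unit gmtime_adj_* expects
HASH_ALGORITHM='sha256'         # signature digest; sha1 is rejected by modern clients
# Default X.509 serial. RFC 5280 4.1.2.2 requires a serial to be positive and
# unique per issuer, so never reuse one value across certificates signed by the
# same CA key: clients that cache certificates (Firefox, for one) reject the
# second certificate they see with a known issuer/serial pair.
SERIAL_NUMBER=1000
VALID_DAYS_BEFORE=5 # Valid starting X days ago (helps when immediately validating)
# Valid until now + X number of years. NOTE: browsers cap publicly-trusted TLS
# leaf certificates at 398 days; a private CA is not bound by that, but a
# long-lived leaf widens the window in which a stolen key stays useful.
VALID_YEARS_AFTER=10
EXT_CERT='crt'                  # file extension for PEM certificates
EXT_KEY='key'                   # file extension for PEM private keys
# Subject fields shared by the CA and every certificate it issues; only the
# commonName (CN) varies per certificate.
CA_C="ES" # countryName
CA_ST='Madrid' # stateOrProvinceName
CA_L='Madrid' # localityName
CA_O='ca.sipplauncher' # organizationName
CA_OU='ca.sipplauncher' # organizationalUnitName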
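class CAOpenSSL(object):
    """Minimal private CA: one self-signed root plus CA-signed server certs.

    ``create_ca_cert`` must be called before ``create_server_cert``. The
    root certificate and key are kept on the instance, and every certificate
    produced is written as PEM into the current working directory.
    """
    ca_cert = None   # crypto.X509 of the root, set by create_ca_cert
    ca_key = None    # crypto.PKey of the root, set by create_ca_cert

    # RFC 5280 wants a serial that is positive, unique per issuer and at most
    # 20 octets long. 159 random bits keep the DER sign bit clear, so the
    # encoding never exceeds 20 bytes, and collisions are not a concern.
    _SERIAL_BITS = 159

    @staticmethod
    def _new_serial():
        """Return a fresh CSPRNG-drawn serial number (never 0)."""
        return random.SystemRandom().getrandbits(CAOpenSSL._SERIAL_BITS) or 1

    @staticmethod
    def _san_for(cn):
        """Return the subjectAltName value for *cn* as bytes.

        Modern TLS clients ignore the commonName and match the host against
        subjectAltName only, so an IP literal is emitted as ``IP:`` and
        anything else as ``DNS:``.

        Raises:
            UnicodeEncodeError: if *cn* is not ASCII (SAN entries are
                IA5String; use punycode for internationalised names).
        """
        try:
            ipaddress.ip_address(cn)
        except ValueError:
            kind = 'DNS'
        else:
            kind = 'IP'
        return '{0}:{1}'.format(kind, cn).encode('ascii')

    @staticmethod
    def _new_cert_key_pair(cn):
        """Build an unsigned v3 certificate for *cn* plus a fresh RSA key.

        The caller attaches extensions and then signs. A signature only
        covers what is in the TBSCertificate when ``sign`` runs, so
        extensions added after signing are not protected by it -- which is
        why nothing is signed here.
        """
        key = crypto.PKey()
        key.generate_key(crypto.TYPE_RSA, BYTES)

        cert = crypto.X509()
        cert.set_version(2)  # zero-based: X.509 v3, the only version that allows extensions
        subject = cert.get_subject()
        subject.C = CA_C
        subject.ST = CA_ST
        subject.L = CA_L
        subject.O = CA_O
        subject.OU = CA_OU
        subject.CN = cn
        cert.set_serial_number(CAOpenSSL._new_serial())
        # Back-date notBefore so a certificate used right away is not
        # rejected by a peer whose clock runs slightly behind.
        cert.gmtime_adj_notBefore(- TIME_UNIT * VALID_DAYS_BEFORE)
        cert.gmtime_adj_notAfter(TIME_UNIT * 365 * VALID_YEARS_AFTER)
        cert.set_issuer(subject)
        cert.set_pubkey(key)
        return cert, key

    @staticmethod
    def _create_cert_key_pair(cn):
        """Generate a self-signed certificate and key for *cn*.

        Kept for external callers of the original API; the CA itself builds
        its certificates unsigned and signs them exactly once.
        """
        cert, key = CAOpenSSL._new_cert_key_pair(cn)
        cert.sign(key, HASH_ALGORITHM)
        return cert, key

    @staticmethod
    def _write_private(path, data):
        """Write *data* to *path* readable by the owner only.

        The file is created with mode 0600 rather than chmod'ed afterwards,
        so there is no window in which the key is readable by other users.
        A pre-existing file is removed first because O_TRUNC would keep its
        old (possibly world-readable) mode.
        """
        try:
            os.remove(path)
        except OSError:
            pass  # nothing to replace
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'wb') as fh:
            fh.write(data)

    @staticmethod
    def _write_cert_key_pair(cert, key, cn, prefix):
        """Write ``<prefix>-<cn>.crt`` and ``<prefix>-<cn>.key`` (PEM) to the cwd.

        The certificate is public and written with the default mode; the
        private key goes through ``_write_private`` so it is never left
        world-readable by the umask.
        """
        cert_filename = '{0}-{1}.{2}'.format(prefix, cn, EXT_CERT)
        key_filename = '{0}-{1}.{2}'.format(prefix, cn, EXT_KEY)
        with open(cert_filename, "wb") as fh:
            fh.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
        print('Saved cert file: "{0}"'.format(cert_filename))
        CAOpenSSL._write_private(key_filename, crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
        print('Saved key file: "{0}"'.format(key_filename))

    def create_ca_cert(self, cn, prefix='rootCA'):
        """Create the self-signed root for this CA and write it to disk.

        Extensions are attached before signing so the signature covers them.
        The root is marked ``CA:TRUE`` and its key usage is limited to
        signing certificates and CRLs.
        """
        cert, key = CAOpenSSL._new_cert_key_pair(cn)
        cert.add_extensions([
            crypto.X509Extension(b'basicConstraints', True, b'CA:TRUE'),
            crypto.X509Extension(b'keyUsage', True, b'keyCertSign, cRLSign'),
            crypto.X509Extension(b'subjectKeyIdentifier', False, b'hash', subject=cert),
        ])
        cert.sign(key, HASH_ALGORITHM)
        self.ca_cert, self.ca_key = cert, key
        CAOpenSSL._write_cert_key_pair(cert, key, cn, prefix)

    def create_server_cert(self, cn, prefix='server'):
        """Issue a CA-signed end-entity (TLS server) certificate for *cn*.

        Raises:
            RuntimeError: if ``create_ca_cert`` has not been called yet.
        """
        if self.ca_cert is None or self.ca_key is None:
            raise RuntimeError('create_ca_cert() must be called before create_server_cert()')
        cert, key = CAOpenSSL._new_cert_key_pair(cn)
        cert.set_issuer(self.ca_cert.get_subject())
        cert.add_extensions([
            # Leaf only: without CA:FALSE whoever holds this key could mint
            # certificates for any name that chain to the root.
            crypto.X509Extension(b'basicConstraints', True, b'CA:FALSE'),
            crypto.X509Extension(b'keyUsage', True, b'digitalSignature, keyEncipherment'),
            crypto.X509Extension(b'extendedKeyUsage', False, b'serverAuth'),
            # Host matching in modern clients is SAN-only; the CN is ignored.
            crypto.X509Extension(b'subjectAltName', False, CAOpenSSL._san_for(cn)),
            crypto.X509Extension(b'subjectKeyIdentifier', False, b'hash', subject=cert),
            crypto.X509Extension(b'authorityKeyIdentifier', False, b'keyid', issuer=self.ca_cert),
        ])
        cert.sign(self.ca_key, HASH_ALGORITHM)
        CAOpenSSL._write_cert_key_pair(cert, key, cn, prefix)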
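

def main():
    """Create the root CA and one CA-signed server certificate per host."""
    ca = CAOpenSSL()
    ca.create_ca_cert('ca.zaleos.net')
    # Create as many CA-signed certificates as needed
    for ip in [200, 190, 191]:
        # passing CN - commonName
        cn = '10.22.22.{0}'.format(ip)
        ca.create_server_cert(cn)


# Guarded so importing the module (e.g. to reuse CAOpenSSL) does not
# generate keys and write files as a side effect.
if __name__ == '__main__':
    main()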
"""
$ rm -f *.crt *.key ; time python test.py
Saved cert file: "rootCA-ca.zaleos.net.crt"
Saved key file: "rootCA-ca.zaleos.net.key"
Saved cert file: "server-10.22.22.200.crt"
Saved key file: "server-10.22.22.200.key"
Saved cert file: "server-10.22.22.190.crt"
Saved key file: "server-10.22.22.190.key"
Saved cert file: "server-10.22.22.191.crt"
Saved key file: "server-10.22.22.191.key"
# Tips:
# openssl x509 -in <cert> -noout -text
# openssl verify -CAfile <ca-cert> <server-cert>
$ openssl verify -CAfile rootCA-ca.zaleos.net.crt server-10.22.22.191.crt
server-10.22.22.191.crt: OK
"""