Bytes IT Community

python openssl x509 CA

Hello,
I'm fighting with Certificate Authority functionality with Python.
I'm stuck on the following problem: how to sign a CSR using the CA key and write
the resulting certificate.

You can do it using the following openssl command:
openssl ca -cert CA/cert.pem -keyfile CA/private/cakey.pem -policy policy_anything -out user_cert.pem -infiles userreq.pem

My try was:
import OpenSSL.crypto as pki
# load the CA private key (passphrase-protected PEM):
ca_key = pki.load_privatekey(pki.FILETYPE_PEM, open('CA/private/cakey.pem').read(), 'haselko')
# load the user's CSR:
csr = pki.load_certificate_request(pki.FILETYPE_PEM, open('userreq.pem').read())
# sign the CSR with the CA key
csr.sign(ca_key, 'sha1')
I don't get any errors; however, I don't see any way to write or get the
result of such an operation.
csr exports the following methods:
csr.add_extensions csr.get_pubkey csr.get_subject
csr.set_pubkey csr.sign csr.verify

I want to create a pure Python implementation without use of openssl
wrapped with Python code.

Regards,
Oct 31 '08 #1
3 Replies


On 2008-10-31 11:10, Marcin Jurczuk wrote:
> Hello,
> I'm fighting with Certificate Authority functionality with Python.
> I'm stuck on the following problem: how to sign a CSR using the CA key and write
> the resulting certificate.
>
> You can do it using the following openssl command:
> openssl ca -cert CA/cert.pem -keyfile CA/private/cakey.pem -policy policy_anything -out user_cert.pem -infiles userreq.pem
>
> My try was:
> import OpenSSL.crypto as pki
> #load CA key:
> ca_key=pki.load_privatekey(pki.FILETYPE_PEM,open('CA/private/cakey.pem').read(),'haselko')
> #load user's csr:
> csr=pki.load_certificate_request(pki.FILETYPE_PEM, open('userreq.pem').read())
> # sign csr
> csr.sign(ca_key,'sha1')
> I don't get any errors; however, I don't see any way to write or get the
> result of such an operation.
> csr exports the following methods:
> csr.add_extensions csr.get_pubkey csr.get_subject
> csr.set_pubkey csr.sign csr.verify
You need to use crypto.dump_certificate() to dump and then
write the certificate back to disk.

BTW: There's a good example in the pyOpenSSL examples dir
for these things:

http://svn.dave.cridland.net/svn/pro...les/certgen.py
http://svn.dave.cridland.net/svn/pro...imple_certs.py
> I want to create a pure Python implementation without use of openssl
> wrapped with Python code.
Good luck with that :-)

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Oct 31 2008)
>>Python/Zope Consulting and Support ... http://www.egenix.com/
mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
Oct 31 '08 #2
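To make the reply above concrete: a CSR is not a certificate, so X509Req has nothing to export once signed. The CA has to build an X509 object (subject and public key taken from the request, issuer from the CA certificate, serial and validity chosen by the CA), sign that with the CA key, and serialize it with crypto.dump_certificate(). The following is an added example written for this page, not code from the thread or from the pyOpenSSL examples directory it links to. Instead of reading CA/cert.pem, CA/private/cakey.pem and userreq.pem from disk, it constructs a throw-away CA and request in memory so it runs offline; the common names, serial numbers and validity periods are invented for the demo, and it signs with sha256 rather than the sha1 used in the question.

```python
# Added example (not from the thread): issue a certificate from a CSR with pyOpenSSL.
# The request object (X509Req) cannot be exported as a certificate. The CA builds an
# X509 object from the request, signs it with the CA key and serializes it with
# crypto.dump_certificate(), which is the step the original post was missing.
from OpenSSL import crypto


def make_key(bits=2048):
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)
    return key


def make_ca(cn="Example Test CA"):
    """Constructed self-signed CA for the demo (stands in for CA/cert.pem + cakey.pem)."""
    key = make_key()
    cert = crypto.X509()
    cert.set_version(2)  # X.509 v3, needed for extensions
    cert.set_serial_number(1)
    cert.get_subject().CN = cn
    cert.set_issuer(cert.get_subject())  # self-signed: issuer == subject
    cert.set_pubkey(key)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10 * 365 * 24 * 3600)
    cert.add_extensions([
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
        crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),
    ])
    cert.sign(key, "sha256")
    return key, cert


def make_csr(cn="user.example.test"):
    """Constructed request (stands in for userreq.pem). The requester signs its own CSR."""
    key = make_key()
    req = crypto.X509Req()
    req.get_subject().CN = cn
    req.set_pubkey(key)
    req.sign(key, "sha256")
    return key, req


def issue_certificate(ca_key, ca_cert, req, serial, days=365):
    """CSR -> X509 signed by the CA. Signing the X509Req with ca_key does not do this."""
    # Proof of possession: the request must verify under the key it carries.
    if not req.verify(req.get_pubkey()):
        raise ValueError("CSR signature does not verify")
    cert = crypto.X509()
    cert.set_version(2)
    cert.set_serial_number(serial)  # the CA, not the requester, chooses the serial
    cert.set_subject(req.get_subject())
    cert.set_issuer(ca_cert.get_subject())
    cert.set_pubkey(req.get_pubkey())
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days * 24 * 3600)
    # The CA decides the extensions; it does not copy them blindly from the request.
    cert.add_extensions([
        crypto.X509Extension(b"basicConstraints", True, b"CA:FALSE"),
        crypto.X509Extension(b"keyUsage", True, b"digitalSignature, keyEncipherment"),
        crypto.X509Extension(b"extendedKeyUsage", False, b"clientAuth"),
        crypto.X509Extension(b"authorityKeyIdentifier", False, b"keyid:always", issuer=ca_cert),
    ])
    cert.sign(ca_key, "sha256")
    return cert


def write_pem(cert):
    """crypto.dump_certificate() turns the X509 object into the bytes of user_cert.pem."""
    return crypto.dump_certificate(crypto.FILETYPE_PEM, cert)


def chain_verifies(ca_cert, cert):
    """Check the issued certificate against a trust store holding only the CA."""
    store = crypto.X509Store()
    store.add_cert(ca_cert)
    try:
        crypto.X509StoreContext(store, cert).verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False


def demo():
    ca_key, ca_cert = make_ca()
    _user_key, req = make_csr()
    cert = issue_certificate(ca_key, ca_cert, req, serial=1000)
    # Round-trip through PEM, as the CA would when writing user_cert.pem to disk.
    reloaded = crypto.load_certificate(crypto.FILETYPE_PEM, write_pem(cert))
    return ca_cert, cert, reloaded


if __name__ == "__main__":
    ca_cert, cert, reloaded = demo()
    print(write_pem(reloaded).decode())
    print("verifies against CA:", chain_verifies(ca_cert, reloaded))
```

Two design points worth noting: the CA verifies the request's own signature before issuing (proof that the requester holds the private key), and it sets basicConstraints, keyUsage and the serial itself rather than trusting anything the request asked for, which is the control the openssl `ca` command's policy section provides in the shell version of this workflow.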

Marcin Jurczuk <mj******@gmail.com> writes:
> I want to create a pure Python implementation without use of openssl
> wrapped with Python code.
There was a CA written in Python quite a while back, http://pyca.de .
I don't know if it's maintained these days.
Oct 31 '08 #3

Paul Rubin wrote:
> Marcin Jurczuk <mj******@gmail.com> writes:
> > I want to create a pure Python implementation without use of openssl
> > wrapped with Python code.
>
> There was a CA written in Python quite a while back, http://pyca.de .
That was the usual approach with invoking the openssl command-line tool
from Python. Today I'd do *everything* differently. Well, it was the
result of learning Python, PKI, LDAP and web programming all at once
back then.
> I don't know if it's maintained these days.
No, it's not. Being the author I know this for sure. ;-)

Ciao, Michael.
Oct 31 '08 #4
