python openssl x509 CA

Discussion in 'Python' started by Marcin Jurczuk, Oct 31, 2008.

  1. Hello,
    I'm fighting with Certificate Authority functionality in Python.
    I'm stuck on the following problem: how to sign a CSR using the CA key and write
    the resulting certificate.

    You can do it using the following openssl command:
    openssl ca -cert CA/cert.pem -keyfile CA/private/cakey.pem -policy policy_anything -out user_cert.pem -infiles userreq.pem

    My try was:
    import OpenSSL.crypto as pki
    # load CA key:
    ca_key = pki.load_privatekey(pki.FILETYPE_PEM, open('CA/private/cakey.pem').read(), 'haselko')
    # load user's csr:
    csr = pki.load_certificate_request(pki.FILETYPE_PEM, open('userreq.pem').read())
    # sign csr
    csr.sign(ca_key, 'sha1')
    I don't get any errors, however I don't see any way to write or get the
    result of such an operation.
    csr exports the following methods:
    csr.add_extensions csr.get_pubkey csr.get_subject
    csr.set_pubkey csr.sign csr.verify

    I want to create a pure Python implementation without using openssl
    wrapped with Python code.

    Regards,
    Marcin Jurczuk, Oct 31, 2008
    #1

  2. On 2008-10-31 11:10, Marcin Jurczuk wrote:
    > Hello,
    > I'm fighting with Certificate Authority functionality in Python.
    > I'm stuck on the following problem: how to sign a CSR using the CA key and write
    > the resulting certificate.
    >
    > You can do it using the following openssl command:
    > openssl ca -cert CA/cert.pem -keyfile CA/private/cakey.pem -policy policy_anything -out user_cert.pem -infiles userreq.pem
    >
    > My try was:
    > import OpenSSL.crypto as pki
    > # load CA key:
    > ca_key = pki.load_privatekey(pki.FILETYPE_PEM, open('CA/private/cakey.pem').read(), 'haselko')
    > # load user's csr:
    > csr = pki.load_certificate_request(pki.FILETYPE_PEM, open('userreq.pem').read())
    > # sign csr
    > csr.sign(ca_key, 'sha1')
    > I don't get any errors, however I don't see any way to write or get the
    > result of such an operation.
    > csr exports the following methods:
    > csr.add_extensions csr.get_pubkey csr.get_subject
    > csr.set_pubkey csr.sign csr.verify


    You need to use crypto.dump_certificate() to dump and then
    write the certificate back to disk.

    BTW: There's a good example in the pyOpenSSL examples dir
    for these things:

    http://svn.dave.cridland.net/svn/projects/pyopenssl/dwd/examples/certgen.py
    http://svn.dave.cridland.net/svn/projects/pyopenssl/dwd/examples/mk_simple_certs.py

    > I want to create a pure Python implementation without using openssl
    > wrapped with Python code.


    Good luck with that :)

    --
    Marc-Andre Lemburg
    eGenix.com

    M.-A. Lemburg, Oct 31, 2008
    #2
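    The answer above names the missing call but not the surrounding step. The following is an added example, not code from the thread or from pyOpenSSL's examples: the CSR itself is never "signed into" a certificate; the CA builds a fresh X509 object from the request's subject and public key, sets its own issuer name, serial, validity and extensions, signs that with the CA key, and only then does crypto.dump_certificate() give bytes to write to disk. The CA name, user CN and validity periods are constructed for the demo, and the CA key pair is generated in-process rather than loaded from CA/private/cakey.pem.

```python
import secrets
from OpenSSL import crypto

def make_csr(cn, bits=2048):
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)
    req = crypto.X509Req()
    req.get_subject().CN = cn
    req.set_pubkey(key)
    req.sign(key, "sha256")          # request side: proves key possession, this is NOT the CA step
    return key, req

def _new_cert(subject, issuer, pubkey, days, extensions):
    # Unsigned X.509 v3 body; the caller signs it with the issuer's key.
    cert = crypto.X509()
    cert.set_version(2)
    cert.set_serial_number(secrets.randbelow(2**63) + 1)   # random positive serial, unique per cert
    cert.set_subject(subject)
    cert.set_issuer(issuer)
    cert.set_pubkey(pubkey)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days * 24 * 3600)
    cert.add_extensions(extensions)
    return cert

def make_ca(cn="Demo Root CA"):
    # Self-signed CA key and certificate (constructed for the example).
    key, req = make_csr(cn)
    cert = _new_cert(req.get_subject(), req.get_subject(), key, 3650, [
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign")])
    cert.sign(key, "sha256")
    return key, cert

def issue_certificate(ca_key, ca_cert, req, days=365):
    # The 'openssl ca' step: build a cert from the CSR, sign it with the CA key, return PEM bytes.
    req.verify(req.get_pubkey())                   # raises if the CSR signature does not check out
    cert = _new_cert(req.get_subject(), ca_cert.get_subject(), req.get_pubkey(), days, [
        crypto.X509Extension(b"basicConstraints", True, b"CA:FALSE"),   # chosen by the CA, never copied from the CSR
        crypto.X509Extension(b"keyUsage", True, b"digitalSignature, keyEncipherment")])
    cert.sign(ca_key, "sha256")
    return crypto.dump_certificate(crypto.FILETYPE_PEM, cert)   # write with open("user_cert.pem", "wb")

def verify_against_ca(ca_cert, cert_pem):
    # Relying-party check: raises crypto.X509StoreContextError if the chain does not verify.
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
    store = crypto.X509Store()
    store.add_cert(ca_cert)
    crypto.X509StoreContext(store, cert).verify_certificate()
    return cert
```

    In the original poster's setup the CA key would come from crypto.load_privatekey() instead of make_ca(), and the request from crypto.load_certificate_request(); the issue_certificate() step is the same.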

  3. Paul Rubin (Guest)

    Marcin Jurczuk <> writes:
    > I want to create a pure Python implementation without using openssl
    > wrapped with Python code.


    There was a CA written in Python quite a while back, http://pyca.de .
    I don't know if it's maintained these days.
    Paul Rubin, Oct 31, 2008
    #3
  4. Paul Rubin wrote:
    > Marcin Jurczuk <> writes:
    >> I want to create a pure Python implementation without using openssl
    >> wrapped with Python code.
    >
    > There was a CA written in Python quite a while back, http://pyca.de .


    That was the usual approach with invoking the openssl command-line tool
    from Python. Today I'd do *everything* differently. Well, it was the
    result of learning Python, PKI, LDAP and web programming all at once
    back then.

    > I don't know if it's maintained these days.


    No, it's not. Being the author I know this for sure. ;-)

    Ciao, Michael.
    Michael Ströder, Oct 31, 2008
    #4
