python openssl x509 CA

 
 
Marcin Jurczuk
      10-31-2008
Hello,
I'm fighting with Certificate Authority functionality with Python.
I'm stuck on the following problem: how to sign a CSR using the CA key and write
the resulting certificate.

You can do it using the following openssl command:
openssl ca -cert CA/cert.pem -keyfile CA/private/cakey.pem -policy policy_anything -out user_cert.pem -infiles userreq.pem

My try was:
import OpenSSL.crypto as pki
# load CA key:
ca_key = pki.load_privatekey(pki.FILETYPE_PEM, open('CA/private/cakey.pem').read(), 'haselko')
# load user's csr:
csr = pki.load_certificate_request(pki.FILETYPE_PEM, open('userreq.pem').read())
# sign csr
csr.sign(ca_key, 'sha1')
I don't get any errors; however, I don't see any way to write or get
the result of such an operation.
csr exports the following methods:
csr.add_extensions csr.get_pubkey csr.get_subject
csr.set_pubkey csr.sign csr.verify

I want to create a pure Python implementation without the use of openssl
wrapped with Python code.

Regards,
 
M.-A. Lemburg
      10-31-2008
On 2008-10-31 11:10, Marcin Jurczuk wrote:
> Hello,
> I'm fighting with Certificate Authority functionality with Python.
> I'm stuck on the following problem: how to sign a CSR using the CA key and write
> the resulting certificate.
>
> You can do it using the following openssl command:
> openssl ca -cert CA/cert.pem -keyfile CA/private/cakey.pem -policy policy_anything -out user_cert.pem -infiles userreq.pem
>
> My try was:
> import OpenSSL.crypto as pki
> # load CA key:
> ca_key = pki.load_privatekey(pki.FILETYPE_PEM, open('CA/private/cakey.pem').read(), 'haselko')
> # load user's csr:
> csr = pki.load_certificate_request(pki.FILETYPE_PEM, open('userreq.pem').read())
> # sign csr
> csr.sign(ca_key, 'sha1')
> I don't get any errors; however, I don't see any way to write or get
> the result of such an operation.
> csr exports the following methods:
> csr.add_extensions csr.get_pubkey csr.get_subject
> csr.set_pubkey csr.sign csr.verify


You need to use crypto.dump_certificate() to dump and then
write the certificate back to disk.

BTW: There's a good example in the pyOpenSSL examples dir
for these things:

http://svn.dave.cridland.net/svn/pro...les/certgen.py
http://svn.dave.cridland.net/svn/pro...imple_certs.py

> I want to create a pure Python implementation without the use of openssl
> wrapped with Python code.


Good luck with that

--
Marc-Andre Lemburg
eGenix.com

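Added example, not part of the thread and not pyOpenSSL's own code: signing the request object, as in the first post, only re-signs the CSR, whereas a CA issues a new certificate that carries the CSR's subject and public key and is signed with the CA key. This version uses the cryptography package instead of the pyOpenSSL calls quoted above; the throwaway CA, the names and the validity periods are constructed stand-ins for CA/cert.pem, CA/private/cakey.pem and userreq.pem.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def build_cert(subject, issuer, public_key, signing_key, is_ca, days):
    """Assemble a certificate and sign it with signing_key (SHA-256, not SHA-1)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def new_key_and_name(cn):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key, x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_test_ca(cn):  # constructed self-signed CA (stands in for the CA files)
    key, name = new_key_and_name(cn)
    return key, build_cert(name, name, key.public_key(), key, True, 365)

def make_test_csr(cn):  # constructed request (stands in for userreq.pem), PEM bytes
    key, name = new_key_and_name(cn)
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)

def issue_from_csr(csr_pem, ca_key, ca_cert, days=90):
    """Issue a new certificate carrying the CSR's subject and key, signed by the CA."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:  # requester must hold the matching private key
        raise ValueError("CSR signature does not verify")
    cert = build_cert(csr.subject, ca_cert.subject, csr.public_key(), ca_key, False, days)
    return cert.public_bytes(serialization.Encoding.PEM)  # bytes for user_cert.pem

def check(cert_pem, ca_cert):
    """Return (subject, is_ca, signed_by_ca) for an issued certificate."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        signed = cert.issuer == ca_cert.subject
    except InvalidSignature:
        signed = False
    return cert.subject.rfc4514_string(), is_ca, signed
```

The bytes returned by issue_from_csr() are what gets written to disk, the same role crypto.dump_certificate() plays in the reply above.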
 
 
 
 
Paul Rubin
      10-31-2008
Marcin Jurczuk <(E-Mail Removed)> writes:
> I want to create a pure Python implementation without the use of openssl
> wrapped with Python code.


There was a CA written in Python quite a while back, http://pyca.de .
I don't know if it's maintained these days.
 
 
Michael Ströder
      10-31-2008
Paul Rubin wrote:
> Marcin Jurczuk <(E-Mail Removed)> writes:
>> I want to create a pure Python implementation without the use of openssl
>> wrapped with Python code.
>
> There was a CA written in Python quite a while back, http://pyca.de .


That was the usual approach with invoking the openssl command-line tool
from Python. Today I'd do *everything* differently. Well, it was the
result of learning Python, PKI, LDAP and web programming all at once
back then.

> I don't know if it's maintained these days.


No, it's not. Being the author I know this for sure.

Ciao, Michael.
 