[Cryptography-dev] How to add the extension 'subject directory attributes' to a certificate using Python?

Aow Tea aowtea at gmail.com
Thu Dec 8 09:13:35 EST 2016


Dear everyone,
       I am having trouble adding the extension 'subject directory
attributes' to a certificate using Python. I have tried to use
'subjectDirAttrs' and 'subjectDirectoryAttributes', but neither of them
works. The error is 'OpenSSL.crypto.Error: [('X509 V3 routines',
'DO_EXT_NCONF', 'unknown extension name'), ('X509 V3 routines',
'X509V3_EXT_nconf', 'error in extension')]'.

        I have installed PyOpenSSL v16.1.0 and imported crypto from OpenSSL
as the code below shows. My programming environment is Ubuntu 16.04.1 x64
and Python 2.7.12. Can anyone give a practical solution?

        In addition, when I want to add another extension 'certificate
policies', the error is 'OpenSSL.crypto.Error: [('X509 V3 routines',
'DO_EXT_NCONF', 'no config database'), ('X509 V3 routines',
'X509V3_EXT_nconf', 'error in extension')]'.  Can anyone tell me how to add
this extension to a certificate?


        Thanks in advance!

        # My code

#! /usr/bin/env python

from OpenSSL import crypto

newSubject=crypto.X509Name(crypto.X509().get_subject())

newSubject.C='US'
newSubject.ST='California'
newSubject.O='University of California, Davis'
newSubject.OU='Computer Science, UCDavis'
newSubject.CN='www.cs.ucdavis.edu'

newCert=crypto.X509()
newCert.set_version(2)
newCert.set_serial_number(2016120711)
newCert.set_notBefore('20161207125959Z')
newCert.set_notAfter('20171207125959Z')
newCert.set_issuer(newSubject)
newCert.set_subject(newSubject)

pkObject=crypto.PKey()
pkObject.generate_key(crypto.TYPE_RSA,2048)

newCert.set_pubkey(pkObject)

newExt=crypto.X509Extension('basicConstraints', True, 'CA:true')
newCert.add_extensions([newExt])

newExt=crypto.X509Extension('subjectDirAttrs', True, 'something')
newCert.add_extensions([newExt])


newCert.sign(pkObject,'sha256')
with open('sample.pem','w') as f:
    f.write(crypto.dump_certificate(crypto.FILETYPE_PEM,newCert))
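
Added example, not part of the original post and not the poster's or the project's code: one way to carry both extensions using the `cryptography` package instead of pyOpenSSL's `X509Extension`, DER-encoding subjectDirectoryAttributes (OID 2.5.29.9) by hand and attaching it as an opaque `UnrecognizedExtension`, marked non-critical as RFC 5280 requires. The countryOfCitizenship attribute, the anyPolicy OID and the helper names are assumptions chosen for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

SUBJECT_DIR_ATTRS = ObjectIdentifier("2.5.29.9")  # id-ce-subjectDirectoryAttributes
ANY_POLICY = ObjectIdentifier("2.5.29.32.0")      # anyPolicy, stand-in for a real policy OID
COUNTRY_OF_CITIZENSHIP = "1.3.6.1.5.5.7.9.4"      # id-pda-countryOfCitizenship (RFC 3739)

def tlv(tag, body):
    """DER tag-length-value with short- and long-form lengths."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def oid_der(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def subject_directory_attributes(attrs):
    """{attribute OID: [PrintableString values]} -> DER SEQUENCE OF Attribute."""
    out = b""
    for oid, values in attrs.items():
        members = sorted(tlv(0x13, v.encode("ascii")) for v in values)  # DER sorts SET OF
        out += tlv(0x30, oid_der(oid) + tlv(0x31, b"".join(members)))
    return tlv(0x30, out)

def build_cert(attrs):
    """Self-signed certificate carrying both extensions from the question."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.cs.ucdavis.edu")])
    start = datetime.datetime(2016, 12, 7, 12, 59, 59)
    policies = x509.CertificatePolicies([x509.PolicyInformation(ANY_POLICY, None)])
    sda = x509.UnrecognizedExtension(SUBJECT_DIR_ATTRS, subject_directory_attributes(attrs))
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(2016120711)
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(policies, critical=False)
            .add_extension(sda, critical=False)  # RFC 5280 requires non-critical
            .sign(key, hashes.SHA256()))
```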