[pyOpenSSL] CA signing question
Arnaud Desmons
arnaud.desmons at free.fr
Tue Nov 20 19:34:07 CET 2007
> I'm trying to use your pyOpenSSL python wrapper to sign a .csr with a CA
> certificate, however I don't understand how your code works (most
> documentation seems to be written with a client-server perspective of
> encrypting communication).
>
> I could find the
> > static PyObject *
> > crypto_X509_sign(crypto_X509Obj *self, PyObject *args)
> function (which seems to be what I'm looking for), but I do not
> understand how to instantiate an X509 object - the
> load_certificate(type, buffer) method seems to be relevant, but I fail
> to supply it with the correct arguments...
Hi,
Here is the code I use in vulture-pki to sign a certificate.
This is a certificate object's method (nothing to do with pyOpenSSL).
    from OpenSSL import crypto

    def sign(self):
        # Build a CSR for the requested subject with a freshly generated key pair.
        req = crypto.X509Req()
        subj = req.get_subject()
        setattr(subj, 'CN', self.cn)
        setattr(subj, 'emailAddress', self.mail)
        setattr(subj, 'ST', self.st)
        setattr(subj, 'O', self.organisation)
        setattr(subj, 'C', self.country)
        pkey = crypto.PKey()
        pkey.generate_key(self.profile.key_type, self.profile.key_size)
        req.set_pubkey(pkey)
        # CSR self-signature. It is never verified here, but md5 is broken;
        # use sha256 if the request is ever handed to something that checks it.
        req.sign(pkey, 'md5')
        self.pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
        # Copy subject and public key from the request into a new certificate.
        x509 = crypto.X509()
        x509.set_subject(req.get_subject())
        x509.set_pubkey(req.get_pubkey())
        # Load the CA certificate and private key from their PEM strings.
        cacert = crypto.load_certificate(crypto.FILETYPE_PEM, self.profile.ca_cert)
        cakey = crypto.load_privatekey(crypto.FILETYPE_PEM, self.profile.ca_key)
        x509.set_issuer(cacert.get_subject())
        # Serial numbers must be unique per CA; a database id satisfies that.
        x509.set_serial_number(self.id)
        # Validity window: from now until valid_until, as a second offset from now.
        x509.gmtime_adj_notBefore(0)
        delta = self.valid_until.date() - self.date.date()
        x509.gmtime_adj_notAfter(delta.days * 60 * 60 * 24)
        # Sign with the CA key. No version or extensions are set, so this is a
        # v1 certificate with no basicConstraints or keyUsage.
        x509.sign(cakey, self.profile.digest)
        self.x509 = crypto.dump_certificate(crypto.FILETYPE_PEM, x509)
Hope it will help.
Regards,
--
Arnaud
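The original question was about signing a .csr that already exists, which the posted method does not do (it generates the key and the request itself). The following is an added example, not code from this thread or from vulture-pki, that loads a PEM CSR, checks its self-signature, issues a v3 end-entity certificate from it and verifies the result against the CA. It is written against the `cryptography` package (pip name `cryptography`), which pyOpenSSL is built on and points to in the deprecation notices on its own X509Req and X509Extension classes. The CA, the requester key and the CSR are all generated in-process as constructed test data so that it runs offline; the function names, the common names, the 365-day lifetime and the key-usage bits are the example's own choices.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_ca(common_name="Example Test CA"):
    """Self-signed CA (constructed test data so the example runs offline)."""
    key = rsa.generate_private_key(65537, 2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_csr_pem(common_name="server.example.test"):
    """Requester's side: the CSR as it would arrive in a .csr file (constructed)."""
    key = rsa.generate_private_key(65537, 2048)  # stays with the requester
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def sign_csr(csr_pem, ca_cert, ca_key, days=365, serial=None):
    """Issue an end-entity certificate for a PEM CSR, signed by the CA."""
    csr = x509.load_pem_x509_csr(csr_pem)
    # The self-signature is the only proof that the requester holds the private key.
    if not csr.is_signature_valid:
        raise ValueError("CSR self-signature does not verify")
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        # Serials must be unique per CA and should be unpredictable; a database
        # row id, as in the posted method, is unique but guessable.
        .serial_number(serial if serial is not None else x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        # v3 extensions pin the certificate to end-entity (TLS server) use.
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=True,
            data_encipherment=False, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()), critical=False)
    )
    # Copy only the SAN from the request, never requested extensions wholesale:
    # a requester could otherwise ask for basicConstraints CA:TRUE.
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def verify_issued(cert_pem, ca_cert):
    """Check that cert_pem was issued by ca_cert; returns the parsed certificate."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    if cert.issuer != ca_cert.subject:
        raise ValueError("issuer name does not match the CA subject")
    ca_cert.public_key().verify(  # raises InvalidSignature on a bad signature
        cert.signature, cert.tbs_certificate_bytes,
        padding.PKCS1v15(), cert.signature_hash_algorithm)
    return cert


def issued_summary(cert):
    """The fields a reviewer checks on an issued certificate (SAN assumed present)."""
    exts = cert.extensions
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "serial": cert.serial_number,
        "is_ca": exts.get_extension_for_class(x509.BasicConstraints).value.ca,
        "dns_names": exts.get_extension_for_class(x509.SubjectAlternativeName)
                         .value.get_values_for_type(x509.DNSName),
    }


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    pem = sign_csr(make_csr_pem(), ca_cert, ca_key)
    print(issued_summary(verify_issued(pem, ca_cert)))
```

To feed a real request, read the .csr file as bytes and pass it to sign_csr in place of make_csr_pem(); the CA key and certificate load with load_pem_private_key and load_pem_x509_certificate. If a pyOpenSSL object is needed afterwards, OpenSSL.crypto.X509.from_cryptography() accepts the certificate that verify_issued returns.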