Hello, thank you for the article. But I had to change the code a bit to get it working. Here you have it:
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives import hashes, serialization from cryptography import x509 from cryptography.x509.oid import NameOID import datetime one_day = datetime.timedelta(days=1) today = datetime.date.today()
yest = today - one_day tom = today + one_day yesterday = datetime.datetime(yest.year, yest.month, yest.day) tomorrow = datetime.datetime(tom.year, tom.month, tom.day)
private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend() )
ca_name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'Simple Test CA'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Organization'), x509.NameAttribute(NameOID.COUNTRY_NAME, u'US') ])
public_key = private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name(ca_name) builder = builder.issuer_name(ca_name) builder = builder.not_valid_before(yesterday) builder = builder.not_valid_after(tomorrow) builder = builder.serial_number(12345)#x509.random_serial_number()) builder = builder.public_key(public_key) builder = builder.add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True) certificate = builder.sign( private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend() ) private_bytes = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) public_bytes = certificate.public_bytes( encoding=serialization.Encoding.PEM) with open("caa_ca.pem", "wb") as fout: fout.write(private_bytes + public_bytes) with open("caa_ca.crt", "wb") as fout: fout.write(public_bytes)
service_private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend() ) service_public_key = service_private_key.public_key() builder = x509.CertificateBuilder() builder = builder.subject_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, 'service.test.local') ])) builder = builder.issuer_name(ca_name) builder = builder.serial_number(123456) builder = builder.not_valid_before(yesterday) builder = builder.not_valid_after(tomorrow) builder = builder.public_key(public_key) certificate = builder.sign( private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend() ) private_bytes = service_private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) public_bytes = certificate.public_bytes( encoding=serialization.Encoding.PEM) with open("caa_service.pem", "wb") as fout: fout.write(private_bytes + public_bytes)
Hello,
thank you for the article. But I had to change the code a bit to get it working.
Here you have it:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import hashes, serialization
from cryptography import x509
from cryptography.x509.oid import NameOID
import datetime
one_day = datetime.timedelta(days=1)
today = datetime.date.today()
yest = today - one_day
tom = today + one_day
yesterday = datetime.datetime(yest.year, yest.month, yest.day)
tomorrow = datetime.datetime(tom.year, tom.month, tom.day)
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
ca_name = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'Simple Test CA'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Organization'),
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')
])
public_key = private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(ca_name)
builder = builder.issuer_name(ca_name)
builder = builder.not_valid_before(yesterday)
builder = builder.not_valid_after(tomorrow)
builder = builder.serial_number(12345)#x509.random_serial_number())
builder = builder.public_key(public_key)
builder = builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None),
critical=True)
certificate = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(),
backend=default_backend()
)
private_bytes = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
public_bytes = certificate.public_bytes(
encoding=serialization.Encoding.PEM)
with open("caa_ca.pem", "wb") as fout:
fout.write(private_bytes + public_bytes)
with open("caa_ca.crt", "wb") as fout:
fout.write(public_bytes)
service_private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
service_public_key = service_private_key.public_key()
builder = x509.CertificateBuilder()
builder = builder.subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, 'service.test.local')
]))
builder = builder.issuer_name(ca_name)
builder = builder.serial_number(123456)
builder = builder.not_valid_before(yesterday)
builder = builder.not_valid_after(tomorrow)
builder = builder.public_key(public_key)
certificate = builder.sign(
private_key=private_key, algorithm=hashes.SHA256(),
backend=default_backend()
)
private_bytes = service_private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
public_bytes = certificate.public_bytes(
encoding=serialization.Encoding.PEM)
with open("caa_service.pem", "wb") as fout:
fout.write(private_bytes + public_bytes)