def make_csr(private_key: bytes) -> str: """Return a CSR based on the given private key. :param private_key: :return csr: """ csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, cache.get('csr_country_name') or 'GB'), x509.NameAttribute( NameOID.STATE_OR_PROVINCE_NAME, cache.get('csr_state_or_province_name') or 'Middlesex'), x509.NameAttribute(NameOID.LOCALITY_NAME, cache.get('csr_locality_name') or 'London'), x509.NameAttribute( NameOID.ORGANIZATIONAL_UNIT_NAME, cache.get('csr_organizational_unit_name') or 'My TPP'), x509.NameAttribute(NameOID.COMMON_NAME, cache.get('csr_common_name') or 'IT'), ])).sign(private_key, hashes.SHA256(), default_backend()) return csr
def csRequest(self): # Generate a CSR csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"), ])).add_extension( x509.SubjectAlternativeName([ # Describe what sites we want this certificate for. x509.DNSName(u"mysite.com"), ]), critical=False, # Sign the CSR with our private key. ).sign(self.key, hashes.SHA256()) # Write our CSR out to disk. with open(self.path, "wb") as f: # path = path/to/store/csr.pem f.write(csr.public_bytes(serialization.Encoding.PEM))
def generate_certificate_signing_request(self, slot, public_key, subject, touch_callback=None): builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, subject), ])) try: return self.sign_csr_builder(slot, public_key, builder, touch_callback=touch_callback) except APDUError as e: logger.error( 'Failed to generate Certificate Signing Request for slot %s', slot, exc_info=e) raise
def generate(fqdn, write_dir, key_length, mode, owner_uid, group_gid): """Generate a key and CSR for headless operation. The private key is written out to the provided directory and the CSR is returned as a PEM encoded string. """ public_exp = 65537 priv_key = rsa.generate_private_key( public_exponent=public_exp, key_size=key_length, backend=default_backend()) for key_filename in (KEY_FILENAME, PKCS8_KEY_FILENAME): key_format = KEY_FILENAME_TO_FORMAT.get(key_filename) if not key_format: raise GenerationError( 'Invalid key format for file {}'.format(key_filename) ) priv_key_filepath = os.path.join(write_dir, key_filename) try: with open(priv_key_filepath, 'w') as keyfile: keyfile.write(priv_key.private_bytes( encoding=serialization.Encoding.PEM, format=key_format, encryption_algorithm=serialization.NoEncryption())) os.chmod(priv_key_filepath, mode) os.chown(priv_key_filepath, owner_uid, group_gid) except IOError: raise GenerationError('Error writing key file {}'.format(keyfile)) builder = x509.CertificateSigningRequestBuilder() common_name = x509.NameAttribute( x509.oid.NameOID.COMMON_NAME, six.u(fqdn)) builder = builder.subject_name(x509.Name([common_name])) builder = builder.add_extension(x509.BasicConstraints( ca=False, path_length=None), critical=True) csr = builder.sign(priv_key, hashes.SHA256(), default_backend()) csr_pem_encoded = csr.public_bytes(serialization.Encoding.PEM) return csr_pem_encoded
def make_csr(self, common_name_prefix: str = None): """ Generate CSR. """ # Create a random common name. common_name = Nagamani19().generate() if common_name_prefix: common_name = f"{common_name_prefix}-{common_name}" # Generate the CSR. csr_unsigned = x509.CertificateSigningRequestBuilder().subject_name( x509.Name( [ # Provide various details about who we are. x509.NameAttribute(NameOID.COMMON_NAME, common_name), ] ) ) # Sign the CSR with the private key. self.csr = csr_unsigned.sign(self.private_key, hashes.SHA512())
def generate_csr_and_key(): """Return a dict with a new csr and key.""" key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"Magnum User"), ])).sign(key, hashes.SHA256(), default_backend()) result = { 'csr': csr.public_bytes(encoding=serialization.Encoding.PEM).decode("utf-8"), 'key': key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()).decode("utf-8"), } return result
def _generate_csr(cls, cn, private_key, passphrase=None): pk = serialization.load_pem_private_key( data=private_key, password=passphrase, backend=backends.default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn), ]) ) csr = csr.add_extension( x509.BasicConstraints( ca=False, path_length=None ), critical=True ) csr = csr.add_extension( x509.KeyUsage( digital_signature=True, key_encipherment=True, data_encipherment=True, key_agreement=True, content_commitment=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False ), critical=True ) csr = csr.add_extension( x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False ) signed_csr = csr.sign( pk, getattr(hashes, CONF.certificates.signing_digest.upper())(), backends.default_backend()) return signed_csr.public_bytes(serialization.Encoding.PEM)
def test_build_ca_request_with_rsa(self, backend): private_key = RSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), ])).add_extension(x509.BasicConstraints(ca=True, path_length=2), critical=True).sign(private_key, hashes.SHA1(), backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), ] basic_constraints = request.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2
def test_add_unsupported_extension_in_backend(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), ])).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io") ]), critical=False, ).add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False), critical=False) with pytest.raises(NotImplementedError): builder.sign(private_key, hashes.SHA256(), backend)
def certificateRequest(): user = request.form['user'] country = request.form['country'] state = request.form['state'] locality = request.form['locality'] private_key = rsa.generate_private_key( public_exponent = 65537, key_size = 2048, backend = default_backend() ) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME,str(user)), x509.NameAttribute(NameOID.COUNTRY_NAME, str(country)), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, str(state)), x509.NameAttribute(NameOID.LOCALITY_NAME,str(locality)), ])) requestcsr = builder.sign( private_key, hashes.SHA256(),default_backend() ) builder = builder.add_extension( x509.BasicConstraints(ca=False,path_length=None), critical= True ) csrpem = requestcsr.public_bytes(Encoding.PEM) with open(user+'.csr','wb') as f : f.write(csrpem) keypem = private_key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()) with open(user+'.key','wb') as f : f.write(keypem) json_response = { "csr" : csrpem, "key" : keypem } return jsonify(json_response)
def generate_certificate_request(common_name, country=None, state=None, locality=None, organization=None, organization_unit=None, email=None, passphrase=None, _backend=None): attribs = { "common_name": common_name, "country": country, "state": state, "locality": locality, "organization": organization, "organization_unit": organization_unit, "email": email, } backend = _backend or default_backend() private_key = generate_private_key(common_name + ".key", passphrase, backend) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name(x509.Name(_convert_attributes(attribs))) builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) builder = builder.add_extension(x509.SubjectAlternativeName( [x509.DNSName(common_name)]), critical=True) request = builder.sign(private_key, hashes.SHA256(), backend) with open(common_name + ".csr.pem", "wb") as fo: fo.write(request.public_bytes(serialization.Encoding.PEM)) return private_key, request
def issue_certificate(server, domains, cert_key, key): # generate csr from cryptography import x509 from cryptography.x509 import NameOID assert domains try: domains = [unicode(domain) for domain in domains] except NameError: pass name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domains[0])]) san = x509.SubjectAlternativeName( [x509.DNSName(domain) for domain in domains]) csr = x509.CertificateSigningRequestBuilder().subject_name(name) \ .add_extension(san, critical=False).sign(cert_key, hashes.SHA256(), default_backend()) csr = csr.public_bytes(serialization.Encoding.DER) # requests header = generate_header(key) nonce = get_nonce(server) payload = { 'resource': 'new-cert', 'csr': base64url_encode(csr), } r = requests.post(lookup(server, 'new-cert'), json=sign_request(payload, nonce, key)) if r.status_code == 201: # Created cert = x509.load_der_x509_certificate(r.content, default_backend()).public_bytes( serialization.Encoding.PEM) chain = r.links.get('up') if chain: inter_cert = requests.get(chain['url']).content inter_cert = x509.load_der_x509_certificate( inter_cert, default_backend()).public_bytes(serialization.Encoding.PEM) return cert + (inter_cert or b'') else: raise IOError('Issue Certificate Failed: {} {}: {}'.format( r.status_code, r.reason, r.text))
def generate_csr(common_name, dnsnames, ips, keysize): key = rsa.generate_private_key(public_exponent=65537, key_size=keysize, backend=default_backend()) key_pem = key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) csr = x509.CertificateSigningRequestBuilder() csr = csr.subject_name( x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])) csr = csr.add_extension( x509.SubjectAlternativeName(dnsnames + ips), critical=False, ) csr = csr.sign(key, hashes.SHA256(), default_backend()) csr_pem = csr.public_bytes(serialization.Encoding.PEM) return key_pem, csr_pem
def __init__(self, initializer=None, common_name=None, private_key=None, age=None): super(CertificateSigningRequest, self).__init__( initializer=initializer, age=age) if self._value is None: if isinstance(initializer, x509.CertificateSigningRequest): self._value = initializer elif isinstance(initializer, string_types): self.ParseFromString(initializer) elif common_name and private_key: self._value = x509.CertificateSigningRequestBuilder().subject_name( x509.Name( [x509.NameAttribute(oid.NameOID.COMMON_NAME, str(common_name))])).sign( private_key.GetRawPrivateKey(), hashes.SHA256(), backend=openssl.backend) elif initializer is not None: raise rdfvalue.InitializeError( "Cannot initialize %s from %s." % (self.__class__, initializer))
def make_csr_request(domains, private_key, account, order): x509_dnsnames = [] for domain in domains: x509_dnsnames.append(x509.DNSName(domain)) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'CH'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Schwyz'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Wollerau'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Intamin'), ])).add_extension(x509.SubjectAlternativeName(x509_dnsnames), critical=False).sign(private_key, hashes.SHA256(), default_backend()) payload = {} payload['csr'] = base64_encode_as_string( csr.public_bytes(serialization.Encoding.DER)) headers, response = make_request(private_key, account, order['finalize'], payload) if DEBUG: print('CSR_RESPONSE') prettyprinter.pprint(response)
def create_csr(self) -> Dict: """Creates a csr and signing it with device private key""" self._create_keys() csr_issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, COUNTRY_NAME), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, STATE), x509.NameAttribute(NameOID.LOCALITY_NAME, LOCALITY_NAME), x509.NameAttribute(NameOID.COMMON_NAME, COMMON_NAME) ]) self.csr = x509.CertificateSigningRequestBuilder().subject_name( csr_issuer).sign(self.device_pri_key, hashes.SHA256(), default_backend()) response = {} keys = self._serialize_key_pair() response.update(keys) response.update({ 'csr': self.csr.public_bytes( encoding=serialization.Encoding.PEM).decode('utf-8') }) return response
def generate_csr(private_key, filename: str, config: Configuration): # Construction des informations qui font l'objet de la certification subject = read_configuration(config) # Génération des alternatives de serveurs DNS valides pour le certificat alt_names = [] for name in config.alt_names: alt_names.append(x509.DNSName(name)) san = x509.SubjectAlternativeName(alt_names) # Génération des différents constructeurs d'objet des attributs du CSR builder = (x509.CertificateSigningRequestBuilder().subject_name( subject).add_extension(san, critical=False)) # Signature du CSR avec la clé privée csr = builder.sign(private_key, hashes.SHA256(), default_backend()) # Écriture de la requête de signature du certificat dans le fichier PEM with open(filename, "wb") as csrfile: # FIXME Expected type 'Encoding', got 'str' instead csrfile.write(csr.public_bytes(serialization.Encoding.PEM)) return csr
def test_subject_alt_names(self, backend): private_key = RSA_KEY_2048.private_key(backend) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"), ])).add_extension( x509.SubjectAlternativeName([ x509.DNSName(u"example.com"), x509.DNSName(u"*.example.com"), ]), critical=False, ).sign(private_key, hashes.SHA256(), backend) assert len(csr.extensions) == 1 ext = csr.extensions.get_extension_for_oid( x509.OID_SUBJECT_ALTERNATIVE_NAME) assert not ext.critical assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME assert list(ext.value) == [ x509.DNSName(u"example.com"), x509.DNSName(u"*.example.com"), ]
def _generate_csr(self, key, domainname): # Generate a CSR private_key = serialization.load_pem_private_key( key, password=None, backend=default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, u"BR"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"RJ"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Rio de Janeiro"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"globo.com"), x509.NameAttribute(NameOID.COMMON_NAME, domainname), ])).add_extension( x509.SubjectAlternativeName([ # Sites we want this certificate for. x509.DNSName(domainname), ]), critical=False, # Sign the CSR with our private key. ).sign(private_key, hashes.SHA256(), default_backend()) # Return serialized CSR return csr.public_bytes(serialization.Encoding.PEM)
def generate_csr(self, key): country = self.config.get(self.server, 'country') state = self.config.get(self.server, 'state') locality = self.config.get(self.server, 'locality') organization_name = self.config.get(self.server, 'organization_name') common_name = self.config.get(self.server, 'common_name') csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, country), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state), x509.NameAttribute(NameOID.LOCALITY_NAME, locality), x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name), x509.NameAttribute(NameOID.COMMON_NAME, common_name), ])).sign(key, hashes.SHA256(), default_backend()) csr_fname = '{}.csr.asc'.format(self.server) with open('{}/{}'.format(self.CONFIG_FOLDER_PATH, csr_fname), 'wb') as f: enc_csr = self.encrypt( csr.public_bytes(serialization.Encoding.PEM).decode('utf-8'), self.config.get(self.server, 'fingerprint')) f.write(bytes(str(enc_csr), 'utf-8')) return csr
def generate_csr( private_key: rsa.RSAPrivateKey = None ) -> Tuple[rsa.RSAPrivateKey, x509.CertificateSigningRequest]: """Generate a Certificate Signing Request using a few defaults. Args: private_key (rsa.RSAPrivateKey): Optional. If not supplied a key will be generated Returns: Tuple of private_key, x509.CertificateSigningRequest """ if private_key is None: private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'scepy2 client'), ])) builder = builder.add_extension( # Absolutely critical for SCEP x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False), True) csr = builder.sign(private_key, hashes.SHA512(), default_backend()) return private_key, csr
def generate_keys(id, oid): #Génération de la clef publique private_key = rsa.generate_private_key(public_exponent=65537, key_size=1024, backend=default_backend()) client_infos = x509.Name([ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'REIMS'), x509.NameAttribute(NameOID.COMMON_NAME, u'{}_{}.mrt'.format(id, oid)), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'{}'.format(id)), x509.NameAttribute(NameOID.COUNTRY_NAME, u'FR') ]) public_key = private_key.public_key() csr = x509.CertificateSigningRequestBuilder() csr = csr.subject_name(client_infos) csr = csr.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=False) csr = csr.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) private_bytes = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) public_bytes = csr.public_bytes(encoding=serialization.Encoding.PEM) #Ecriture des fichiers with open("pool/keys/{}_{}.csr".format(id, oid), "wb") as fout: fout.write(public_bytes) with open("pool/keys/{}_{}.pem".format(id, oid), "wb") as fout: fout.write(private_bytes) return public_bytes
def generate_key_and_csr(thing_name): key = rsa.generate_private_key( public_exponent=65537, key_size=4096, backend=default_backend() ) log.info("Generated private key.") csr = ( x509.CertificateSigningRequestBuilder() .subject_name( x509.Name( [ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "WA"), x509.NameAttribute(NameOID.LOCALITY_NAME, "Seattle"), x509.NameAttribute( NameOID.ORGANIZATION_NAME, "IoT Static IP Endpoints" ), x509.NameAttribute(NameOID.COMMON_NAME, thing_name), ] ) ) .sign(key, hashes.SHA256(), default_backend()) ) log.info("Generated CSR") key_pem = key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ).decode("utf-8") log.info("Encoded key in pem format") csr_pem = str(csr.public_bytes(serialization.Encoding.PEM), "utf-8") log.info("Encoded CSR in pem format") return (key_pem, csr_pem)
def makeCSR(self, identifiers): # Generate a CSR ''' csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),\ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),\ x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),\ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),\ x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),\ ])).add_extension(x509.SubjectAlternativeName([\ x509.DNSName(u"mysite.com"),\ x509.DNSName(u"www.mysite.com"),\ x509.DNSName(u"subdomain.mysite.com"),\ ]), critical = False,).sign(self.private_key, hashes.SHA256(), default_backend()) csr.public_bytes(serialization.Encoding.DER) ''' print("IDENTIFIERS ARE: ", identifiers, "and are of type ", type(identifiers)) alternatives = [None] * len( identifiers) #create array to suit csr format for i in range(len(identifiers)): alternatives[i] = x509.DNSName(identifiers[i]) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ])) builder = builder.add_extension( x509.SubjectAlternativeName(alternatives), critical=False, ) request = builder.sign(self.private_key, hashes.SHA256(), default_backend()) csr = request.public_bytes(serialization.Encoding.DER) return csr
def generate_csr(key, domain_name, platform): """ generate csr for the client certificate """ domain_id = domain_name.split(".")[0].replace('time', '') ip_offset = 16 + int(domain_id) # ~ if platform == 'mobile': # ~ ip_address = '10.175.' + str(ip_offset) + '.163' # ~ sans = [x509.IPAddress(ipaddress.IPv4Address(ip_address))] # ~ common_name = ip_address # ~ elif platform == 'desktop': # ~ common_name = domain_name sans = [x509.DNSName(domain_name)] csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"MA"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"Boston"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Northeastern"), x509.NameAttribute(NameOID.COMMON_NAME, domain_name), ])).add_extension( x509.SubjectAlternativeName(sans), critical=True, # Sign the CSR with our private key. ).sign(key, hashes.SHA256(), default_backend()) # Write our CSR out to disk. with open(domain_name + ".csr", "wb") as f: f.write(csr.public_bytes(serialization.Encoding.PEM)) return csr
def generate_signing_request( cn: str, dnsname: Optional[str] = None ) -> (rsa.RSAPrivateKey, x509.CertificateSigningRequest): """Generate a Private Key + Certificate Signing Request using the given dnsname as the CN and SAN dNSName. Args: cn (str): The certificate common name dnsname (str): The public facing dns name of the MDM server. Returns: Tuple of rsa private key, csr """ private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048, backend=default_backend(), ) name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, cn), x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'commandment') ]) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name(name) if dnsname is not None: san = x509.SubjectAlternativeName([x509.DNSName(dnsname)]) builder = builder.add_extension(san, critical=True) builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True) request = builder.sign(private_key, hashes.SHA256(), default_backend()) return private_key, request
def gen_csr( csr_key: RSAPrivateKey, common_name: str = "some.engineering", san_dns_names: Optional[List[str]] = None, san_ip_addresses: Optional[List[str]] = None, include_loopback: bool = True, ) -> CertificateSigningRequest: if san_dns_names is None: san_dns_names = get_local_hostnames(include_loopback=include_loopback, args=ArgumentParser.args) if san_ip_addresses is None: san_ip_addresses = get_local_ip_addresses( include_loopback=include_loopback, args=ArgumentParser.args) csr_build = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])) if len(san_dns_names) + len(san_ip_addresses) > 0: csr_build = csr_build.add_extension( x509.SubjectAlternativeName( [x509.DNSName(n) for n in san_dns_names] + [x509.IPAddress(make_ip(i)) for i in san_ip_addresses]), critical= False, # Optional extensions are not critical if unsupported ) return csr_build.sign(csr_key, hashes.SHA256(), default_backend())
def build_csr(domain): try: private_key = serialization.load_pem_private_key( DOMAIN_KEY, None, default_backend()) except ValueError: private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) with open(DOMAIN_KEY, "wb") as f: f.write( private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption())) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.COMMON_NAME, unicode(domain)), ])).sign(private_key, hashes.SHA256(), default_backend()) return csr
def generate_csr(private_key, filename, **kwargs): subject = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, kwargs["country"]), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, kwargs["state"]), x509.NameAttribute(NameOID.LOCALITY_NAME, kwargs["locality"]), x509.NameAttribute(NameOID.ORGANIZATION_NAME, kwargs["org"]), x509.NameAttribute(NameOID.COMMON_NAME, kwargs["hostname"]), ]) # Generate any alternative dns names alt_names = [] for name in kwargs.get("alt_names", []): alt_names.append(x509.DNSName(name)) san = x509.SubjectAlternativeName(alt_names) builder = (x509.CertificateSigningRequestBuilder().subject_name( subject).add_extension(san, critical=False)) csr = builder.sign(private_key, hashes.SHA256(), default_backend()) with open(filename, "wb") as csrfile: csrfile.write(csr.public_bytes(serialization.Encoding.PEM)) return csr
def generate_certificate_signing_request(username, passphrase, key_file): """ Generate the certificate signing request for the new user in Kubernetes """ file_location = _ensure_cert_working_path() from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.primitives import hashes key_bytes = None with open(key_file, "rb") as f: key_bytes = f.read() key = serialization.load_pem_private_key(key_bytes, bytes(passphrase, "utf-8"), default_backend()) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COMMON_NAME, u"{0}".format(username)), ])).sign(key, hashes.SHA256(), default_backend()) csr_file = Path(file_location).joinpath(f"{username}_csr.pem") # write CSR to file with open(csr_file, "wb") as f: f.write(csr.public_bytes(serialization.Encoding.PEM)) if csr_file.is_file(): return csr_file else: return None