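def mkreq(bits, ca=0, cn=cert_cn, c=cert_c):
    """Generate an RSA key pair and a self-signed PKCS#10 request for it.

    Args:
        bits: RSA modulus size in bits, passed straight to ``RSA.gen_key``.
        ca: truthy when the request is for a CA; in that case no
            subjectAltName / nsComment extensions are attached.
        cn: subject common name; for non-CA requests it is also used as the
            ``DNS:`` subjectAltName entry.
        c: subject country attribute.

    Returns:
        ``(request, pkey)`` where ``request`` is the signed ``X509.Request``
        and ``pkey`` is the ``EVP.PKey`` wrapping the generated RSA key.

    Raises:
        RuntimeError: if the freshly signed request does not verify against
            the signing key or against the key embedded in the request.
    """
    pk = EVP.PKey()
    x = X509.Request()
    # Public exponent 65537 (F4); ``callback`` is the module-level progress hook.
    rsa = RSA.gen_key(bits, 65537, callback)
    pk.assign_rsa(rsa)
    x.set_pubkey(pk)
    name = x.get_subject()
    name.C = c
    name.CN = cn
    if not ca:
        # Leaf requests carry the CN as a DNS SAN; a CA request gets no SAN.
        ext1 = X509.new_extension('subjectAltName', 'DNS:' + cn)
        ext2 = X509.new_extension('nsComment', 'Hello there')
        extstack = X509.X509_Extension_Stack()
        extstack.push(ext1)
        extstack.push(ext2)
        x.add_extensions(extstack)
    x.sign(pk, 'sha256')
    # Explicit checks rather than ``assert``: asserts are stripped under -O,
    # which would silently skip the self-verification of the request.
    if not x.verify(pk):
        raise RuntimeError('CSR signature does not verify with the signing key')
    pk2 = x.get_pubkey()
    if not x.verify(pk2):
        raise RuntimeError('CSR signature does not verify with its embedded public key')
    return x, pk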
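def generate_and_sign_cert(req, pk, sign_key, issuer_cn, issuer_c, ca=True, serial=1):
    """Issue an X.509 v3 certificate for the subject and key in ``req``.

    The certificate is valid for one year starting now and is signed with
    ``sign_key`` using SHA-256.

    Args:
        req: the ``X509.Request`` whose subject and public key are certified.
        pk: the requester's ``EVP.PKey``; passed through unchanged in the
            return value.
        sign_key: ``EVP.PKey`` of the issuer used to sign the certificate.
        issuer_cn: issuer common name.
        issuer_c: issuer country attribute.
        ca: when true (the default, matching the previous behaviour) the
            certificate carries ``basicConstraints CA:TRUE`` and can itself
            sign further certificates; pass ``False`` for end-entity
            certificates so they cannot be used as an issuer.
        serial: certificate serial number. The default of 1 is only suitable
            for throwaway test certificates; an issuer must give every
            certificate a unique serial.

    Returns:
        ``(cert, pk, pkey)`` where ``cert`` is the signed ``X509.X509``,
        ``pk`` is the argument passed in and ``pkey`` is the public key
        taken from the request.
    """
    pkey = req.get_pubkey()
    sub = req.get_subject()
    cert = X509.X509()
    cert.set_serial_number(serial)
    # X.509 version field is zero-based: 2 means v3 (required for extensions).
    cert.set_version(2)
    cert.set_subject(sub)
    # ``int`` instead of ``long`` so the code also runs on Python 3.
    # NOTE(review): time.time() is already seconds since the UTC epoch; adding
    # time.timezone shifts notBefore/notAfter by the local UTC offset — confirm
    # this is intended.
    t = int(time.time()) + time.timezone
    now = ASN1.ASN1_UTCTIME()
    now.set_time(t)
    nowPlusYear = ASN1.ASN1_UTCTIME()
    nowPlusYear.set_time(t + 60 * 60 * 24 * 365)
    cert.set_not_before(now)
    cert.set_not_after(nowPlusYear)
    issuer = X509.X509_Name()
    issuer.C = issuer_c
    issuer.CN = issuer_cn
    cert.set_issuer(issuer)
    cert.set_pubkey(pkey)
    # basicConstraints decides whether this certificate may act as a CA.
    # Previously every certificate was marked CA:TRUE, which lets any leaf
    # holder issue certificates that chain to this issuer; ``ca`` makes that
    # an explicit choice.
    ext = X509.new_extension('basicConstraints', 'CA:TRUE' if ca else 'CA:FALSE')
    cert.add_ext(ext)
    cert.sign(sign_key, 'sha256')
    return cert, pk, pkey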