async def create_certs(self):
"""Create and set ownership for the certs to be used for internal ssl
Keyword Arguments:
alt_names (list): a list of alternative names to identify the
server by, see:
https://en.wikipedia.org/wiki/Subject_Alternative_Name
override: override the default_names with the provided alt_names
Returns:
dict: Path to cert files and CA
This method creates certs for use with the singleuser notebook. It
enables SSL and ensures that the notebook can perform bi-directional
SSL auth with the hub (verification based on CA).
If the singleuser host has a name or ip other than localhost,
an appropriate alternative name(s) must be passed for ssl verification
by the hub to work. For example, for Jupyter hosts with an IP of
10.10.10.10 or DNS name of jupyter.example.com, this would be:
alt_names=["IP:10.10.10.10"]
alt_names=["DNS:jupyter.example.com"]
respectively. The list can contain both the IP and DNS names to refer
to the host by either IP or DNS name (note the `default_names` below).
"""
from certipy import Certipy
default_names = ["DNS:localhost", "IP:127.0.0.1"]
alt_names = []
alt_names.extend(self.ssl_alt_names)
if self.ssl_alt_names_include_local:
alt_names = default_names + alt_names
self.log.info("Creating certs for %s: %s",
self._log_name,
';'.join(alt_names),
)
common_name = self.user.name or 'service'
certipy = Certipy(store_dir=self.internal_certs_location)
notebook_component = 'notebooks-ca'
notebook_key_pair = certipy.create_signed_pair(
'user-' + common_name,
notebook_component,
alt_names=alt_names,
overwrite=True
)
paths = {
"keyfile": notebook_key_pair['files']['key'],
"certfile": notebook_key_pair['files']['cert'],
"cafile": self.internal_trust_bundles[notebook_component],
}
return paths
def ssl_setup(cert_dir, authority_name):
# Set up the external certs with the same authority as the internal
# one so that certificate trust works regardless of chosen endpoint.
certipy = Certipy(store_dir=cert_dir)
alt_names = ["DNS:localhost", "IP:127.0.0.1"]
internal_authority = certipy.create_ca(authority_name, overwrite=True)
external_certs = certipy.create_signed_pair(
"external", authority_name, overwrite=True, alt_names=alt_names
)
return external_certs
def ssl_setup(cert_dir, authority_name):
# Set up the external certs with the same authority as the internal
# one so that certificate trust works regardless of chosen endpoint.
certipy = Certipy(store_dir=cert_dir)
alt_names = ["DNS:localhost", "IP:127.0.0.1"]
internal_authority = certipy.create_ca(authority_name, overwrite=True)
external_certs = certipy.create_signed_pair(
"external", authority_name, overwrite=True, alt_names=alt_names
)
return external_certs
def main():
describe_certipy = """
Certipy: Create simple, self-signed certificate authorities and certs.
"""
parser = argparse.ArgumentParser(description=describe_certipy)
parser.add_argument('name',
help="""Name of the cert to create,
defaults to creating a CA cert. If no signing
--ca-name specified.""")
parser.add_argument('--ca-name',
help="The name of the CA to sign this cert.",
default="")
parser.add_argument(
'--overwrite',
action="store_true",
help="If the cert already exists, bump the serial and overwrite it.")
parser.add_argument('--rm',
action="store_true",
help="Remove the cert specified by name.")
parser.add_argument('--cert-type',
default="rsa",
choices=['rsa', 'dsa'],
help="The type of cert to create.")
parser.add_argument('--bits',
type=int,
default=2048,
help="The number of bits to use.")
parser.add_argument('--valid',
type=int,
default=5,
help="Years the cert is valid for.")
parser.add_argument(
'--alt-names',
default="",
help="Alt names for the certificate (comma delimited).")
parser.add_argument('--store-dir',
default="out",
help="The location for the store and certs.")
args = parser.parse_args()
certipy = Certipy(store_dir=args.store_dir)
cert_type = crypto.TYPE_RSA if args.cert_type is "rsa" else crypto.TYPE_DSA
record = None
if args.rm:
try:
record = certipy.store.remove_files(args.name, delete_dir=True)
print("Deleted:")
for key, val in record.items():
print(key.upper(), val)
except CertificateAuthorityInUseError as e:
print("Unable to delete.", e)
sys.exit(0)
alt_names = None
if args.alt_names:
alt_names = [_.strip() for _ in args.alt_names.split(',')]
if args.ca_name:
ca_record = certipy.store.get_record(args.ca_name)
if ca_record:
try:
record = certipy.create_signed_pair(args.name,
args.ca_name,
cert_type=cert_type,
bits=args.bits,
years=args.valid,
alt_names=alt_names,
overwrite=args.overwrite)
except CertExistsError as e:
print(e)
else:
print("CA {} not found. Must specify an exisiting authority to"
" sign this cert.".format(args.ca_name))
else:
try:
record = certipy.create_ca(args.name,
cert_type=cert_type,
bits=args.bits,
years=args.valid,
alt_names=alt_names,
overwrite=args.overwrite)
except CertExistsError as e:
print(e)
if record:
for key, val in record.items():
print(key.upper(), val)
