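    def create(cls, name, certificate):
        """
        Create a TLS CA. The certificate must be compatible with OpenSSL
        and be in PEM format. The certificate can be either a file with
        the Root CA, or a raw string starting with BEGIN CERTIFICATE, etc.
        When creating a TLS CA, you must also import the CA certificate. Once
        the CA is created, it is possible to import a different certificate to
        map to the CA if necessary.

        When ``certificate`` is a file, the first certificate block in it is
        used. PRIVATE KEY blocks that happen to be in the same file are
        skipped, so key material is never submitted as the CA certificate.

        :param str name: name of root CA
        :param str,file certificate: The root CA contents
        :raises CreateElementFailed: failed to create the root CA
        :raises ValueError: if loading from file and no certificates present
        :raises IOError: cannot find specified file for certificate
        :rtype: TLSCertificateAuthority
        """
        if pem_as_string(certificate):
            # Raw PEM string: submitted as given.
            pem_cert = certificate
        else:
            # load_cert_chain returns (header, body) pairs and may include a
            # private key entry; never pick that up as the "certificate".
            cert_bodies = [
                pem[1] for pem in load_cert_chain(certificate)
                if b"PRIVATE KEY" not in pem[0]
            ]
            if not cert_bodies:
                raise ValueError(
                    "No certificate found in the provided certificate file.")
            pem_cert = cert_bodies[0].decode("utf-8")

        payload = {"name": name, "certificate": pem_cert}
        return ElementCreator(cls, payload)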
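 def create(cls, name, certificate):
     """
     Create a TLS CA. The certificate must be compatible with OpenSSL
     and be in PEM format. The certificate can be either a file with
     the Root CA, or a raw string starting with BEGIN CERTIFICATE, etc.
     When creating a TLS CA, you must also import the CA certificate. Once
     the CA is created, it is possible to import a different certificate to
     map to the CA if necessary.

     When ``certificate`` is a file, the first certificate block in it is
     used. PRIVATE KEY blocks that happen to be in the same file are
     skipped, so key material is never submitted as the CA certificate.

     :param str name: name of root CA
     :param str,file certificate: The root CA contents
     :raises CreateElementFailed: failed to create the root CA
     :raises ValueError: if loading from file and no certificates present
     :raises IOError: cannot find specified file for certificate
     :rtype: TLSCertificateAuthority
     """
     if pem_as_string(certificate):
         # Raw PEM string: submitted as given.
         pem_cert = certificate
     else:
         # load_cert_chain returns (header, body) pairs and may include a
         # private key entry; never pick that up as the 'certificate'.
         cert_bodies = [
             pem[1] for pem in load_cert_chain(certificate)
             if b'PRIVATE KEY' not in pem[0]
         ]
         if not cert_bodies:
             raise ValueError(
                 'No certificate found in the provided certificate file.')
         pem_cert = cert_bodies[0].decode('utf-8')

     payload = {'name': name, 'certificate': pem_cert}
     return ElementCreator(cls, payload)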
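    def import_from_chain(cls, name, certificate_file, private_key=None):
        """
        Import the server certificate, intermediate and optionally private
        key from a certificate chain file. The expected format of the chain
        file follows RFC 4346.
        In short, the server certificate should come first, followed by
        any intermediate certificates, optionally followed by
        the root trusted authority. The private key can be anywhere in this
        order. See https://tools.ietf.org/html/rfc4346#section-7.4.2.

        .. note:: There is no validation done on the certificates, therefore
            the order is assumed to be true. Only the first two certificate
            entries are used: the first is imported as the server certificate
            and the second, when present, as the intermediate. Any further
            entries (typically the root CA) are ignored and should be
            separately imported as a trusted root CA using
            :class:`~TLSCertificateAuthority.create`

        You can optionally provide a separate location for a private key file
        if this is not within the chain file contents. A private key found in
        the chain file takes precedence over the ``private_key`` argument.

        .. warning:: A private key is required to create a valid TLS Server
            Credential.

        :param str name: name of TLS Server Credential
        :param str certificate_file: fully qualified path to chain file or file object
        :param str private_key: fully qualified path to private key file or file object
        :raises IOError: error occurred reading or finding specified file
        :raises ValueError: Format issues with chain file or empty
        :rtype: TLSServerCredential
        """
        # load_cert_chain returns (header, body) pairs; separate key material
        # from certificates. If several keys are present the last one wins.
        certificates = []
        for pem in load_cert_chain(certificate_file):
            if b"PRIVATE KEY" in pem[0]:
                private_key = pem[1]
            else:
                certificates.append(pem)

        if not private_key:
            raise ValueError(
                "Private key was not found in chain file and "
                "was not provided. The private key is required to create a "
                "TLS Server Credential.")

        if not certificates:
            raise ValueError(
                "No certificates found in certificate chain file. Did you "
                "provide only a private key?")

        certificate = certificates[0][1]
        intermediate = certificates[1][1] if len(certificates) > 1 else None

        # The credential element exists server-side as soon as create()
        # returns. Roll it back on any failure during the imports (not only
        # CertificateImportError; presumably an unreadable private_key path
        # raises here too) so a half-configured credential is not left behind.
        tls = TLSServerCredential.create(name)
        try:
            tls.import_certificate(certificate)
            tls.import_private_key(private_key)
            if intermediate is not None:
                tls.import_intermediate_certificate(intermediate)
        except Exception:
            tls.delete()
            raise
        return tls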
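    def import_from_chain(cls, name, certificate_file, private_key=None):
        """
        Import the server certificate, intermediate and optionally private
        key from a certificate chain file. The expected format of the chain
        file follows RFC 4346.
        In short, the server certificate should come first, followed by
        any intermediate certificates, optionally followed by
        the root trusted authority. The private key can be anywhere in this
        order. See https://tools.ietf.org/html/rfc4346#section-7.4.2.

        .. note:: There is no validation done on the certificates, therefore
            the order is assumed to be true. Only the first two certificate
            entries are used: the first is imported as the server certificate
            and the second, when present, as the intermediate. Any further
            entries (typically the root CA) are ignored and should be
            separately imported as a trusted root CA using
            :class:`~TLSCertificateAuthority.create`

        You can optionally provide a separate location for a private key file
        if this is not within the chain file contents. A private key found in
        the chain file takes precedence over the ``private_key`` argument.

        .. warning:: A private key is required to create a valid TLS Server
            Credential.

        :param str name: name of TLS Server Credential
        :param str certificate_file: fully qualified path to chain file or file object
        :param str private_key: fully qualified path to private key file or file object
        :raises IOError: error occurred reading or finding specified file
        :raises ValueError: Format issues with chain file or empty
        :rtype: TLSServerCredential
        """
        # load_cert_chain returns (header, body) pairs; separate key material
        # from certificates. If several keys are present the last one wins.
        certificates = []
        for pem in load_cert_chain(certificate_file):
            if b'PRIVATE KEY' in pem[0]:
                private_key = pem[1]
            else:
                certificates.append(pem)

        if not private_key:
            raise ValueError('Private key was not found in chain file and '
                'was not provided. The private key is required to create a '
                'TLS Server Credential.')

        if not certificates:
            raise ValueError('No certificates found in certificate chain file. Did you '
                'provide only a private key?')

        certificate = certificates[0][1]
        intermediate = certificates[1][1] if len(certificates) > 1 else None

        # The credential element exists server-side as soon as create()
        # returns. Roll it back on any failure during the imports (not only
        # CertificateImportError; presumably an unreadable private_key path
        # raises here too) so a half-configured credential is not left behind.
        tls = TLSServerCredential.create(name)
        try:
            tls.import_certificate(certificate)
            tls.import_private_key(private_key)
            if intermediate is not None:
                tls.import_intermediate_certificate(intermediate)
        except Exception:
            tls.delete()
            raise
        return tls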