2013-02-20 200 views
6

I am trying to generate a self-signed X509v3 CA certificate with pyOpenSSL. I want to add an authorityKeyIdentifier (AKID) extension whose keyid contains the subjectKeyIdentifier (SKID). But my code block below does not copy the SKID into the AKID and instead throws an exception. Please help me fix this :) The code that creates the self-signed certificate with pyOpenSSL is as follows

import OpenSSL 

key = OpenSSL.crypto.PKey() 
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048) 

ca = OpenSSL.crypto.X509() 
ca.set_version(2) 
ca.set_serial_number(1) 
ca.get_subject().CN = "ca.example.com" 
ca.gmtime_adj_notBefore(0) 
ca.gmtime_adj_notAfter(24 * 60 * 60) 
ca.set_issuer(ca.get_subject()) 
ca.set_pubkey(key) 
ca.add_extensions([ 
    OpenSSL.crypto.X509Extension("basicConstraints", True, 
           "CA:TRUE, pathlen:0"), 
    OpenSSL.crypto.X509Extension("keyUsage", True, 
           "keyCertSign, cRLSign"), 
    OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", 
           subject=ca), 
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca) 
    ]) 
ca.sign(key, "sha1") 
open("MyCertificate.crt.bin", "wb").write(
      OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, ca)) 

The exception thrown is as follows

Traceback (most recent call last): 
    File "C:\Documents and Settings\Administrator\Desktop\Certificate\certi.py", line 21, in <module> 
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca) 
Error: [('X509 V3 routines', 'V2I_AUTHORITY_KEYID', 'unable to get issuer keyid'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')] 

Now, if I remove "always" from the keyid argument on that line, i.e. the following line of code

OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid", issuer=ca)

I get an empty keyid field in the AKID; it does not contain the SKID, as shown below

  00:84:13:70:73:fe:29:61:5f:33:7d:b3:74:97:3b: 
      3a:f3:11:01:7c:b8:37:a8:8c:72:81:ee:92:fd:91: 
      8a:11:b3:b3:02:b4:97:d5:f8:1b:91:54:7e:15:49: 
      26:6d 
     Exponent: 65537 (0x10001) 
X509v3 extensions: 
    X509v3 Basic Constraints: critical 
     CA:TRUE, pathlen:0 
    X509v3 Key Usage: critical 
     Certificate Sign, CRL Sign 
    X509v3 Subject Key Identifier: 
     CE:D1:31:DE:CF:E3:E2:BC:6C:73:3D:55:F0:88:53:0A:F1:DC:31:14 
    X509v3 Authority Key Identifier: 
     0. 
Signature Algorithm: sha1WithRSAEncryption 
    0b:7b:28:f6:b9:1e:6e:ec:53:6a:c5:77:db:c5:3f:5e:1d:ab: 
    e5:43:73:eb:52:24:af:39:2b:aa:a3:f6:34:e1:92:4b:3b:5e: 
    b6:1 

Thanks in advance.

Answer

7

這意味着您正在使用的CA密鑰沒有設置subjectKeyIdentifier。

In your example you are creating the authorityKeyIdentifier with a reference to ca, and ca does not have a subjectKeyIdentifier set yet.

If you change your code to:

ca.add_extensions([ 
    OpenSSL.crypto.X509Extension("basicConstraints", True, 
           "CA:TRUE, pathlen:0"), 
    OpenSSL.crypto.X509Extension("keyUsage", True, 
           "keyCertSign, cRLSign"), 
    OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", 
           subject=ca), 
    ]) 
ca.add_extensions([ 
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca) 
    ]) 

then it works.
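As an added worked example (not code from the question or the answer above), here is the same CA built with the cryptography package, which pyOpenSSL wraps and whose X.509 API pyOpenSSL now recommends in place of the deprecated X509Extension. It makes the answer's ordering rule explicit: AuthorityKeyIdentifier.from_issuer_subject_key_identifier takes the already-computed SKID object as its input, so the AKID keyid cannot silently come out empty the way it did in the question. The function names build_self_signed_ca, check_key_identifiers and verify_self_signature are my own, and the CN and one-day validity are constructed example values.

```python
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def build_self_signed_ca(common_name="ca.example.com", days=1):
    """Build a self-signed X.509v3 CA whose AKID keyid equals its SKID.

    Same shape as the corrected pyOpenSSL answer: compute the SKID first
    (OpenSSL's "hash" method), then derive the AKID from that SKID.
    CN and validity are constructed example values.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)

    # Step 1: SKID = SHA-1 over the DER of the subjectPublicKey bit string,
    # which is what pyOpenSSL/OpenSSL mean by "hash".
    skid = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    # Step 2: AKID derived from the SKID above. This is the dependency the
    # answer describes: the SKID must exist before the AKID can reference it.
    akid = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(skid)

    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer is the subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=False, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=True, crl_sign=True,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(skid, critical=False)
        .add_extension(akid, critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def check_key_identifiers(cert):
    """Return a dict describing the SKID/AKID relationship in `cert`.

    'skid_equals_akid' is the property the question was after; 'skid_is_hash'
    recomputes the RFC 5280 method-1 identifier independently with hashlib.
    """
    skid = cert.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_KEY_IDENTIFIER).value.digest
    akid = cert.extensions.get_extension_for_oid(
        ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value.key_identifier
    # For RSA the subjectPublicKey BIT STRING carries the PKCS#1 RSAPublicKey.
    spk_der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.PKCS1)
    return {
        "skid": skid,
        "akid_keyid": akid,
        "skid_equals_akid": skid == akid,
        "skid_is_hash": skid == hashlib.sha1(spk_der).digest(),
    }


def verify_self_signature(cert):
    """True if `cert` is signed by its own public key (a self-signed root)."""
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except Exception:
        return False


if __name__ == "__main__":
    _key, ca = build_self_signed_ca()
    print(check_key_identifiers(ca))
    print("self-signature valid:", verify_self_signature(ca))
    # DER output, as in the question's MyCertificate.crt.bin
    with open("MyCertificate.crt.bin", "wb") as f:
        f.write(ca.public_bytes(serialization.Encoding.DER))
```

Running the module writes the DER file and prints the two identifiers; inspecting the file with openssl x509 -inform DER -text should then show the Authority Key Identifier line carrying the same 20-byte value as the Subject Key Identifier instead of the empty "0." in the question. check_key_identifiers also recomputes the SKID with plain hashlib, which is a cheap check to keep around when you are unsure which public-key encoding a tool hashed.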