Sign CSR from client using CA root certificate in python

python-2.7 openssl ssl-certificate m2crypto pyopenssl
nishi picture nishi · Apr 16, 2014 · Viewed 10.9k times · Source

I am new to python and still learning it so my question can be little naive. Please bear with it ;)

The problem is client will be sending CSR and I want to sign it with my CA root certificate and return the signed certificate back to client.

I have been using this command to do it using command line

openssl x509 -req -in device.csr -CA root.pem -CAkey root.key -CAcreateserial -out device.crt -days 500

same thing I want achieve using python. I have come across python library for openssl pyopenssl

is it possible using this library ? How ? or shoudl I go for M2Crypto ?

Answer

Harshawardhan picture Harshawardhan · Apr 16, 2014

You can indeed go with pyOpenSSL. As you are saying you already have CA root certificate and a private key, and CSR will be sent by a client then you can use functions of crypto to read all those ( CA cert, private key and Device CSR ) from file or manage to have them in buffer.

Use below functions to start with. Check dir(crypto) and crypto.function_name.__doc__on python interpreter for more info :) You need to import crypto from pyOpenSSL

  1. crypto.load_certificate_request() - to get device CSR obj
  2. crypto.load_privatekey() - to get private key obj for CA private key
  3. crypto.load_certificate() - to get CA root certificate

then you can write simple funcation to return certificate 

def create_cert():
    cert = crypto.X509()
    cert.set_serial_number(serial_no)
    cert.gmtime_adj_notBefore(notBeforeVal)
    cert.gmtime_adj_notAfter(notAfterVal)
    cert.set_issuer(caCert.get_subject())
    cert.set_subject(deviceCsr.get_subject())
    cert.set_pubkey(deviceCsr.get_pubkey())
    cert.sign(CAprivatekey, digest)
    return cert

where caCert , deviceCsr and CAprivatekey are values from above three funcations. Now that you have certificate with you, you can write this to a file using crypto.dump_certificate(crypto.FILETYPE_PEM, cert) with file name of your choice.

You can modify this function as per your requirement. After this you can verify generated device certificate with CA root certificate with openssl command e.g. openssl verify -CApath <CA cert path> <name of device cert file>

You can also go through few examples from github. M2Crypto Example , pyOpenSSL example

Hope this gives you idea about the implementation

Related questions

How to install OpenSSL for Python

I need to install OpenSSL on my python2.7. I tried $ pip install pyopenssl And I got the following /usr/local/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'zip_safe' warnings.warn(msg) running build running build_py running …

Read More
Iterating over dictionaries using 'for' loops

I am a bit puzzled by the following code: d = {'x': 1, 'y': 2, 'z': 3} for key in d: print key, 'corresponds to', d[key] What I don't understand is the key portion. How does Python recognize that it needs only to …

Read More
What is the result of % in Python?

What does the % in a calculation? I can't seem to work out what it does. Does it work out a percent of the calculation for example: 4 % 2 is apparently equal to 0. How?

Read More