Sign CSR from client using CA root certificate in python

nishi picture nishi · Apr 16, 2014 · Viewed 10.9k times · Source

I am new to python and still learning it so my question can be little naive. Please bear with it ;)

The problem is client will be sending CSR and I want to sign it with my CA root certificate and return the signed certificate back to client.

I have been using this command to do it using command line

openssl x509 -req -in device.csr -CA root.pem -CAkey root.key -CAcreateserial -out device.crt -days 500

same thing I want achieve using python. I have come across python library for openssl pyopenssl

is it possible using this library ? How ? or shoudl I go for M2Crypto ?

Answer

Harshawardhan picture Harshawardhan · Apr 16, 2014

You can indeed go with pyOpenSSL. As you are saying you already have CA root certificate and a private key, and CSR will be sent by a client then you can use functions of crypto to read all those ( CA cert, private key and Device CSR ) from file or manage to have them in buffer.

Use below functions to start with. Check dir(crypto) and crypto.function_name.__doc__on python interpreter for more info :) You need to import crypto from pyOpenSSL

  1. crypto.load_certificate_request() - to get device CSR obj
  2. crypto.load_privatekey() - to get private key obj for CA private key
  3. crypto.load_certificate() - to get CA root certificate

then you can write simple funcation to return certificate

def create_cert():
    cert = crypto.X509()
    cert.set_serial_number(serial_no)
    cert.gmtime_adj_notBefore(notBeforeVal)
    cert.gmtime_adj_notAfter(notAfterVal)
    cert.set_issuer(caCert.get_subject())
    cert.set_subject(deviceCsr.get_subject())
    cert.set_pubkey(deviceCsr.get_pubkey())
    cert.sign(CAprivatekey, digest)
    return cert

where caCert , deviceCsr and CAprivatekey are values from above three funcations. Now that you have certificate with you, you can write this to a file using crypto.dump_certificate(crypto.FILETYPE_PEM, cert) with file name of your choice.

You can modify this function as per your requirement. After this you can verify generated device certificate with CA root certificate with openssl command e.g. openssl verify -CApath <CA cert path> <name of device cert file>

You can also go through few examples from github. M2Crypto Example , pyOpenSSL example

Hope this gives you idea about the implementation