活动

天翼云最新优惠活动,涵盖免费试用,产品折扣等,助您降本增效!
热门活动
免费活动
  • 活动
  • 产品
  • 解决方案
  • 应用商城
  • 合作伙伴
  • 开发者
  • 算力套餐
  • 支持与服务
  • 了解天翼云
searchusermenu
  • 发布文章
  • 消息中心
点赞
收藏
评论
分享
原创

使用python创建一个私有CA

SSL证书
2023-07-04 08:52:54
85
0

参考 OpenSSL Cookbook - Creating a Private Certification Authority,使用 OpenSSL 命令行可以创建一个私有CA。

本文则基于python的cryptography库,编写一个简单的私有CA,并用其来签发一套测试使用的证书。

创建自签发的root CA

普通证书的签发需要使用 CA的私钥对其进行私钥加密,root CA由于位于该条信任链的起始,只能使用自身的私钥对其进行签发,即自签发证书。

自签发证书遵循以下步骤

  1. 生成私钥
  2. 使用私钥对自身进行签发

genRootCA.py:

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime

# 生成 2048 位 rsa 私钥
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# 保存私钥到磁盘,并使用 key pass 进行加密
with open("rootca.key.secure", "wb") as f:
    f.write(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.BestAvailableEncryption(b"12345678")
    ))

# Various details about who we are. For a self-signed certificate the
# subject and issuer are always the same.
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CN"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Sichuan"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Chengdu"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"ctyun elb"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"test root CA"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    # Our certificate will be valid for 1 years default
    datetime.datetime.utcnow() + datetime.timedelta(365)
).add_extension(
    x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),
    critical=False,
# 使用root CA的私钥签发root CA证书
).sign(key, hashes.SHA256())
# 保存证书到磁盘
with open("rootca.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

执行程序

python3 genRootCA.py

得到受密码保护的RSA私钥(rootca.key.secure)和证书(rootca.pem)

使用root CA签发普通证书

root CA我们使用上一步得到的 rootca.key.secure 和 rootca.pem。

普通证书签发遵循以下步骤

  1. 加载CA私钥
  2. 生成私钥
  3. 使用CA私钥对证书进行签发

genCert.py:

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime

# 加载 root CA 的证书与私钥
with open("rootca.pem", 'rb') as f:
    datas = f.read()
    cacert = x509.load_pem_x509_certificate(datas)
with open("rootca.key.secure", 'rb') as f:
    datas = f.read()
    cakey = serialization.load_pem_private_key(datas,b'12345678')

# 生成 2048 位 rsa 私钥
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# 保存私钥到磁盘,并使用 key pass 进行加密
with open("www.example.com.key.secure", "wb") as f:
    f.write(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.BestAvailableEncryption(b"12345678")
    ))

# 保存私钥到磁盘,不加密
with open("www.example.com.key.unsecure", "wb") as f:
    f.write(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption()
    ))

# Various details about who we are. For a self-signed certificate the
# subject and issuer are always the same.
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CN"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Sichuan"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Chengdu"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"ctyun elb"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"www.example.com"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    cacert.subject
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    # Our certificate will be valid for 1 years default
    datetime.datetime.utcnow() + datetime.timedelta(365)
).add_extension(
    x509.SubjectAlternativeName([x509.DNSName(u"example.com")]),
    critical=False,
# 使用root CA的私钥签发root CA证书
).sign(cakey, hashes.SHA256())
# 保存证书到磁盘
with open("www.example.com.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

执行程序

python3 genCert.py

得到受密码保护的RSA私钥(www.example.com.key.secure)、不受密码保护的RSA私钥(www.example.com.key.unsecure)和证书(www.example.com.pem)

 

这里提供一个更加完善的程序:orzPrivateCA

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

0条评论
0 / 1000
renz2048
2文章数
0粉丝数
renz2048
2 文章 | 0 粉丝
Ta的热门文章查看更多
使用python创建一个私有CA证书与私钥基本操作
renz2048
2文章数
0粉丝数
renz2048
2 文章 | 0 粉丝
原创

使用python创建一个私有CA

SSL证书
2023-07-04 08:52:54
85
0

参考 OpenSSL Cookbook - Creating a Private Certification Authority,使用 OpenSSL 命令行可以创建一个私有CA。

本文则基于python的cryptography库,编写一个简单的私有CA,并用其来签发一套测试使用的证书。

创建自签发的root CA

普通证书的签发需要使用 CA的私钥对其进行私钥加密,root CA由于位于该条信任链的起始,只能使用自身的私钥对其进行签发,即自签发证书。

自签发证书遵循以下步骤

  1. 生成私钥
  2. 使用私钥对自身进行签发

genRootCA.py:

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime

# 生成 2048 位 rsa 私钥
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# 保存私钥到磁盘,并使用 key pass 进行加密
with open("rootca.key.secure", "wb") as f:
    f.write(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.BestAvailableEncryption(b"12345678")
    ))

# Various details about who we are. For a self-signed certificate the
# subject and issuer are always the same.
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CN"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Sichuan"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Chengdu"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"ctyun elb"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"test root CA"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    # Our certificate will be valid for 1 years default
    datetime.datetime.utcnow() + datetime.timedelta(365)
).add_extension(
    x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),
    critical=False,
# 使用root CA的私钥签发root CA证书
).sign(key, hashes.SHA256())
# 保存证书到磁盘
with open("rootca.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

执行程序

python3 genRootCA.py

得到受密码保护的RSA私钥(rootca.key.secure)和证书(rootca.pem)

使用root CA签发普通证书

root CA我们使用上一步得到的 rootca.key.secure 和 rootca.pem。

普通证书签发遵循以下步骤

  1. 加载CA私钥
  2. 生成私钥
  3. 使用CA私钥对证书进行签发

genCert.py:

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime

# 加载 root CA 的证书与私钥
with open("rootca.pem", 'rb') as f:
    datas = f.read()
    cacert = x509.load_pem_x509_certificate(datas)
with open("rootca.key.secure", 'rb') as f:
    datas = f.read()
    cakey = serialization.load_pem_private_key(datas,b'12345678')

# 生成 2048 位 rsa 私钥
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# 保存私钥到磁盘,并使用 key pass 进行加密
with open("www.example.com.key.secure", "wb") as f:
    f.write(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.BestAvailableEncryption(b"12345678")
    ))

# 保存私钥到磁盘,不加密
with open("www.example.com.key.unsecure", "wb") as f:
    f.write(key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption()
    ))

# Various details about who we are. For a self-signed certificate the
# subject and issuer are always the same.
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"CN"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Sichuan"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Chengdu"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"ctyun elb"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"www.example.com"),
])
cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    cacert.subject
).public_key(
    key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    # Our certificate will be valid for 1 years default
    datetime.datetime.utcnow() + datetime.timedelta(365)
).add_extension(
    x509.SubjectAlternativeName([x509.DNSName(u"example.com")]),
    critical=False,
# 使用root CA的私钥签发root CA证书
).sign(cakey, hashes.SHA256())
# 保存证书到磁盘
with open("www.example.com.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

执行程序

python3 genCert.py

得到受密码保护的RSA私钥(www.example.com.key.secure)、不受密码保护的RSA私钥(www.example.com.key.unsecure)和证书(www.example.com.pem)

 

这里提供一个更加完善的程序:orzPrivateCA

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

文章来自个人专栏
https
2 文章 | 1 订阅
0条评论
0 / 1000
请输入你的评论
0
0
售前咨询热线
400-810-9889转1
关注天翼云
  • 天翼云微信公众号
  • APP
    天翼云APP
服务与支持
账户管理
快速入口
云网生态
了解天翼云
热门产品
热门推荐
更多推荐
友情链接
©2024 天翼云科技有限公司版权所有 增值电信业务经营许可证A2.B1.B2-20090001
公司地址:北京市东城区青龙胡同甲1号、3号2幢2层205-32室
备案京公网安备11010802043424号京ICP备 2021034386号