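def self_signed_cert_gen(
        key_type=crypto.TYPE_RSA,
        key_bits=4096,
        country="US",
        state_province="California",
        locality="San Francisco",
        org="Your Company",
        org_unit="Team",
        common_name="www.domain.com",
        subject_alt_names=None,  # alternative DNS names as a list
        # ^ must look like: ["DNS:*.domain.com", "DNS:domain.ym"]
        validity_days=10 * 365):
    """Generate a key pair and a self-signed X.509 certificate for it.

    Args:
        key_type: pyOpenSSL key type constant passed to ``PKey.generate_key``.
        key_bits: Size of the generated key in bits.
        country, state_province, locality, org, org_unit, common_name:
            Values for the subject fields C, ST, L, O, OU and CN.
        subject_alt_names: Optional list of subjectAltName entries, each
            already prefixed with its type (e.g. ``"DNS:example.com"``).
            ``None`` or an empty list adds no extension.
        validity_days: Lifetime of the certificate, counted from now.

    Returns:
        A tuple ``(private_key_pem, certificate_pem)`` of PEM-encoded bytes.

    The private key is returned as unencrypted PEM; the caller is
    responsible for storing it with restrictive permissions. A self-signed
    certificate carries no third-party trust: relying parties have to pin
    it or install it explicitly.
    """
    # Create a key pair
    k = crypto.PKey()
    k.generate_key(key_type, key_bits)

    # Create a self-signed cert
    cert = crypto.X509()
    subject = cert.get_subject()
    subject.C = country
    subject.ST = state_province
    subject.L = locality
    subject.O = org
    subject.OU = org_unit
    subject.CN = common_name

    if subject_alt_names:
        # Extensions only exist in X.509 v3 (encoded as version value 2);
        # a v1 certificate carrying them is rejected by strict validators.
        cert.set_version(2)
        san_value = ", ".join(subject_alt_names).encode("utf-8")
        cert.add_extensions([
            crypto.X509Extension("subjectAltName".encode("utf-8"), False,
                                 san_value)
        ])

    # Take the serial number from the OS CSPRNG rather than the predictable
    # Mersenne Twister behind random.getrandbits().
    cert.set_serial_number(random.SystemRandom().getrandbits(64))
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(validity_days * 24 * 60 * 60)
    cert.set_issuer(subject)  # self-signed: issuer == subject
    cert.set_pubkey(k)
    # SHA-1 signatures are collision-prone and refused by current TLS
    # stacks and browsers; sign with SHA-256 instead.
    cert.sign(k, 'sha256')

    # return a tuple of the private key and the self-signed cert
    return (crypto.dump_privatekey(crypto.FILETYPE_PEM, k),
            crypto.dump_certificate(crypto.FILETYPE_PEM, cert))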