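def create_client_pair(self, o: str, cn: str, *, validity_days: int = 365) -> tuple[crypto.PKey, crypto.X509]:
    """Issue an X.509 v3 client key/certificate pair signed by this CA.

    Args:
        o: Organization (O) placed in the certificate subject.
        cn: Common Name (CN) placed in the certificate subject.
        validity_days: Certificate lifetime counted from "now". Defaults to
            one year, which was previously hard-coded.

    Returns:
        A ``(key, cert)`` tuple: the freshly generated RSA private key and the
        ``crypto.X509`` certificate signed with ``self.key``.

    Raises:
        ValueError: if ``validity_days`` is not positive.
    """
    if validity_days <= 0:
        raise ValueError(f"validity_days must be positive, got {validity_days!r}")

    # Fresh 2048-bit RSA key for the client.
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)

    cert = crypto.X509()
    # NOTE(review): serials come from a sequential per-class counter, so they
    # are predictable and unique only for this process's lifetime — confirm
    # the counter is persisted if the CA outlives the process.
    cert.set_serial_number(self.__next_serial)
    # The X.509 version field is zero-based: 2 means v3, required for extensions.
    cert.set_version(2)
    cert.set_pubkey(key)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(validity_days * 24 * 60 * 60)

    subject = cert.get_subject()
    subject.O = o
    subject.OU = 'kOVHernetes'
    subject.CN = cn
    # RFC 5280 name chaining: the leaf's issuer DN must equal the signing CA's
    # *subject* DN. Copying the CA's own issuer DN only works for a self-signed
    # CA (subject == issuer) and breaks path validation under an intermediate.
    cert.set_issuer(self.cert.get_subject())

    extensions = [
        crypto.X509Extension(b'subjectKeyIdentifier', False, b'hash', subject=cert),
        # authorityKeyIdentifier is derived from the *issuing* certificate
        # (its SKI, or its subject + serial). Deriving it from the leaf itself
        # produces an AKI that validators cannot match to the CA.
        crypto.X509Extension(b'authorityKeyIdentifier', False, b'keyid,issuer', issuer=self.cert),
        crypto.X509Extension(b'basicConstraints', False, b'CA:FALSE'),
        crypto.X509Extension(b'keyUsage', True, b'nonRepudiation, digitalSignature, keyEncipherment'),
        crypto.X509Extension(b'extendedKeyUsage', True, b'clientAuth'),
    ]
    cert.add_extensions(extensions)

    # Sign with the CA private key, then advance the shared serial counter so
    # the next issued certificate gets a distinct serial.
    cert.sign(self.key, 'sha256')
    type(self).__next_serial += 1
    return key, cert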