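def generate_ca(config_ca):
    """Build and self-sign an X.509 v3 CA certificate from ``config_ca``.

    Required keys: ``serial`` (positive int), ``keyfilesize`` (passed through
    to ``openssl_generate_privatekey``) and ``hashalgorithm`` (OpenSSL digest
    name used for the signature, e.g. ``"sha256"``).  Optional keys: the
    subject attributes listed in the loop below, plus ``validfrom`` /
    ``validto`` (ASN.1 time strings as accepted by ``set_notBefore`` /
    ``set_notAfter``, e.g. ``b"20240101000000Z"``).

    Returns ``(ca, key)``: the signed ``crypto.X509`` certificate and its
    ``crypto.PKey`` private key.  The key is returned unencrypted; the caller
    is responsible for protecting it (encrypted storage, restricted file
    permissions, or an HSM/KMS).

    Raises ``ValueError`` if ``serial`` is not positive: RFC 5280 4.1.2.2
    requires a positive serial number and many verifiers reject 0 or
    negative values outright.
    """
    serial = config_ca['serial']
    if serial <= 0:
        raise ValueError(
            "CA serial number must be a positive integer, got %r" % (serial,))

    ca = crypto.X509()
    ca.set_version(2)  # zero-based: 2 == X.509 v3, required to carry extensions
    ca.set_serial_number(serial)

    # Copy whichever subject attributes the config supplies, in this order.
    subject = ca.get_subject()
    for field in ('commonName', 'stateOrProvinceName', 'localityName',
                  'organizationName', 'organizationalUnitName',
                  'emailAddress', 'countryName'):
        if field in config_ca:
            setattr(subject, field, config_ca[field])

    # NOTE(review): a missing bound leaves that validity timestamp unset on the
    # certificate; callers are presumably expected to supply both -- confirm.
    if 'validfrom' in config_ca:
        ca.set_notBefore(config_ca['validfrom'])
    if 'validto' in config_ca:
        ca.set_notAfter(config_ca['validto'])

    key = openssl_generate_privatekey(config_ca['keyfilesize'])

    # Self-signed: issuer == subject.  The issuer name and the public key must
    # be on the certificate BEFORE the extensions are built: the
    # subjectKeyIdentifier "hash" value is derived from the subject
    # certificate's public key, and authorityKeyIdentifier "keyid" is copied
    # from the issuer's SKI.  Building them against a certificate with no
    # public key yet does not yield an identifier that matches the real key.
    ca.set_issuer(subject)
    ca.set_pubkey(key)

    # Extension names/values are bytes: current pyOpenSSL on Python 3 rejects
    # str here, and b"..." is a plain str on Python 2, so both work.
    ca.add_extensions([
        # Critical: this is a CA and may issue at most one tier of sub-CA.
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:1"),
        # Critical, as RFC 5280 4.2.1.3 recommends for conforming CAs: the key
        # is restricted to signing certificates and CRLs.
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
        crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
    ])
    # Second pass so the SKI added above already exists to be referenced.
    ca.add_extensions([
        crypto.X509Extension(b"authorityKeyIdentifier", False, b"keyid:always",
                             issuer=ca),
    ])

    # The signature digest is taken from config unvalidated; use sha256 or
    # stronger -- md5/sha1-signed CAs are rejected by current TLS stacks.
    ca.sign(key, config_ca['hashalgorithm'])
    return ca, key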