pyOpenSSL creating a pem file

I've created a key pair using the following code in Python with pyOpenSSL:

from OpenSSL import crypto
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
  1. Now how can I create the private and public key .pem files from the key object?
  2. If there is any tutorial available please let me know. I found none. From the manual, it's difficult to know as I'm new to OpenSSL.
  3. What are the chances that the same code will create two same key pairs if there is no specific unique key being used in RSA?

I hope this will help people in the future, because I had this same need and couldn't find an answer so I did it myself. Thought I would share it with you.

1. Creating a PEM file

bio_pub = _new_mem_buf()  # Memory buffers to write to
bio_priv = _new_mem_buf()

helper = OpenSSL.crypto._PassphraseHelper(OpenSSL.crypto.FILETYPE_PEM, None)

pk = OpenSSL.crypto.PKey()
pk.generate_key(OpenSSL.crypto.TYPE_RSA, n)  # n: key size in bits, e.g. 2048

# Convert from EVP_PKEY type to RSA type
rsa_pkey = _lib.EVP_PKEY_get1_RSA(pk._pkey)


result_code = _lib.PEM_write_bio_RSAPublicKey(bio_pub, rsa_pkey)
result_code = _lib.PEM_write_bio_RSAPrivateKey(
    bio_priv, rsa_pkey, _ffi.NULL, _ffi.NULL, 0,
    helper.callback, helper.callback_args)

After this part you will have the public and private keys in your buffers. To get them as strings you can call the functions:

_bio_to_string(bio_pub), _bio_to_string(bio_priv)

I used these imports for the special "private" functions of OpenSSL.crypto:

import OpenSSL
from OpenSSL._util import lib as _lib, ffi as _ffi
from OpenSSL.crypto import _new_mem_buf, _bio_to_string
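
An added example, not part of the original question or answers: the same export done with pyOpenSSL's public `dump_privatekey` and `dump_publickey` functions instead of the underscore-prefixed internals, with the private key file created as mode 0600. It assumes a pyOpenSSL version that provides `dump_publickey`; the function names and the `private.pem` / `public.pem` file names are choices made for this example.

```python
import os
import tempfile

from OpenSSL import crypto


def generate_rsa_pem_pair(bits=2048):
    """Return (private_pem, public_pem) as bytes for a fresh RSA key."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)
    # Unencrypted PEM; pass cipher= and passphrase= to dump_privatekey to encrypt it.
    private_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
    public_pem = crypto.dump_publickey(crypto.FILETYPE_PEM, key)
    return private_pem, public_pem


def write_secret_file(path, data):
    """Create path readable by the owner only; refuse to overwrite an existing file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


def write_key_pair(directory, bits=2048):
    """Write private.pem (mode 0600) and public.pem into directory."""
    private_pem, public_pem = generate_rsa_pem_pair(bits)
    private_path = os.path.join(directory, "private.pem")
    public_path = os.path.join(directory, "public.pem")
    write_secret_file(private_path, private_pem)
    with open(public_path, "wb") as handle:
        handle.write(public_pem)
    return private_path, public_path


def public_pem_from_private_file(path):
    """Reload a private key file and re-derive the public half from it."""
    with open(path, "rb") as handle:
        key = crypto.load_privatekey(crypto.FILETYPE_PEM, handle.read())
    return crypto.dump_publickey(crypto.FILETYPE_PEM, key)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        priv, pub = write_key_pair(workdir)
        with open(pub, "rb") as handle:
            matches = handle.read() == public_pem_from_private_file(priv)
        print("public.pem matches private.pem:", matches)
```
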

I know this is an old question - but as I've just found it I thought I'd add an answer.

The easiest way to do this with Python 3.x is to use PyCryptodome.

Then in Python (for a 2048-bit key):

from Cryptodome.PublicKey import RSA
key = RSA.generate(2048)
pv_key_string = key.exportKey()
with open("private.pem", "w") as prv_file:
    print("{}".format(pv_key_string.decode()), file=prv_file)

pb_key_string = key.publickey().exportKey()
with open("public.pem", "w") as pub_file:
    print("{}".format(pb_key_string.decode()), file=pub_file)

If you want to check the private key on the (Linux) command-line use:

$ openssl rsa -check -inform pem -noout -in private.pem 
RSA key ok
...

You can create a .pem key by following this tutorial at:

https://help.ubuntu.com/community/OpenSSL

That supposes you want to create a CA (certificate authority) certificate, which is a little complicated because you already have to get a CA from somewhere, because it's not free.

If you only want to create a key just for your SSL connection test, it is better to create a self-signed certificate.

Then make sure first that you have installed openssl and that you have resolved the CN (Common Name) on your server. Without that you will have trouble using the created certificate.

For the self-signed certificate use this command line:

$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
$ rm server.pass.key
$ openssl req -new -key server.key -out server.csr   # (list of questions to answer)
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 

After you have created the certificate, you have to activate your server's mod-ssl and add the line saying where your certificate is located. Later you have to insert that certificate into your IE certificate list to get it to work with your Apache SSL connection daemon.
