
How to generate a certificate using pyOpenSSL to make a secure connection?

I generate a self-signed certificate:

import os

from django.conf import settings  # Django project settings (MEDIA_ROOT, ROOT_CRT_PATH)
from OpenSSL import crypto

CA_KEY_FILE = os.path.join(settings.ROOT_CRT_PATH, 'rootCA.key')
CA_CERT_FILE = os.path.join(settings.ROOT_CRT_PATH, 'rootCA.crt')


def create_self_signed_cert_root(cleanned_data):
    # Generate the root key pair
    k = crypto.PKey()
    k.generate_key(crypto.TYPE_RSA, 2048)

    cert = crypto.X509()

    # Fill in the subject from the submitted form data
    cert.get_subject().C = cleanned_data['country']
    cert.get_subject().ST = cleanned_data['state']
    cert.get_subject().L = cleanned_data['location']
    cert.get_subject().O = cleanned_data['organization']
    if cleanned_data['organizational_unit_name']:
        cert.get_subject().OU = cleanned_data['organizational_unit_name']
    cert.get_subject().CN = cleanned_data['cn']
    if cleanned_data['email']:
        cert.get_subject().emailAddress = cleanned_data['email']

    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)
    # Self-signed: the issuer is the subject, signed with its own key
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(k)
    cert.sign(k, 'sha256')

    key_path = os.path.join(settings.MEDIA_ROOT, CA_KEY_FILE)
    cert_path = os.path.join(settings.MEDIA_ROOT, CA_CERT_FILE)

    if not os.path.exists(os.path.join(settings.MEDIA_ROOT, settings.ROOT_CRT_PATH)):
        os.mkdir(os.path.join(settings.MEDIA_ROOT, settings.ROOT_CRT_PATH))

    with open(cert_path, 'wb') as f:
        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))

    with open(key_path, 'wb') as f:
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))

After that I generate a certificate signed by the first certificate:

def create_signed_cert(cn):
    ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.path.join(settings.MEDIA_ROOT, CA_CERT_FILE)).read())

    ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.path.join(settings.MEDIA_ROOT, CA_KEY_FILE)).read())

    k = crypto.PKey()
    k.generate_key(crypto.TYPE_RSA, 2048)

    cert = crypto.X509()

    cert.get_subject().C = models.RootCrt.objects.first().country
    cert.get_subject().ST = models.RootCrt.objects.first().state
    cert.get_subject().L = models.RootCrt.objects.first().location
    cert.get_subject().O = models.RootCrt.objects.first().organization
    if models.RootCrt.objects.first().organizational_unit_name:
        cert.get_subject().OU = models.RootCrt.objects.first().organizational_unit_name
    cert.get_subject().CN = cn
    if models.RootCrt.objects.first().email:
        cert.get_subject().emailAddress = models.RootCrt.objects.first().email

    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)
    cert.set_issuer(ca_cert.get_subject())
    cert.set_pubkey(k)
    cert.sign(ca_key, 'sha256')

    if not os.path.exists(os.path.join(settings.MEDIA_ROOT, cn)):
        os.mkdir(os.path.join(settings.MEDIA_ROOT, cn))

    with open(os.path.join(settings.MEDIA_ROOT, cn, cn + '.crt'), 'wb') as f:
        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))

    with open(os.path.join(settings.MEDIA_ROOT, cn, cn + '.key'), 'wb') as f:
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))

But it does not work. After importing the root certificate into the browser, I still get an insecure connection. If I do it through OpenSSL, then everything works.

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt
openssl genrsa -out server101.mycloud.key 2048
openssl req -new -key server101.mycloud.key -out server101.mycloud.csr
openssl x509 -req -in server101.mycloud.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server101.mycloud.crt -days 5000

I do not understand why the connection is insecure.

Solved it. It was necessary to create a request first, and then the certificate:

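def create_signed_cert(cn):
    ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.path.join(settings.MEDIA_ROOT, CA_CERT_FILE)).read())

    ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.path.join(settings.MEDIA_ROOT, CA_KEY_FILE)).read())

    k = crypto.PKey()
    k.generate_key(crypto.TYPE_RSA, 2048)

    # Build the certificate request for the new key
    cert_req = crypto.X509Req()

    cert_req.get_subject().C = models.RootCrt.objects.first().country
    cert_req.get_subject().ST = models.RootCrt.objects.first().state
    cert_req.get_subject().L = models.RootCrt.objects.first().location
    cert_req.get_subject().O = models.RootCrt.objects.first().organization
    if models.RootCrt.objects.first().organizational_unit_name:
        cert_req.get_subject().OU = models.RootCrt.objects.first().organizational_unit_name
    cert_req.get_subject().CN = cn
    if models.RootCrt.objects.first().email:
        cert_req.get_subject().emailAddress = models.RootCrt.objects.first().email

    cert_req.set_pubkey(k)
    # A request is signed with the requester's own key, not the CA key
    cert_req.sign(k, 'sha256')

    # Issue the certificate from the request and sign it with the CA key
    cert = crypto.X509()
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)
    cert.set_issuer(ca_cert.get_subject())
    cert.set_subject(cert_req.get_subject())
    cert.set_pubkey(cert_req.get_pubkey())
    cert.sign(ca_key, 'sha256')

    # Save the certificate and key, as in the first version of this function
    if not os.path.exists(os.path.join(settings.MEDIA_ROOT, cn)):
        os.mkdir(os.path.join(settings.MEDIA_ROOT, cn))

    with open(os.path.join(settings.MEDIA_ROOT, cn, cn + '.crt'), 'wb') as f:
        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))

    with open(os.path.join(settings.MEDIA_ROOT, cn, cn + '.key'), 'wb') as f:
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))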
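
The posted fix no longer calls set_serial_number(1000) on the leaf, so the leaf stops sharing issuer name and serial number with the root; RFC 5280 requires serial numbers to be unique per issuer. The check below is an added example, not part of the original post, written with the `cryptography` package (a dependency of pyOpenSSL) instead of `OpenSSL.crypto`. The root name "Example Root", the one-year validity and the subjectAltName check (current browsers match host names against that extension rather than CN) are assumptions of the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, pubkey, issuer_cn, signing_key, serial, extensions):
    """Build and sign one certificate; extensions is a list of (ext, critical)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name(subject_cn))
               .issuer_name(name(issuer_cn)).public_key(pubkey).serial_number(serial)
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical)
    return builder.sign(signing_key, hashes.SHA256())

def audit(root, leaf, hostname):
    """Return the reasons a client that trusts root could still refuse leaf."""
    problems = []
    if leaf.issuer == root.issuer and leaf.serial_number == root.serial_number:
        problems.append("serial reused under one issuer")
    try:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        if hostname not in san.value.get_values_for_type(x509.DNSName):
            problems.append("hostname not in subjectAltName")
    except x509.ExtensionNotFound:
        problems.append("no subjectAltName")
    try:  # RSA PKCS#1 v1.5 signature check of the leaf against the root key
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("not signed by root key")
    return problems

def demo(host="server101.mycloud"):  # host name from the question's openssl commands
    # Constructed test data: "Example Root" and the one-year validity are assumptions.
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_ext = [(x509.BasicConstraints(ca=True, path_length=None), True)]
    root = issue("Example Root", ca_key.public_key(), "Example Root", ca_key, 1000, ca_ext)
    # Leaf as in the question: serial 1000 again, no extensions.
    as_posted = issue(host, leaf_key.public_key(), "Example Root", ca_key, 1000, [])
    san = [(x509.SubjectAlternativeName([x509.DNSName(host)]), False)]
    fixed = issue(host, leaf_key.public_key(), "Example Root", ca_key,
                  x509.random_serial_number(), san)
    return audit(root, as_posted, host), audit(root, fixed, host)
```

`demo()` returns the findings for the leaf built like the question's version and for the leaf with a random serial and a subjectAltName entry.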
