Python 2.7 使用pyopenssl创建自签名证书
我正在尝试使用pyopenssl生成ac自签名X509v3 CA证书。 我想添加扩展权限密钥标识符(AKID),其中keyid包含主题密钥标识符(SKID) 但我下面的代码块并没有将滑动复制到AKID,而是抛出了一个异常 代码如下Python 2.7 使用pyopenssl创建自签名证书,python-2.7,openssl,x509certificate,self-signed,pyopenssl,Python 2.7,Openssl,X509certificate,Self Signed,Pyopenssl,我正在尝试使用pyopenssl生成ac自签名X509v3 CA证书。 我想添加扩展权限密钥标识符(AKID),其中keyid包含主题密钥标识符(SKID) 但我下面的代码块并没有将滑动复制到AKID,而是抛出了一个异常 代码如下 import OpenSSL key = OpenSSL.crypto.PKey() key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048) ca = OpenSSL.crypto.X509() ca.set_version
import OpenSSL
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
ca = OpenSSL.crypto.X509()
ca.set_version(2)
ca.set_serial_number(1)
ca.get_subject().CN = "ca.example.com"
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
OpenSSL.crypto.X509Extension("basicConstraints", True,
"CA:TRUE, pathlen:0"),
OpenSSL.crypto.X509Extension("keyUsage", True,
"keyCertSign, cRLSign"),
OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
subject=ca),
OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
])
ca.sign(key, "sha1")
open("MyCertificate.crt.bin", "wb").write(
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, ca))
Traceback (most recent call last):
File "C:\Documents and Settings\Administrator\Desktop\Certificate\certi.py", line 21, in <module>
OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
Error: [('X509 V3 routines', 'V2I_AUTHORITY_KEYID', 'unable to get issuer keyid'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]
抛出的异常如下所示
import OpenSSL
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
ca = OpenSSL.crypto.X509()
ca.set_version(2)
ca.set_serial_number(1)
ca.get_subject().CN = "ca.example.com"
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
OpenSSL.crypto.X509Extension("basicConstraints", True,
"CA:TRUE, pathlen:0"),
OpenSSL.crypto.X509Extension("keyUsage", True,
"keyCertSign, cRLSign"),
OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
subject=ca),
OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
])
ca.sign(key, "sha1")
open("MyCertificate.crt.bin", "wb").write(
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, ca))
Traceback (most recent call last):
File "C:\Documents and Settings\Administrator\Desktop\Certificate\certi.py", line 21, in <module>
OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
Error: [('X509 V3 routines', 'V2I_AUTHORITY_KEYID', 'unable to get issuer keyid'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]
这意味着您正在使用的CA密钥未设置subjectKeyIdentifier 在您的示例中,您正在使用尚未设置subjectKeyIdentifier的ca引用创建authorityKeyIdentifier 如果您将代码a更改为:
ca.add_extensions([
OpenSSL.crypto.X509Extension("basicConstraints", True,
"CA:TRUE, pathlen:0"),
OpenSSL.crypto.X509Extension("keyUsage", True,
"keyCertSign, cRLSign"),
OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
subject=ca),
])
ca.add_extensions([
OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
])
然后它就起作用了