【发布时间】:2018-11-07 07:02:06
【问题描述】:
有没有办法在 x509 中创建一个带有扩展名的替代发行人名称? 到目前为止我的代码:
from OpenSSL import crypto
def generate_self_signed_cert(cert_dir, is_valid=True):
"""Generate a SSL certificate.
If the cert_path and the key_path are present they will be overwritten.
"""
#Keys
private_key=crypto.load_privatekey(crypto.FILETYPE_PEM,open("/root/Desktop/Key2","rb").read())
public_key=crypto.load_publickey(crypto.FILETYPE_PEM,open("/root/Desktop/Key1","rb").read())
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = 't'
cert.get_subject().ST = 't'
cert.get_subject().L = 's'
cert.get_subject().O = 'd'
cert.get_subject().OU = 'g'
cert.get_subject().CN = 'g'
cert.set_serial_number(01)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(3655555555)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(public_key)
cert.add_extensions([
crypto.X509Extension("basicConstraints", False, "CA:FALSE"),
crypto.X509Extension("keyUsage", True, "Digital Signature, Non Repudiation"),
])
cert.set_version(2)
cert.sign(private_key, 'sha256')
with open(cert_dir+"Cert.cert", 'w+') as fd:
fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
generate_self_signed_cert("/root/Desktop/")
代码运行良好。我只需要添加一个替代发行人名称。这应该通过扩展来完成,对吧?
【问题讨论】:
-
是的。我不经常看到发行人替代名称,但主题替代名称非常常见。您确定不想要主题替代名称吗?
标签: python certificate x509certificate pyopenssl