
My task is to generate a PEM key and certificate with a password using pyOpenSSL or analogs.

The main requirement is that the implementation must be in Python.

With openssl, I do the following:

openssl req -new -days 365 -newkey rsa:1024 -x509 -keyout clientkey.pem -out clientcert.pem

and I specify the password online.

Andronicus
miol

1 Answer

According to your command, with the password 12345678, your code should be:

from OpenSSL import crypto

TYPE_RSA = crypto.TYPE_RSA
TYPE_DSA = crypto.TYPE_DSA


def createKeyPair(type, bits):
    """
    Create a public/private key pair.
    Arguments: type - Key type, must be one of TYPE_RSA and TYPE_DSA
               bits - Number of bits to use in the key
    Returns:   The public/private key pair in a PKey object
    """
    pkey = crypto.PKey()
    pkey.generate_key(type, bits)
    return pkey


def createCertRequest(pkey, digest="sha256", **name):
    """
    Create a certificate request.
    Arguments: pkey   - The key to associate with the request
               digest - Digest method to use for signing, default is sha256
               **name - The name of the subject of the request, possible
                        arguments are:
                          C     - Country name
                          ST    - State or province name
                          L     - Locality name
                          O     - Organization name
                          OU    - Organizational unit name
                          CN    - Common name
                          emailAddress - E-mail address
    Returns:   The certificate request in an X509Req object
    """
    req = crypto.X509Req()
    subj = req.get_subject()

    for (key, value) in name.items():
        setattr(subj, key, value)

    req.set_pubkey(pkey)
    req.sign(pkey, digest)
    return req


def createCertificate(req, issuerCertKey, serial, validityPeriod,
                      digest="sha256"):
    """
    Generate a certificate given a certificate request.
    Arguments: req            - Certificate request to use
               issuerCertKey  - Tuple (issuerCert, issuerKey): the certificate
                                of the issuer (or, for a self-signed
                                certificate, the request itself) and the
                                issuer's private key
               serial         - Serial number for the certificate
               validityPeriod - Tuple (notBefore, notAfter): offsets in
                                seconds relative to now when the certificate
                                starts and stops being valid
               digest         - Digest method to use for signing, default is sha256
    Returns:   The signed certificate in an X509 object
    """
    issuerCert, issuerKey = issuerCertKey
    notBefore, notAfter = validityPeriod
    cert = crypto.X509()
    cert.set_serial_number(serial)
    cert.gmtime_adj_notBefore(notBefore)
    cert.gmtime_adj_notAfter(notAfter)
    cert.set_issuer(issuerCert.get_subject())
    cert.set_subject(req.get_subject())
    cert.set_pubkey(req.get_pubkey())
    cert.sign(issuerKey, digest)
    return cert


if __name__ == "__main__":
    ONE_YEAR = 60 * 60 * 24 * 365  # validity in seconds, matching -days 365

    cakey = createKeyPair(TYPE_RSA, 1024)  # rsa:1024, as in the openssl command
    careq = createCertRequest(cakey, CN='Certificate Authority')
    # Self-signed: the request supplies the issuer subject and the same key signs it
    cacert = createCertificate(careq, (careq, cakey), 0, (0, ONE_YEAR))

    # The passphrase only takes effect together with a cipher: without `cipher`,
    # dump_privatekey writes the key unencrypted. The passphrase must be bytes.
    with open('clientkey.pem', 'wb') as f:
        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, cakey,
                                       cipher='aes-256-cbc', passphrase=b'12345678'))
    with open('clientcert.pem', 'wb') as f:
        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))

For more information see pyOpenSSL.

Ali Hallaji
  • Your code generates a key and certificate. But unfortunately without a password. – miol Feb 08 '19 at 10:51
  • You mean passphrase @miol – Ali Hallaji Feb 08 '19 at 11:05
  • Yes passphrase. I was not accurate. I found the answer "Dump the private key pkey into a buffer string encoded with the type type. Optionally (if type is FILETYPE_PEM) encrypting it using cipher and passphrase." – miol Feb 08 '19 at 11:26
  • This line `cacert = createCertificate(careq, (careq, cakey),0, (0, 60 * 60 * 24 * 365)) # one year` is unreadable – WhyWhat Jul 04 '20 at 21:05
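As an added check (not part of the answer above or of pyOpenSSL), the stdlib-only script below inspects a PEM file and reports whether its private key is actually encrypted, which is exactly what miol's comment found missing: a legacy PEM key written by pyOpenSSL marks encryption with `Proc-Type: 4,ENCRYPTED` and `DEK-Info` headers, while a PKCS#8 key (as written by the `cryptography` library) uses the `ENCRYPTED PRIVATE KEY` label. The sample PEM strings are constructed placeholders, not real key material.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

@dataclass
class PemBlock:
    label: str
    encrypted: bool
    cipher: Optional[str]  # DEK-Info cipher for legacy PEM; None for PKCS#8 (cipher is inside the DER)

def inspect_pem(text: str) -> List[PemBlock]:
    """Return one PemBlock per PEM block found in text, in file order."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, body = m.group("label"), m.group("body").replace("\r\n", "\n")
        # Legacy (RFC 1421 style) encryption: header lines, a blank line, then base64
        headers = {}
        head, blank, _ = body.partition("\n\n")
        if blank:
            for line in head.splitlines():
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
        if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted key
            blocks.append(PemBlock(label, True, None))
        elif headers.get("Proc-Type") == "4,ENCRYPTED":  # legacy PEM encrypted key
            cipher = headers.get("DEK-Info", "").split(",")[0] or None
            blocks.append(PemBlock(label, True, cipher))
        else:
            blocks.append(PemBlock(label, False, None))
    return blocks

def private_key_is_encrypted(text: str) -> bool:
    """True only if every private-key block in text is encrypted; error if there is none."""
    keys = [b for b in inspect_pem(text) if b.label.endswith("PRIVATE KEY")]
    if not keys:
        raise ValueError("no private key block found")
    return all(b.encrypted for b in keys)

# Constructed samples: the bodies are placeholders, not real key material.
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\nplaceholder\n"
                        "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIEplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Run `private_key_is_encrypted(open("clientkey.pem").read())` on the file the answer's script writes; it returns False for the original call without `cipher` and True once the cipher is supplied.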