From: Seth Vidal
Date: Thu, 22 Apr 2010 21:07:59 +0000 (-0400)
Subject: - add BasicConstraints CA:TRUE for a ca cert, false for the others
X-Git-Tag: v0.28~15
X-Git-Url: https://pwan.org/git/?a=commitdiff_plain;h=8d70412c35fb1f0538577ec578e5f0568421dcf0;p=certmaster.git

- add BasicConstraints CA:TRUE for a ca cert, false for the others
- make signature digest sha - instead of md5
- make certs ver 3 not ver 1
- closes rh bug: https://bugzilla.redhat.com/show_bug.cgi?id=583047
---

diff --git a/certmaster/certs.py b/certmaster/certs.py
index 554822e..81409f3 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -96,7 +96,11 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
 cacert.set_issuer(careq.get_subject())
 cacert.set_subject(careq.get_subject())
 cacert.set_pubkey(careq.get_pubkey())
- cacert.sign(cakey, 'md5')
+ cacert.set_version(2)
+ xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ cacert.add_extensions((xt,))
+ cacert.sign(cakey, 'sha1')
 if ca_cert_file:
 destfo = open(ca_cert_file, 'w')
 destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
@@ -134,7 +138,11 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
 cert.set_issuer(cacert.get_subject())
 cert.set_subject(csr.get_subject())
 cert.set_pubkey(csr.get_pubkey())
- cert.sign(cakey, 'md5')
+ cert.set_version(2)
+ xt = crypto.X509Extension('basicConstraints', False ,'CA:False')
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ cacert.add_extensions((xt,))
+ cert.sign(cakey, 'sha1')
 if slave_cert_file:
 destfo = open(slave_cert_file, 'w')
 destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
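Review bot: The extension's critical flag is passed as the bare int `1` in the create_ca hunk while the create_slave_certificate hunk passes `False`; both are booleans to pyOpenSSL, so `True` reads more clearly and keeps the two call sites consistent: `xt = crypto.X509Extension('basicConstraints', True, 'CA:TRUE')`. The FIXME comment on the following added line ends with a stray `)`. The digest name `'sha1'` is repeated verbatim in both hunks; a module-level constant (e.g. `SIGNING_DIGEST = 'sha1'`, name constructed) would let a later move to a stronger digest such as sha256 happen in one place. create_ca's body continues outside the hunk on both sides.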
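Review bot: In the create_slave_certificate hunk the new extension is attached to the wrong certificate: `cacert.add_extensions((xt,))` mutates the CA object passed in, so the issued slave certificate is signed and written without any basicConstraints, and the in-memory CA picks up a `CA:False` constraint it should never carry. The line should be `cert.add_extensions((xt,))`. Separately, OpenSSL's parser for this extension value accepts `TRUE`/`FALSE` (and the all-lowercase forms), and as far as I recall rejects a mixed-case `CA:False` when the extension is built, so the value should be `'CA:FALSE'`, matching the `'CA:TRUE'` used in create_ca. The enclosing function's body continues outside the hunk.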