From 8d70412c35fb1f0538577ec578e5f0568421dcf0 Mon Sep 17 00:00:00 2001 From: Seth Vidal Date: Thu, 22 Apr 2010 17:07:59 -0400 Subject: [PATCH] - add BasicConstraints CA:TRUE for a ca cert, false for the others - make signature digest sha - instead of md5 - make certs ver 3 not ver 1 - closes rh bug: https://bugzilla.redhat.com/show_bug.cgi?id=583047 --- certmaster/certs.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/certmaster/certs.py b/certmaster/certs.py index 554822e..81409f3 100644 --- a/certmaster/certs.py +++ b/certmaster/certs.py @@ -96,7 +96,11 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f cacert.set_issuer(careq.get_subject()) cacert.set_subject(careq.get_subject()) cacert.set_pubkey(careq.get_pubkey()) - cacert.sign(cakey, 'md5') + cacert.set_version(2) + xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE') + # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too) + cacert.add_extensions((xt,)) + cacert.sign(cakey, 'sha1') if ca_cert_file: destfo = open(ca_cert_file, 'w') destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert)) @@ -134,7 +138,11 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None): cert.set_issuer(cacert.get_subject()) cert.set_subject(csr.get_subject()) cert.set_pubkey(csr.get_pubkey()) - cert.sign(cakey, 'md5') + cert.set_version(2) + xt = crypto.X509Extension('basicConstraints', False ,'CA:False') + # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too) + cacert.add_extensions((xt,)) + cert.sign(cakey, 'sha1') if slave_cert_file: destfo = open(slave_cert_file, 'w') destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) -- 2.39.5