def_country = 'UN'
def_state = 'FC'
-def_local = 'Func-ytown'
-def_org = 'func'
+def_local = 'Certmaster-town'
+def_org = 'certmaster'
def_ou = 'slave-key'
return pkey
-def make_csr(pkey, dest=None, cn=None):
+def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None):
req = crypto.X509Req()
req.get_subject()
subj = req.get_subject()
subj.OU = def_ou
if cn:
subj.CN = cn
+ elif hostname:
+ subj.CN = hostname
else:
- subj.CN = utils.get_hostname()
- subj.emailAddress = 'root@%s' % subj.CN
+ subj.CN = utils.gethostname()
+
+ if emailaddr:
+ subj.emailAddress = emailaddr
+ else:
+ subj.emailAddress = 'root@%s' % subj.CN
req.set_pubkey(pkey)
req.sign(pkey, 'md5')
return cert
-def create_ca(CN="Func Certificate Authority", ca_key_file=None, ca_cert_file=None):
+def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None):
cakey = make_keypair(dest=ca_key_file)
careq = make_csr(cakey, cn=CN)
cacert = crypto.X509()
cacert.set_issuer(careq.get_subject())
cacert.set_subject(careq.get_subject())
cacert.set_pubkey(careq.get_pubkey())
- cacert.sign(cakey, 'md5')
+ cacert.set_version(2)
+ xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ cacert.add_extensions((xt,))
+ cacert.sign(cakey, 'sha1')
if ca_cert_file:
destfo = open(ca_cert_file, 'w')
destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
cert.set_issuer(cacert.get_subject())
cert.set_subject(csr.get_subject())
cert.set_pubkey(csr.get_pubkey())
- cert.sign(cakey, 'md5')
+ cert.set_version(2)
+ xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ cacert.add_extensions((xt,))
+ cert.sign(cakey, 'sha1')
if slave_cert_file:
destfo = open(slave_cert_file, 'w')
destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
destfo.close()
return cert
+
+def check_cert_key_match(cert, key):
+ if not isinstance(cert, crypto.X509Type):
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+ if not isinstance(key, crypto.PKeyType):
+ key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
+
+ from OpenSSL import SSL
+ context = SSL.Context(SSL.SSLv3_METHOD)
+ try:
+ context.use_certificate(cert)
+ context.use_privatekey(key)
+ return True
+ except:
+ return False