
Using pyOpenSSL I want to create

  1. a key pair for self-signing
  2. a certificate signing request (csr)
  3. a self-signed-certificate

When I use the OpenSSL command-line tool, I use the following commands to do that:

  1. a key pair for self-signing

    openssl genrsa -out pkey.pem 2048

    openssl rsa -in pkey.pem -out public-pkey.pem -outform PEM -pubout

  2. a certificate signing request (csr)

    openssl req -new -key pkey.pem -subj "/C=US/O=XXX/CN=XXX" -days 365 -out csrrequest.csr

  3. a self-signed-certificate

    openssl x509 -in csrrequest.csr -req -signkey pkey.pem -days 365 -set_serial 0x12345 -sha256 -out selfsignedcert.pem

This works! The server accepts the self-signed certificate and returns a server-signed certificate.

For pyOpenSSL I use the following code:

  1. a key pair for self-signing

    from OpenSSL import crypto

    psec = crypto.PKey()
    psec.generate_key(crypto.TYPE_RSA, 2048)

  2. a certificate signing request (csr)

    csrrequest = crypto.X509Req()
    csrrequest.get_subject().C = "US"
    csrrequest.get_subject().O = "XXX"
    csrrequest.get_subject().CN = "XXX"
    csrrequest.set_pubkey(psec)

  3. a self-signed-certificate

    selfsignedcert = crypto.X509()
    selfsignedcert.set_serial_number(12345)
    selfsignedcert.gmtime_adj_notBefore(0)
    selfsignedcert.gmtime_adj_notAfter(365*24*60*60)
    selfsignedcert.set_subject(csrrequest.get_subject())
    selfsignedcert.set_issuer(selfsignedcert.get_subject())
    selfsignedcert.set_pubkey(csrrequest.get_pubkey())
    selfsignedcert.sign(psec, "sha256")

This is not working! The server does not accept the self-signed certificate, and it is not able to sign and return a server-signed certificate.

By using pyOpenSSL, however, I miss the input of `openssl x509 -in csrrequest.csr -req` for the creation of the self-signed certificate...

Where is my mistake? Does anyone know what I am doing wrong?

Thanks!

jww
Steve Murdock
See [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). You will also need to place the self-signed certificate in the appropriate trust store. I'm not sure how to do it with pyOpenSSL, however. – jww Apr 21 '17 at 17:51

2 Answers


You need to sign the CSR with the private key (similar to a self-signed certificate, but the CA will replace this signature with its own signature in the final certificate).

Try `csrrequest.sign(psec, "sha256")`
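Putting the question's three steps and this answer's fix together, as an added example that is not code from the question, the answers or the pyOpenSSL project: it generates the key, builds the CSR with and without the signing step, issues the self-signed certificate, and then checks both results with pyOpenSSL's `X509Req.verify` (does the CSR carry a valid signature?) and `X509StoreContext` (does the certificate validate against a trust store that contains only itself?). The function names such as `make_csr` and `csr_signature_is_valid`, the `SUBJECT` values and the `sign=False` switch are this example's own assumptions; it needs pyOpenSSL installed.

```python
"""Added example (not from the question or answers): key pair, signed CSR,
and self-signed certificate with pyOpenSSL, plus checks that show the
difference between an unsigned and a signed request.
Requires pyOpenSSL (`pip install pyOpenSSL`). Helper names such as
make_key_pair and make_csr are this example's own, not pyOpenSSL API."""
from OpenSSL import crypto

# Constructed subject, mirroring the values used in the question.
SUBJECT = {"C": "US", "O": "XXX", "CN": "XXX"}


def make_key_pair(bits=2048):
    """Generate an RSA key pair (the equivalent of `openssl genrsa`)."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)
    return key


def make_csr(key, subject=SUBJECT, sign=True):
    """Build a CSR for `key`. With sign=False the request is left unsigned,
    which reproduces the omission in the question's pyOpenSSL code."""
    req = crypto.X509Req()
    subj = req.get_subject()
    for name, value in subject.items():
        setattr(subj, name, value)
    req.set_pubkey(key)
    if sign:
        # `openssl req -new -key ...` does this implicitly: the request is
        # signed with the private key so a CA can check that the requester
        # actually controls the key it is asking to certify.
        req.sign(key, "sha256")
    return req


def csr_signature_is_valid(req):
    """True when the CSR carries a signature that verifies under its own
    public key; False for an unsigned request (pyOpenSSL raises on failure)."""
    try:
        return bool(req.verify(req.get_pubkey()))
    except crypto.Error:
        return False


def make_self_signed_cert(key, req, serial=0x12345, days=365):
    """Self-signed certificate built from the CSR's subject and public key
    (the equivalent of `openssl x509 -req -signkey ...`)."""
    cert = crypto.X509()
    cert.set_version(2)                      # X.509 v3
    cert.set_serial_number(serial)
    cert.gmtime_adj_notBefore(0)             # offsets in seconds from "now"
    cert.gmtime_adj_notAfter(days * 24 * 60 * 60)
    cert.set_subject(req.get_subject())
    cert.set_issuer(cert.get_subject())      # issuer == subject: self-signed
    cert.set_pubkey(req.get_pubkey())
    cert.sign(key, "sha256")
    return cert


def cert_verifies_as_self_signed(cert):
    """Validate the certificate against a trust store containing only itself,
    which is what a peer that has pinned this self-signed cert would do."""
    store = crypto.X509Store()
    store.add_cert(cert)
    try:
        crypto.X509StoreContext(store, cert).verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False


def build_all(sign_csr=True):
    """Run the three steps of the question; returns (key, csr, cert)."""
    key = make_key_pair()
    req = make_csr(key, sign=sign_csr)
    cert = make_self_signed_cert(key, req)
    return key, req, cert


if __name__ == "__main__":
    key, req, cert = build_all()
    print(crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode())
    print(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req).decode())
    print(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode())
    print("CSR signature valid:", csr_signature_is_valid(req))
    print("cert self-verifies:", cert_verifies_as_self_signed(cert))
```

The same check is available on the command line as `openssl req -in csrrequest.csr -noout -verify`; a CSR produced without the `sign` step fails it, which is the difference between the working OpenSSL command sequence and the pyOpenSSL version in the question.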


What is it that is not working?

I noticed that the times are set wrong.

Instead of:

    selfsignedcert.gmtime_adj_notBefore(0)
    selfsignedcert.gmtime_adj_notAfter(365*24*60*60)

What if you tried

    import datetime

    current_ts = int(datetime.datetime.now().timestamp())
    selfsignedcert.gmtime_adj_notBefore(current_ts)
    selfsignedcert.gmtime_adj_notAfter(current_ts + 365*24*60*60)
– Hardik Sanghavi