Copyright (c) 2017-2020 Christer Byström
This package provides convenience methods for creating Certificate Authorities (CA), signing Certificate Signing Requests (CSR) and creating self-signed certificates.
This is intended for development purposes, to quickly generate a root CA that can be used for signing test certificates instead of having to install each newly generated test certificate individually.
This package also supports using Subject Alternative Names for DNS and IP addresses, as the Common Name (CN) attribute of the subject will be deprecated at some point.
Under the hood the openssl cli is used.
Python 3.5 and above are supported.
easyca.create_self_signed(dn=None, alt_names=None, days=90, newkey='rsa:2048')
Create a self-signed certificate.
Parameters:
- dn – a dictionary with configuration for distinguished name
- alt_names – a list of Subject Alternative Names
- days – how many days in the future the CA will be valid
- newkey – key specification like ‘rsa:2048’
Returns: a dict with the members success and message always set
class easyca.CA(ca_path=None, openssl_path=None)
Bases: object
Certificate Authority, using an openssl CA folder structure as a flat-file database.
Parameters:
- ca_path – path where to create the required folder structure
- openssl_path – path of openssl binary to use
DB_VERSION = 1
ca_path
get_certificate(serial=None)
Get details of a signed certificate
Parameters: serial – serial number of the certificate
Raises: LookupError – certificate with serial not found
Returns: a dict with information
get_info()
Get information about the CA in ca_path.
Parameters: ca_path – Path to Certificate Authority
Returns: JSON object with status
get_request(serial=None)
Get details of a certificate signing request
Parameters: serial – serial number of request
Raises: LookupError – request with serial not found
Returns: a dict with information
get_request_name_from_path(path)
initialize(dn=None, alt_names=None, days=90, newkey='rsa:2048')
Initialize a Certificate Authority. This creates a folder structure containing a root CA, public and private keys, and folders for Certificate Signing Requests and SignedCertificates.
Parameters:
- dn – a DistinguishedName or dict
- alt_names – a list of Subject Alternative Names
- days – how many days in the future the CA will be valid
- newkey – key specification like ‘rsa:2048’
Raises:
- ValueError – missing value needed
- FileExistsError – a CA is already initialized at this location
- OpenSSLError – an error occurred calling openssl
Returns: a dict with the members success and message always set
initialized
Returns boolean: true if initialized
list_certificates()
Get a list of signed certificates
list_requests()
Get a list of Certificate Signing Requests.
Returns: list – a list of {“id”: <id>, “last_modified”: <datestring>}
revoke_certificate(serial=None)
sign_request(csr=None, days=90)
Sign a Certificate Signing Request. This function carries over Subject Alternative Name entries from the request.
Parameters:
- csr – a string with the CSR in PEM format
- days – how many days in the future the certificate will be valid
Raises: ValueError – when the input is not a certificate request
Returns: a dict with the members success and message always set
updatedb()
Updates the database index to purge expired certificates.
class easyca.DistinguishedName(c=None, cn=None, email=None, l=None, o=None, ou=None, st=None)
Bases: dict
Distinguished Name.
Parameters:
- c – Country/Region (two letters)
- cn – Common Name - hostname or dns
- email – Email address
- l – Locality
- o – Organization Name
- ou – Organizational Unit
- st – State or Province
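An end-to-end use of the API above, added here as an example and not part of the package's own code or documentation: a development CA is initialized in a scratch directory, a CSR carrying DNS and IP Subject Alternative Names is produced with the openssl CLI (the package provides no CSR helper), the CA signs it, and the documented success/message contract is checked. It assumes the package is importable as easyca, that openssl 1.1.1 or newer (for -addext) is on PATH, and that the CA directory may be given as a string path.

```python
import subprocess
from pathlib import Path


def make_csr(workdir: Path, hostname: str, ip: str) -> str:
    """Generate a 2048-bit RSA key and a CSR with SAN entries via the openssl CLI; return the CSR PEM."""
    workdir.mkdir(parents=True, exist_ok=True)
    key_path = workdir / "server.key"
    csr_path = workdir / "server.csr"
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key_path), "-out", str(csr_path),
         "-subj", f"/CN={hostname}",
         # SAN carries the real identity; sign_request() copies these entries into the certificate
         "-addext", f"subjectAltName=DNS:{hostname},IP:{ip}"],
        check=True, capture_output=True)
    return csr_path.read_text()


def issue_dev_certificate(workdir: Path, hostname: str, ip: str) -> dict:
    """Create (or reuse) a dev CA under workdir/ca, sign a CSR for hostname and return the sign_request result."""
    import easyca  # assumption: the package is installed under this name

    ca = easyca.CA(ca_path=str(workdir / "ca"))
    dn = easyca.DistinguishedName(c="SE", o="Example Dev", ou="Testing", cn="Example Dev Root CA")
    try:
        init = ca.initialize(dn=dn, days=365)  # dev root: short lifetime, no SAN needed on the CA itself
    except FileExistsError:
        init = {"success": True, "message": "reusing CA already present at this path"}
    if not init["success"]:
        raise RuntimeError(f"CA initialization failed: {init['message']}")

    csr_pem = make_csr(workdir / "client", hostname, ip)
    try:
        result = ca.sign_request(csr=csr_pem, days=30)  # test certificates should be short-lived
    except ValueError as exc:  # documented: input was not a certificate request
        raise RuntimeError(f"rejected CSR: {exc}") from exc
    if not result["success"]:
        raise RuntimeError(f"signing failed: {result['message']}")
    # attach the CA's view of what it has issued so callers can cross-check the flat-file database
    result["issued"] = ca.list_certificates()
    return result
```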