Add an arbitrary/deprecated extension to a certificate using python cryptography certificate builder
I am trying to create in Python a certificate that I previously built with the openssl ca command. Everything works perfectly, except for one thing: I need to add the "nsCertType" extension, which seems to be deprecated. However, I can't find a way to add an arbitrary certificate extension. There are solutions for Go, and even one for Python that uses OpenSSL, but I can't figure out how to do it without OpenSSL. Here is my code:
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes

# subject, inter_ca_cert, inter_ca_key, inter_server_key and duration_rootca are
# defined earlier in the script. The AuthorityKeyIdentifier is derived from the
# signing CA's own SubjectKeyIdentifier extension.
authority_key_identifier = inter_ca_cert.extensions.get_extension_for_class(
    x509.SubjectKeyIdentifier
)

inter_server_cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    inter_ca_cert.subject  # the issuer is the signing CA's subject, not the CA's own issuer
).public_key(
    inter_server_key.public_key()
).serial_number(
    x509.random_serial_number()  # must be called: passing the function object raises TypeError
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    datetime.datetime.utcnow() + datetime.timedelta(days=duration_rootca)
).add_extension(
    x509.BasicConstraints(
        ca=False, path_length=None  # cryptography rejects a path_length on a non-CA certificate
    ),
    critical=True
).add_extension(
    x509.SubjectKeyIdentifier.from_public_key(inter_server_key.public_key()),
    critical=False
).add_extension(
    x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(authority_key_identifier.value),
    critical=False
).add_extension(
    x509.KeyUsage(
        key_cert_sign=False,
        crl_sign=False,
        digital_signature=True,
        content_commitment=False,
        key_encipherment=True,
        data_encipherment=False,
        key_agreement=True,
        encipher_only=False,
        decipher_only=False
    ),
    critical=False
).add_extension(
    x509.ExtendedKeyUsage([x509.oid.ExtendedKeyUsageOID.SERVER_AUTH]),
    critical=False
).sign(inter_ca_key, hashes.SHA256())  # the backend argument is optional in current versions
You can use UnrecognizedExtension. This is not directly documented, but you can see an example of it in use in the tests (https://github.com/pyca/cryptography/blob/3367c18bf2e71639843e38498f5ad2159835122d/tests/x509/test_x509.py#L3327).

Encoding arbitrary extensions in cryptography

Note that you must provide the OID and the already DER-encoded payload as bytes. If you have a sample certificate that contains the desired value, you can parse it to obtain the correct sequence.
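The answer leaves the hard part to the reader: producing the DER bytes for the extension body. The example below is added here and is not code from the question or the answer; it hand-encodes the nsCertType BIT STRING (OID 2.16.840.1.113730.1.1, bit names as OpenSSL uses them), wraps it in x509.UnrecognizedExtension for CertificateBuilder.add_extension, and reads it back out of a parsed certificate, which is the "parse a sample certificate" route the answer mentions. The self-signed certificate in the __main__ block is constructed only to exercise the round trip; the helper names are this example's own.

```python
from __future__ import annotations

# Added example, not code from the question or the answer above. It builds the
# DER payload the answer says you must supply by hand, for the deprecated
# Netscape nsCertType extension, and wraps it in x509.UnrecognizedExtension.
# OID and bit names are the registered nsCertType values as OpenSSL names them.
NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"

# Named bits of the nsCertType BIT STRING (bit 0 is the most significant bit).
NS_CERT_TYPE_BITS = {
    "client": 0, "server": 1, "email": 2, "objsign": 3,
    "reserved": 4, "sslCA": 5, "emailCA": 6, "objCA": 7,
}


def encode_ns_cert_type(*flags: str) -> bytes:
    """DER-encode an nsCertType BIT STRING from flag names.

    DER trims trailing zero bits from a named bit list, so the 'unused bits'
    byte depends on the highest-numbered flag that is set: 'server' alone
    encodes as 03 02 06 40, which matches what OpenSSL writes.
    """
    value = 0
    for flag in flags:
        if flag not in NS_CERT_TYPE_BITS:
            raise ValueError(f"unknown nsCertType flag: {flag}")
        value |= 1 << (7 - NS_CERT_TYPE_BITS[flag])
    if value == 0:
        return b"\x03\x01\x00"  # empty bit string: no content bits, zero unused
    unused = 7 - max(NS_CERT_TYPE_BITS[f] for f in flags)
    return bytes([0x03, 0x02, unused, value])


def decode_ns_cert_type(der: bytes) -> set[str]:
    """Parse a DER nsCertType BIT STRING back into its flag names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    if len(der) == 3:
        return set()
    unused, byte = der[2], der[3]
    # nsCertType defines eight bits, so one content byte is all DER permits,
    # and the unused low-order bits must be zero.
    if len(der) != 4 or unused > 7 or byte & ((1 << unused) - 1):
        raise ValueError("not a DER-encoded nsCertType value")
    return {name for name, bit in NS_CERT_TYPE_BITS.items() if byte & (1 << (7 - bit))}


def ns_cert_type_extension(*flags: str):
    """Build the UnrecognizedExtension to pass to CertificateBuilder.add_extension."""
    from cryptography import x509  # imported lazily so the DER helpers run without it
    return x509.UnrecognizedExtension(
        x509.ObjectIdentifier(NS_CERT_TYPE_OID), encode_ns_cert_type(*flags)
    )


def read_ns_cert_type(cert) -> set[str]:
    """Read the flags back from a parsed certificate; raises ExtensionNotFound if absent."""
    from cryptography import x509
    ext = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(NS_CERT_TYPE_OID))
    return decode_ns_cert_type(ext.value.value)  # UnrecognizedExtension.value is the raw DER


if __name__ == "__main__":
    import datetime
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.x509.oid import NameOID

    # Constructed self-signed certificate, used only to exercise the round trip.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "nscerttype.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(ns_cert_type_extension("server"), critical=False)
        .sign(key, hashes.SHA256())
    )
    reloaded = x509.load_der_x509_certificate(cert.public_bytes(serialization.Encoding.DER))
    print(read_ns_cert_type(reloaded))
```

Two points worth checking in practice: cryptography stores the bytes exactly as given, so a payload with non-zero unused bits or a wrong length goes into the certificate unchanged and only fails later in a strict parser, which is why encode_ns_cert_type trims trailing bits the way DER requires; and because the extension is unrecognized, cryptography will never validate or act on it, so anything that depends on nsCertType (old Netscape-era clients) must be tested against the emitted certificate with openssl x509 -text or the target client itself.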