Copyright (c) 2017-2020 Christer Byström
This package provides convinience methods for creating Certificate Authorities (CA), signing Certificate Signing Requests (CSR) and creating self-signed certificates.
This is intended to be used for developing purposes to quickly generate a root CA that can be used for signing test certificates instead of having to install each new test certificate that is being generated.
This package also supports using Subject Alternative Names for DNS and IP addresses, as the Common Name (CN) attribute of the subject will be deprecated at some point.
Under the hood the openssl cli is used.
Python 3.5 and above supported.
easyca.create_self_signed(dn=None, alt_names=None, days=90, newkey='rsa:2048')
Create a self-signed certificate.
- Parameters
- dn – a dictionary with configuration for distinguished name
- alt_names – a list of of Subject Alternative Names
- days – how many days in the future the CA will be valid
- newkey – key specification like ‘rsa:2048’
- Returns
a dict with the members success and message always set
class easyca.CA(ca_path=None, openssl_path=None)
Bases:
object
Certificate Authority, using an openssl CA folder structure as a flat-file database.
- Parameters
- ca_path – path where to create the required folder structure
- openssl_path – path of openssl binary to use
DB_VERSION = 1
ca_path
get_certificate(serial=None)
Get details of a signed certificate
- Parameters
serial – serial number of request
- Raises
LookupError – certificate with serial not found
- Returns
a dict with information
get_info()
Get information about the CA in ca_path.
- Parameters
ca_path – Path to Certificate Authority
- Returns
JSON object with status
get_request(serial=None)
Get details of a certificate signing request
- Parameters
serial – serial number of request
- Raises
LookupError – request with serial not found
- Returns
a dict with information
get_request_name_from_path(path)
initialize(dn=None, alt_names=None, days=90, newkey='rsa:2048')
Initialize a Certificate Authority. This creates a folder structure containing a root CA, public and private keys, and folders for Certificate Signing Requests and SignedCertificates.
- Parameters
- dn – a
DistinguishedName
ordict
- alt_names – a list of of Subject Alternative Names
- days – how many days in the future the CA will be valid
- newkey – key specification like ‘rsa:2048’
- Raises
- ValueError – missing value needed
- FileExistsErrror – a CA is alreay initialized at this location
- OpenSSLError – an error occurred calling openssl
- Returns
a dict with the members success and message always set
initialized
- Returns boolean
true if initialized
list_certificates()
Get a list of signed certificates
list_requests()
Get a list of Certificate Signing Requests.
- Returns
list – a list of {“id”: <id>, “last_modified”: <datastring>}
revoke_certificate(serial=None)
sign_request(csr=None, days=90)
Sign a Certificate Signing Request. This function carries over Subject Alternative Name entries from the request.
- Parameters
- csr – a string with the CSR in PEM format
- days – how many days in the future the certificate will be valid
- Raises
ValueError – when the input is not a certificate request
- Returns
a dict with the members success and message always set
updatedb()
Updates the database index to purge expired certificates.
class easyca.DistinguishedName(c=None, cn=None, email=None, l=None, o=None, ou=None, st=None)
Bases:
dict
Distinguished Name.
- Parameters
- c – Country/Region (two letters)
- cn – Common Name - hostname or dns
- email – Email address
- l – Locality
- o – Organization Name
- ou – Organizational Unit
- st – State or Province