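I want to add the Authority Key Identifier (AKID) extension with a keyid that contains the Subject Key Identifier (SKID).
But my code block below does not copy the SKID into the AKID; it throws an exception instead.
Please help me solve this problem :)
The code is as follows: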
```python
import OpenSSL

# Python 2.7 code: str literals are byte strings here. On Python 3, pyOpenSSL
# expects bytes (b"...") for extension names and values.
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)

ca = OpenSSL.crypto.X509()
ca.set_version(2)  # value 2 means X.509 v3
ca.set_serial_number(1)
ca.get_subject().CN = "ca.example.com"
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
    OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE,pathlen:0"),
    OpenSSL.crypto.X509Extension("keyUsage", True, "keyCertSign,cRLSign"),
    OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
    # This is the call that raises the exception shown below
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca),
])
# SHA-1 is kept so the code matches the dump below; prefer "sha256" for real certificates
ca.sign(key, "sha1")
open("MyCertificate.crt.bin", "wb").write(
    OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, ca))
```
The exception thrown is as follows:
```
Traceback (most recent call last):
  File "C:\documents and Settings\administrator\Desktop\Certificate\certi.py", line 21, in <module>
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier",issuer=ca)
Error: [('X509 V3 routines', 'V2I_AUTHORITY_KEYID', 'unable to get issuer keyid'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]
```
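Now, if I remove "always" from the keyid parameter in the following line of the code:
```python
OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid", issuer=ca)
```
I get an AKID whose keyid field is empty; it does not contain the SKID, as shown below: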
```
                    00:84:13:70:73:fe:29:61:5f:33:7d:b3:74:97:3b:
                    3a:f3:11:01:7c:b8:37:a8:8c:72:81:ee:92:fd:91:
                    8a:11:b3:b3:02:b4:97:d5:f8:1b:91:54:7e:15:49:
                    26:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE,pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign,CRL Sign
            X509v3 Subject Key Identifier:
                CE:D1:31:DE:CF:E3:E2:BC:6C:73:3D:55:F0:88:53:0A:F1:DC:31:14
            X509v3 Authority Key Identifier:
                0.
    Signature Algorithm: sha1WithRSAEncryption
        0b:7b:28:f6:b9:1e:6e:ec:53:6a:c5:77:db:c5:3f:5e:1d:ab:
        e5:43:73:eb:52:24:af:39:2b:aa:a3:f6:34:e1:92:4b:3b:5e:
        b6:1
```
Thanks in advance.
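Solution

This means that the CA key you are using does not have a subjectKeyIdentifier set. In your example, you created the authorityKeyIdentifier using a reference to ca, which does not yet have its subjectKeyIdentifier set.
If you change your code to: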
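```python
# First call: attach the SKID (and the other extensions) to ca
ca.add_extensions([
    OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE,pathlen:0"),
    OpenSSL.crypto.X509Extension("keyUsage", True, "keyCertSign,cRLSign"),
    OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
])
# Second call: ca now carries its SKID, so keyid:always can copy it
ca.add_extensions([
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca),
])
```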
Then it works.
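To confirm that a certificate's AKID really carries the SKID, the two extension values can be compared at the DER level. The following is an added example, not part of the original question or answer, written for Python 3 with the standard library only; all function names are hypothetical. The SKID bytes come from the dump in the question, the three extension byte strings are constructed, and the empty `30 00` AKID is an assumption that is consistent with the `0.` shown in that dump.

```python
# Added example (Python 3, stdlib only); helper names are hypothetical.
# SKID bytes copied from the certificate dump in the question.
SKID = bytes.fromhex("CE:D1:31:DE:CF:E3:E2:BC:6C:73:3D:55:F0:88:53:0A:F1:DC:31:14".replace(":", ""))

# Constructed DER extension values (the extnValue contents):
SKID_EXT = b"\x04\x14" + SKID               # OCTET STRING, 20 bytes
EMPTY_AKID_EXT = b"\x30\x00"                # SEQUENCE with no fields (assumed)
GOOD_AKID_EXT = b"\x30\x16\x80\x14" + SKID  # SEQUENCE { [0] keyIdentifier }

def read_tlv(buf, pos=0):
    """Read one definite-length DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def skid_key_identifier(ext_value):
    """SubjectKeyIdentifier ::= OCTET STRING"""
    tag, value, end = read_tlv(ext_value)
    if tag != 0x04 or end != len(ext_value):
        raise ValueError("expected a single OCTET STRING")
    return value

def akid_key_identifier(ext_value):
    """Return keyIdentifier ([0] IMPLICIT OCTET STRING), or None if absent."""
    tag, body, end = read_tlv(ext_value)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:
            return value
    return None

def akid_matches_skid(akid_ext, skid_ext):
    """True only when the AKID carries a keyIdentifier equal to the SKID."""
    keyid = akid_key_identifier(akid_ext)
    return keyid is not None and keyid == skid_key_identifier(skid_ext)
```

For a self-signed CA, `akid_matches_skid` should return True; an AKID with no keyIdentifier, like `EMPTY_AKID_EXT`, returns False.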