1. 技术文章
  2. Is it possible to set subjectAltName using pyOpenSSL?

Is it possible to set subjectAltName using pyOpenSSL?

半城伤御伤魂 提交于 2021-02-04 18:50:30

问题


I need to generate SSL certificates from Python using pyOpenSSL. Does anyone know if it's possible to set subjectAltName? From the documentation (https://pythonhosted.org/pyOpenSSL/api/crypto.html#x509-objects) it doesn't seem so. In fact, only a set_subject method is provided. Is there any way to add that to the certificate?


回答1:


san_list = ["DNS:*.google.com", "DNS:google.ym"]
cert.add_extensions([
    OpenSSL.crypto.X509Extension(
        "subjectAltName", False, ", ".join(san_list)
   )
])



回答2:


I thought I would expand on Vans S's answer as I've been going insane trying to work out why my csrgen script isn't working and I've finally cracked it. Sadly this wasn't obvious (to me) at all. Normally I'd not care, as most of my certificates are one name per cert, so the CN in the subject is usually fine. However now that Chrome won't accept certificates without the SANs set (and assuming FF/IE will follow soon if not already) this is a show-stopper now.

My Python 3 looked like this (where self is a class which inherits from crypto.X509Req).

# Add base constraints
self.add_extensions([
    crypto.X509Extension(
        b"keyUsage", False,
        b"Digital Signature, Non Repudiation, Key Encipherment"),
    crypto.X509Extension(
        b"basicConstraints", False, b"CA:FALSE"),
    crypto.X509Extension(
        b'extendedKeyUsage', False, b'serverAuth, clientAuth'),
])

# If there are multiple names, add them all as SANs.
if self.sans:
    self.add_extensions([crypto.X509Extension(
        b"subjectAltName", False, self.sans.encode())])

Which to me looks like it should work. It runs, produces no errors, produces no warnings, and generates a CSR and a key pair, but the CSR doesn't have a SAN extension.

The solution? X509Req().add_extensions() only works once! The second time I'm calling it here seems to do absolutely nothing. So the following works.

# Add all extensions in one go as only the first call to 
# add_extensions actually does anything. Subsequent calls will fail 
# silently.
self.add_extensions([
    crypto.X509Extension(
        b"keyUsage", False,
        b"Digital Signature, Non Repudiation, Key Encipherment"),
    crypto.X509Extension(
        b"basicConstraints", False, b"CA:FALSE"),
    crypto.X509Extension(
        b'extendedKeyUsage', False, b'serverAuth, clientAuth'),
    crypto.X509Extension(
        b"subjectAltName", False, self.sans.encode())
])



回答3:


I eventually solved it. I'd missed that subjectAltName is considered a standard extension. So it can be added using pyOpenSSL's method add_extensions.

More info can be found at https://www.openssl.org/docs/apps/x509v3_config.html#STANDARD_EXTENSIONS



来源:https://stackoverflow.com/questions/24475768/is-it-possible-to-set-subjectaltname-using-pyopenssl

标签
python
ssl
OpenSSL
pyopenssl
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!