
python-csr's Introduction

python-csr

Purpose

Generate a key, self-signed certificate, and certificate request.

Information

This script is for Python 2.7. Because the input() function behaves differently in Python 2 and Python 3, the script is not compatible with Python 3 at this time.

Installation / Dependencies

The following modules are required:

  • OpenSSL (pyopenssl)
  • Argparse (argparse)
  • YAML (pyyaml)

I've included a setup.py that will install these dependencies if you have the setuptools python package and run:

python setup.py install

Usage

./csrgen -n [fqdn]

Note: you can always use '-h' to get more information ;)

user@host> ./csrgen.py -h
usage: csrgen.py [-h] [-v] [-d] [-l LOG] [-n NAME] [-s [SAN [SAN ...]]]
                 [-k KEYSIZE] [-u UNATTENDED] [-f FILE] [-a] [-c]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Output more infos
  -d, --debug           Enable debug mode
  -l LOG, --log LOG     Define log file (default: /var/log/certGen.log)
  -n NAME, --name NAME  Provide the FQDN
  -s [SAN [SAN ...]], --san [SAN [SAN ...]]
                        SANS, define alternative names
  -k KEYSIZE, --keysize KEYSIZE
                        Provide the key size
  -u UNATTENDED, --unattended UNATTENDED
                        Load CSR predefined options
  -f FILE, --file FILE  Load hosts file (CN and optional Alternate Names) list
  -a, --authority       Generate Authority certificate (Default is server)
  -c, --client          Generate client certificate (Default is server)

Basic usage would be

./csrgen -n test.test.com

When more than one hostname is provided, a SAN (Subject Alternative Name) certificate and request are generated. This can be achieved by adding -s.

csrgen -s

./csrgen -n test.test.com -s mushu.test.com pushu.test.com

You can pass a YAML file as an argument to pre-fill your CSR values (C, ST, L, O, OU). Any attribute defined in the YAML file will be set in the certificate. One exception: if you force the hostname with the -n parameter, it overrides the 'Hostname' set in the YAML file.

./csrgen -f sample.yaml -u csr.yaml

Debug options

A debug option (-d) and a verbose flag (-v) are available. If you want to check the contents of the generated files, here is a quick cheat sheet:

To read a CSR

openssl req -in test.test.com.csr -noout -text

To read a Certificate (CER)

openssl x509 -in test.test.com.cer -noout -text

To read a Certificate (PEM)

openssl x509 -inform pem -in test.test.com.cer -noout -text

TODO

  • Validate python3 compatibility
  • Finish SubClass Authority to generate a CA certificate (-x)
  • Create csrsign.py to sign a csr based on CA certificate and newly generated .csr
  • Implement Unit Tests

python-csr's People

Contributors

cjcotton, cottonbeckfield, dependabot[bot], diego-maravankin, erantanen


python-csr's Issues

runtime error, TypeError: initializer for ctype 'char *' must be a bytes or list or tuple, not str

python ./csrgen35.py host.domain.com -s host2.domain.com
Enter your Country Name (2 letter code) [US]: US
Enter your State or Province []:California: Maryland
Enter your (Locality Name (eg, city) []:San Francisco: Rockville
Enter your Organization Name (eg, company) []:FTW Enterprise: TestCompany
Enter your Organizational Unit (eg, section) []:IT: IT
Traceback (most recent call last):
File "./csrgen35.py", line 142, in
generateCSR(hostname,sans)
File "./csrgen35.py", line 82, in generateCSR
san_constraint = crypto.X509Extension(b"subjectAltName", False, ss)
File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/OpenSSL/crypto.py", line 775, in init
extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
TypeError: initializer for ctype 'char *' must be a bytes or list or tuple, not str

Python 3 Support

Hello! I needed a script for this and bumped into your code.

I just ported csrgen to Python 3, and added the option to add IP Address SANS to the CSR.

I'd like to create a pull request, but could not create a new branch and push my changes. Can you help me with that?

Thanks!
Diego
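The two issues above both concern the subjectAltName value: under Python 3 it must be bytes, and the port adds IP address entries. The following is an added example in Python 3, not code from the project or from the port; `build_san_value` and `_is_hostname` are hypothetical names, and it uses only the standard library.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_hostname(name):
    """Accept plain FQDNs and a single leading wildcard label (*.example.com)."""
    if len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]
    # fullmatch rejects commas, colons, spaces and newlines, so one input
    # string can never expand into several SAN entries.
    return all(_LABEL.fullmatch(label) for label in labels)


def build_san_value(names):
    """Return the extension value as bytes, e.g. b"DNS:a.example, IP:192.0.2.1"."""
    entries = []
    for raw in names:
        name = raw.strip()
        try:
            entry = "IP:%s" % ipaddress.ip_address(name)
        except ValueError:
            if not _is_hostname(name):
                raise ValueError("not a hostname or IP address: %r" % raw)
            entry = "DNS:%s" % name.lower()
        if entry not in entries:  # drop duplicates, keep first-seen order
            entries.append(entry)
    if not entries:
        raise ValueError("at least one name is required")
    # bytes, not str: this is what the call in the traceback expects, i.e.
    # crypto.X509Extension(b"subjectAltName", False, build_san_value(names))
    return ", ".join(entries).encode("ascii")
```

Validating each name before joining matters when names come from a hosts file (-f): the value is a comma-separated list, so an unchecked entry containing a comma would add names to the request.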

Looks like program is incomplete

[root@ip-10-0-0-225 python-csr]# ./csr_tools/csrgen.py -f sample.yaml -u csr.yaml
Enter your Common Name (eg, DNS name) [ip-10-0-0-225]:
Traceback (most recent call last):
File "./csr_tools/csrgen.py", line 406, in
main(sys.argv)
File "./csr_tools/csrgen.py", line 395, in main
cert.generateFromFile(args.file)
AttributeError: Certificate instance has no attribute 'generateFromFile'

Improve prompts and handle empty user input in prompts

I think it would be good if the prompts showed example input, similar to the openssl

Enter your country (2 letter code) [US]:

Also, if you don't enter something when prompted, the script currently errors:

OU = raw_input("Enter your organizational unit: ")
...
req.get_subject().organizationalUnitName = OU
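One way to handle the prompts this issue describes, as an added example in Python 3 that is not the project's code: each prompt shows its default in brackets, an empty answer falls back to that default, and attributes that are still empty are left out instead of being assigned. `FIELDS`, `ask` and `collect_subject` are hypothetical names, and the defaults are constructed samples.

```python
# (attribute, prompt text, default shown in brackets); constructed sample values
FIELDS = [
    ("C", "Country Name (2 letter code)", "US"),
    ("ST", "State or Province", ""),
    ("L", "Locality Name (eg, city)", ""),
    ("O", "Organization Name (eg, company)", ""),
    ("OU", "Organizational Unit (eg, section)", ""),
]


def ask(label, default, read=input):
    """Prompt once; an empty or whitespace-only answer yields the default."""
    answer = read("Enter your %s [%s]: " % (label, default)).strip()
    return answer or default


def collect_subject(read=input, fields=FIELDS):
    """Return only the attributes that ended up with a non-empty value."""
    subject = {}
    for attr, label, default in fields:
        value = ask(label, default, read)
        if attr == "C":
            value = value.upper()
            if len(value) != 2 or not (value.isascii() and value.isalpha()):
                raise ValueError("country must be a 2 letter code, got %r" % value)
        if value:  # never hand an empty string to the subject
            subject[attr] = value
    return subject


# Applying the result to a pyOpenSSL request object would then be:
#   for attr, value in collect_subject().items():
#       setattr(req.get_subject(), attr, value)
```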

Update README.md to show python dependencies

When I tried to run for the first time I got

ImportError: No module named OpenSSL

pip install pyOpenSSL resolved it on Mac OS X.

Perhaps update the README to show python dependencies?
