
Python programming: applying certificates_python-2.7 – Creating a self-signed certificate using pyopenssl

劳夕
2023-12-01

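I am trying to generate a self-signed X509v3 CA certificate using pyopenssl.

I want to add the Authority Key Identifier (AKID) extension with a keyid that contains the Subject Key Identifier (SKID).

But my code block below does not copy the SKID to the AKID; it throws an exception instead.

Please help me solve this problem :)

The code is as follows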

import OpenSSL

key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)

ca = OpenSSL.crypto.X509()
ca.set_version(2)  # version value 2 encodes X509v3
ca.set_serial_number(1)
ca.get_subject().CN = "ca.example.com"
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())  # self-signed: issuer equals subject
ca.set_pubkey(key)
ca.add_extensions([
    OpenSSL.crypto.X509Extension("basicConstraints", True,
                                 "CA:TRUE,pathlen:0"),
    OpenSSL.crypto.X509Extension("keyUsage", True,
                                 "keyCertSign,cRLSign"),
    OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
                                 subject=ca),
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca)
])
ca.sign(key, "sha1")
open("MyCertificate.crt.bin", "wb").write(
    OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, ca))

The exception thrown is as follows

Traceback (most recent call last):
  File "C:\Documents and Settings\Administrator\Desktop\Certificate\certi.py", line 21, in <module>
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca)
Error: [('X509 V3 routines', 'V2I_AUTHORITY_KEYID', 'unable to get issuer keyid'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]

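Now, if I remove "always" from the keyid parameter in the following line of the code

OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid", issuer=ca)

I get an empty AKID keyid field; it does not contain the SKID, as shown below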

                    00:84:13:70:73:fe:29:61:5f:33:7d:b3:74:97:3b:
                    3a:f3:11:01:7c:b8:37:a8:8c:72:81:ee:92:fd:91:
                    8a:11:b3:b3:02:b4:97:d5:f8:1b:91:54:7e:15:49:
                    26:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                CE:D1:31:DE:CF:E3:E2:BC:6C:73:3D:55:F0:88:53:0A:F1:DC:31:14
            X509v3 Authority Key Identifier:
                0.
    Signature Algorithm: sha1WithRSAEncryption
         0b:7b:28:f6:b9:1e:6e:ec:53:6a:c5:77:db:c5:3f:5e:1d:ab:
         e5:43:73:eb:52:24:af:39:2b:aa:a3:f6:34:e1:92:4b:3b:5e:
         b6:1

Thank you in advance.
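A check for the result described in the question, as an added example that is not part of the original post: it parses the DER values of the two extensions with the Python 3 standard library and reports whether the AKID keyIdentifier equals the SKID. The sample bytes are constructed from the dump above, on the assumption that the `0.` printed under Authority Key Identifier is the text rendering of the bytes 30 00 (an empty SEQUENCE); all function names are illustrative.

```python
# Added example (Python 3, standard library only), not from the original post.
# Inputs are the DER extension values, i.e. the bytes inside each extnValue.

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def skid_value(skid_der):
    """SubjectKeyIdentifier ::= OCTET STRING"""
    tag, value, _ = read_tlv(skid_der)
    if tag != 0x04:
        raise ValueError("SKID is not an OCTET STRING")
    return value

def akid_keyid(akid_der):
    """AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] OPTIONAL, ... }"""
    tag, body, _ = read_tlv(akid_der)
    if tag != 0x30:
        raise ValueError("AKID is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:  # context tag [0], primitive: keyIdentifier
            return value
    return None  # empty SEQUENCE, or no keyIdentifier present

def akid_matches_skid(skid_der, akid_der):
    """True only when the AKID carries a keyid and it equals the SKID."""
    keyid = akid_keyid(akid_der)
    return keyid is not None and keyid == skid_value(skid_der)

# Constructed sample input, built from the SKID printed in the question.
SKID_DER = bytes.fromhex("0414CED131DECFE3E2BC6C733D55F088530AF1DC3114")
EMPTY_AKID_DER = bytes.fromhex("3000")  # assumed source of the "0." line
GOOD_AKID_DER = bytes.fromhex("30168014") + SKID_DER[2:]  # keyid == SKID
```

With pyOpenSSL, the keyid can only be copied if the issuer certificate already carries its subjectKeyIdentifier when the authorityKeyIdentifier extension object is constructed, so the SKID needs its own `add_extensions` call first.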
