Commit b79fc75a authored by Nicolas KAROLAK's avatar Nicolas KAROLAK

mkcert: create ecc cert by default

parent e11b5e47
...@@ -4,6 +4,7 @@ ...@@ -4,6 +4,7 @@
from collections import OrderedDict from collections import OrderedDict
import os import os
from pathlib import Path
import subprocess import subprocess
import sys import sys
from typing import Any from typing import Any
...@@ -346,25 +347,53 @@ subjectKeyIdentifier = hash ...@@ -346,25 +347,53 @@ subjectKeyIdentifier = hash
basicConstraints = CA:FALSE basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ] [ alternate_names ]
""" """
def mkcert(domains: list, keysize: int = 4096, days: int = 1825, config_tpl: str = OPENSSL_CONFIG_TEMPLATE): def mkcert(domains: list, ecc: bool = True, days: int = 3650, config_tpl: str = OPENSSL_CONFIG_TEMPLATE):
"""Generate a self-signed certificate for the domains list.
:param domains: Domains for which the certificates will be self-signed
:type domains: list
:param ecc: Wether to use Elliptic Curve cryptography or not, defaults to True, if Fasle RSA is used
:param ecc: bool, optional
:param days: Validity lifetime of the certificate, defaults to 3650
:param days: int, optional
:param config_tpl: OpenSSL config file template, defaults to OPENSSL_CONFIG_TEMPLATE
:param config_tpl: str, optional
"""
# create certs dir
cert_dir = "/etc/ssl/envsetup"
Path(cert_dir).mkdir(mode=0o755, parents=True, exist_ok=True)
# populate template with domains # populate template with domains
for i, domain in enumerate(domains, start=1): for i, domain in enumerate(domains, start=1):
config_tpl = config_tpl + "DNS.{} = {}\n".format(i, domain) config_tpl = config_tpl + "DNS.{} = {}\n".format(i, domain)
# write openssl config file # write openssl config file
with open("/etc/ssl/envsetup.conf", "w") as config_fh: with open(cert_dir + "/conf", "w") as config_fh:
config_fh.write(config_tpl) config_fh.write(config_tpl)
# key type: elliptic curve (default) or rsa
if ecc:
subprocess.check_call([
"openssl", "ecparam",
"-name", "secp384r1",
"-out", cert_dir + "/ecparam"
])
keytype = "ec:" + cert_dir + "/ecparam"
else:
keytype = "rsa"
# execute openssl to generate keypair # execute openssl to generate keypair
subprocess.check_call([ subprocess.check_call([
"openssl", "req", "openssl", "req",
"-config", "/etc/ssl/envsetup.conf", "-config", cert_dir + "/conf",
"-new", "-x509", "-sha256", "-newkey", "rsa:{}".format(str(keysize)), "-nodes", "-new",
"-keyout", "/etc/ssl/private/envsetup.key.pem", "-x509",
"-sha256",
"-nodes",
"-newkey", keytype,
"-keyout", cert_dir + "/key.pem",
"-days", str(days), "-days", str(days),
"-out", "/etc/ssl/certs/envsetup.cert.pem" "-out", cert_dir + "/cert.pem"
]) ])
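Review bot: The unencrypted (`-nodes`) private key that `openssl req` writes to `cert_dir + "/key.pem"` now lives in a directory created with `mode=0o755`, whereas the old location `/etc/ssl/private/` is conventionally root-only, and the new code never sets the key file's mode itself, so whether it ends up world-readable depends on the umask and OpenSSL's defaults; add `os.chmod(cert_dir + "/key.pem", 0o600)` right after the `check_call` so the file mode does not rely on the caller's environment. The new signature also drops `keysize` without a replacement, so any caller passing `keysize=` now raises TypeError; if an RSA size is still wanted, keep the parameter and use it in the `else` branch (e.g. `keytype = "rsa:{}".format(keysize)`), and the `days` default change from 1825 to 3650 is not mentioned in the commit message. In the docstring, `Wether`/`Fasle` should read `Whether to use Elliptic Curve cryptography or not, defaults to True; if False RSA is used`, and the type lines should be `:type ecc: bool` / `:type days: int` / `:type config_tpl: str` rather than repeating `:param`. `mkcert` may continue past the end of the hunk.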