Commit c378f69c authored by ale's avatar ale

add a method to renew a CA certificate

parent 0bce6d0c
...@@ -20,6 +20,28 @@ class CA(object): ...@@ -20,6 +20,28 @@ class CA(object):
self._init_ca() self._init_ca()
self._load_crl() self._load_crl()
def _generate_ca_cert(self):
ca_req = certutil.create_cert_request(
self.ca_key, **(self.ca_subject))
self.ca_crt = certutil.sign_certificate(
ca_req, self.ca_key, ca_req, 1, 3650,
extensions=[
crypto.X509Extension('basicConstraints', True,
'CA:TRUE, pathlen:0'),
crypto.X509Extension('keyUsage', True,
'keyCertSign, cRLSign'),
#crypto.X509Extension('subjectKeyIdentifier', False,
# 'hash', subject=ca_req),
],
digest=self.digest)
crt_str = crypto.dump_certificate(
crypto.FILETYPE_PEM, self.ca_crt)
self.storage.set_ca(
crypto.dump_privatekey(crypto.FILETYPE_PEM, self.ca_key),
crt_str)
self.public_ca_pem = crt_str
def _init_ca(self): def _init_ca(self):
key_str, crt_str = self.storage.get_ca() key_str, crt_str = self.storage.get_ca()
if key_str: if key_str:
...@@ -31,26 +53,14 @@ class CA(object): ...@@ -31,26 +53,14 @@ class CA(object):
else: else:
log.info('initializing CA certificate and private key') log.info('initializing CA certificate and private key')
self.ca_key = certutil.create_rsa_key_pair(self.bits) self.ca_key = certutil.create_rsa_key_pair(self.bits)
ca_req = certutil.create_cert_request( self._generate_ca_cert()
self.ca_key, **(self.ca_subject))
self.ca_crt = certutil.sign_certificate( def renew_ca(self):
ca_req, self.ca_key, ca_req, 1, 3650, if not self.ca_key:
extensions=[ log.error('CA private key not available')
crypto.X509Extension('basicConstraints', True, return
'CA:TRUE, pathlen:0'), log.info('renewing CA certificate')
crypto.X509Extension('keyUsage', True, self._generate_ca_cert()
'keyCertSign, cRLSign'),
#crypto.X509Extension('subjectKeyIdentifier', False,
# 'hash', subject=ca_req),
],
digest=self.digest)
crt_str = crypto.dump_certificate(
crypto.FILETYPE_PEM, self.ca_crt)
self.storage.set_ca(
crypto.dump_privatekey(crypto.FILETYPE_PEM, self.ca_key),
crt_str)
self.public_ca_pem = crt_str
def get_ca(self): def get_ca(self):
return self.public_ca_pem return self.public_ca_pem
...@@ -77,7 +87,7 @@ class CA(object): ...@@ -77,7 +87,7 @@ class CA(object):
crypto.X509Extension('extendedKeyUsage', False, crypto.X509Extension('extendedKeyUsage', False,
server and 'serverAuth' or 'clientAuth'), server and 'serverAuth' or 'clientAuth'),
crypto.X509Extension('nsCertType', False, crypto.X509Extension('nsCertType', False,
server and 'server' or 'client'), server and 'client, server' or 'client'),
] ]
cert = certutil.sign_certificate( cert = certutil.sign_certificate(
req, self.ca_key, self.ca_crt, new_serial, days, req, self.ca_key, self.ca_crt, new_serial, days,
......
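Review bot: `renew_ca` re-issues the CA certificate with the same hard-coded serial `1` that `_generate_ca_cert` passes as the fourth argument to `certutil.sign_certificate`, so after one renewal two distinct certificates share issuer DN, key and serial and differ only in validity and signature; RFC 5280 requires serials to be unique per issuer, and with the subjectKeyIdentifier extension commented out, issuer+serial is the only handle a relying party or CRL lookup has on this certificate. I would make the serial a parameter, `def _generate_ca_cert(self, serial=1):` with `serial` in place of the literal `1`, and have `renew_ca` call `self._generate_ca_cert(self.ca_crt.get_serial_number() + 1)` (pyOpenSSL's X509 exposes that; confirm `self.ca_crt` is always set whenever `self.ca_key` is, the load branch in `_init_ca` is cut off here). Two caveats belong in a docstring on `renew_ca`: renewal keeps the existing private key, so it is not a key rollover, and the CRL loaded by `_load_crl` is signed under this CA's cRLSign key usage, so it presumably has to be regenerated after a renewal — confirm. The early `return` when no key is loaded also leaves callers unable to tell that nothing was renewed; returning `False` there and `True` after `_generate_ca_cert()` (or raising) is easier to check than a log line.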