You can really go with pyOpenSSL. Since you say that you already have the CA root certificate and private key, and the CSR will be sent by the client, you can use the cryptography functions to read all of these (CA cert, private key and Device CSR) from the file or to manage them in the buffer.
To get started, use the functions below. Check dir(crypto) and crypto.function_name.__doc__ in the Python interpreter for more information :) You need to import crypto from pyOpenSSL.
- crypto.load_certificate_request() - to get the device CSR object
- crypto.load_privatekey() - to get the private key object for the CA private key
- crypto.load_certificate() - to get the root CA certificate
Then you can write a simple function to return a certificate:
    from OpenSSL import crypto

    def create_cert(caCert, CAprivatekey, deviceCsr, serial_no,
                    notBeforeVal=0, notAfterVal=365 * 24 * 60 * 60, digest="sha256"):
        # caCert, CAprivatekey and deviceCsr are the objects returned by the three load_* calls above;
        # notBeforeVal / notAfterVal are offsets in seconds from "now"
        cert = crypto.X509()
        cert.set_serial_number(serial_no)
        cert.gmtime_adj_notBefore(notBeforeVal)
        cert.gmtime_adj_notAfter(notAfterVal)
        cert.set_issuer(caCert.get_subject())          # issued by the CA
        cert.set_subject(deviceCsr.get_subject())      # subject taken from the CSR
        cert.set_pubkey(deviceCsr.get_pubkey())        # device's public key from the CSR
        cert.sign(CAprivatekey, digest)                # signed with the CA private key
        return cert
where caCert, deviceCsr, and CAprivatekey are the values returned by the three functions. Now that you have the certificate, you can write it to a file using crypto.dump_certificate(crypto.FILETYPE_PEM, cert) with the file name of your choice.
You can change this function according to your requirements. After that, you can verify the generated device certificate against the CA root certificate, for example using the openssl command: openssl verify -CApath <CA cert path> <name of device cert file>
You can also look at some examples on GitHub: M2Crypto example, pyOpenSSL example.
Hope this gives you an idea of the implementation.
Harshawardhan
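The same flow as the answer above (load the device CSR, issue a certificate from the CA key, then verify it), written as an added example that is not part of the original answer. It uses the `cryptography` package, on which pyOpenSSL is built (pyOpenSSL objects convert with `to_cryptography()`/`from_cryptography()`), and it adds the checks a signing service needs that the answer's `create_cert()` leaves out: the CSR's self-signature is checked so the requester is proven to hold the key, the serial number is random rather than a fixed value, the issued certificate carries the CA's own extensions (basicConstraints CA:FALSE, keyUsage, EKU, key identifiers) instead of anything the CSR asked for, and a `verify_device_cert()` function does programmatically what `openssl verify` does. The CA, the device key and the CSR are all constructed in the script; the names and the "device-0001" CN are assumptions.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _key_usage(cert_sign):
    """KeyUsage for a CA (keyCertSign/cRLSign) or an end entity (signature/encipherment)."""
    return x509.KeyUsage(
        digital_signature=not cert_sign, content_commitment=False,
        key_encipherment=not cert_sign, data_encipherment=False,
        key_agreement=False, key_cert_sign=cert_sign, crl_sign=cert_sign,
        encipher_only=False, decipher_only=False)


def make_ca(common_name="Example Device CA"):
    """Constructed test root CA (self-signed, CA:TRUE); stands in for the real CA files."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(_key_usage(cert_sign=True), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_device_csr(common_name):
    """Constructed device-side CSR (what the client would send). It deliberately
    requests CA:TRUE so that the signer's refusal to copy CSR extensions is visible."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.PEM)


def sign_device_csr(csr_pem, ca_cert, ca_key, valid_days=365):
    """Issue an end-entity certificate for a PEM CSR. Only the vetted CN is taken
    from the request; every extension is set by the CA, never copied from the CSR."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR self-signature invalid: requester does not hold the private key")
    cns = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if len(cns) != 1:
        raise ValueError("CSR must carry exactly one CN")
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cns[0].value)]))
            .issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())     # unique per CA, unlike a fixed serial_no
            .not_valid_before(now - timedelta(minutes=5))   # small skew allowance
            .not_valid_after(now + timedelta(days=valid_days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(_key_usage(cert_sign=False), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))


def _utc(t):
    """Older cryptography releases return naive UTC datetimes; normalise to aware."""
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)


def verify_device_cert(cert, ca_cert):
    """Programmatic counterpart of `openssl verify`: CA signature over the TBS bytes,
    issuer/subject linkage, validity window, and end-entity basicConstraints."""
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)  # raises InvalidSignature
    if cert.issuer != ca_cert.subject:
        raise ValueError("issuer name does not match the CA subject")
    now = datetime.now(timezone.utc)
    if not _utc(cert.not_valid_before) <= now <= _utc(cert.not_valid_after):
        raise ValueError("certificate is outside its validity window")
    if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        raise ValueError("device certificate must not be a CA")
    return True


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, csr_pem = make_device_csr("device-0001")
    cert = sign_device_csr(csr_pem, ca_cert, ca_key)
    # same output as crypto.dump_certificate(crypto.FILETYPE_PEM, cert) in the answer
    print(cert.public_bytes(serialization.Encoding.PEM).decode())
    print("verified against CA:", verify_device_cert(cert, ca_cert))
```

Two notes on the answer's command line. `openssl verify -CApath` expects a directory of hash-named certificates (as produced by `c_rehash`); to verify against a single root PEM file use `openssl verify -CAfile ca.pem device.pem` instead. And the answer's fixed `serial_no` works for a one-off, but a CA must never issue two certificates with the same serial, which is why the example draws a random one with `x509.random_serial_number()`.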