Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow ExtendedKeyUsageOID and alternative names #95

Open
craig8 opened this issue Jun 30, 2023 · 2 comments
Open

Allow ExtendedKeyUsageOID and alternative names #95

craig8 opened this issue Jun 30, 2023 · 2 comments

Comments

@craig8
Copy link

craig8 commented Jun 30, 2023

Wow I am impressed with the amount of time this takes out of generating my own ca and certificates...Fantastic!

I am wondering about adding extended key usages for this for client auth as well as server certificates?

if type == 'server':
# if server cert specify that the certificate can be used as an SSL
# server certificate
cert_builder = cert_builder.add_extension(
x509.ExtendedKeyUsage((ExtendedKeyUsageOID.SERVER_AUTH,)),
critical=False
)
if hostname and fqdn != hostname:
cert_builder = cert_builder.add_extension(
x509.SubjectAlternativeName([DNSName(hostname), DNSName(fqdn)]),
critical=True
)
else:
cert_builder = cert_builder.add_extension(
x509.SubjectAlternativeName([DNSName(fqdn)]),
critical=True
)

elif type == 'client':
    # specify that the certificate can be used as an SSL
    # client certificate to enable TLS Web Client Authentication
    cert_builder = cert_builder.add_extension(
        x509.ExtendedKeyUsage((ExtendedKeyUsageOID.CLIENT_AUTH,)),
        critical=False
    )
@volkerjaenisch
Copy link

+1

@volkerjaenisch
Copy link

A fork is available https://github.com/Inqbus/ownca which shows the new functionality.

The new functionality is in fact a hack, but it does work.

  cert = ca.issue_certificate(hostname=host_name, common_name=cn, ca=ca_flag, tls_role=tls_role)

with a given tls_role (have a look at the enum) should produce a cert with this feature.

Please give feedback how to proceed from here.

Cheers,
Volker

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants