# 1. Generate a 2048-bit RSA key for the entity being certified. No cipher
#    option is given, so privatekey.pem is written unencrypted.
openssl genrsa -out privatekey.pem 2048
# 2. Self-sign a certificate for that key. gencrt.py only copies its subject
#    and public key (it loads a certificate, not a CSR), and sets the final
#    validity itself, so the -days value here does not reach the signed cert.
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 365000
# 3. Re-sign under the CA. CA.key must hold BOTH the CA private key and the
#    CA certificate in one PEM file: gencrt.py loads both from that one path.
python gencrt.py signedcrtfilename CA.key publickey.cer
第三步其实用 OpenSSL 就可以完成,不过需要配置文件,略麻烦
#!/usr/bin/env python
# coding:utf-8
import binascii
import hashlib
import os
import sys
import time

import OpenSSL
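# Python 2 only: `reload` is a builtin there and `sys.setdefaultencoding`
# reappears after reload(sys). On Python 3 `reload` is not a builtin and
# there is no default-encoding switch, so the call is skipped instead of
# failing with NameError at import time.
if sys.version_info[0] < 3:
    reload(sys).setdefaultencoding('UTF-8')
# Keep the interpreter from leaving .pyc files next to the script.
sys.dont_write_bytecode = True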
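def get_cert(filename, ca_keyfile, pkeyfile, serial=None, digest='sha256',
             valid_seconds=60 * 60 * 24 * 365 * 10):
    """Issue a CA-signed certificate for the subject/key of an existing cert.

    Args:
        filename: Base name of the output; the PEM certificate is written
            to ``filename + '.crt'``.
        ca_keyfile: PEM file that holds BOTH the CA private key and the CA
            certificate. Both are parsed from this single file; the CA
            certificate only supplies the issuer name.
        pkeyfile: PEM *certificate* (e.g. the self-signed publickey.cer)
            whose subject and public key are copied into the new cert. It is
            parsed with load_certificate, so it is not a CSR and its own
            signature is not verified here.
        serial: Explicit serial number, or None to draw a random 127-bit
            one. X.509 requires serials to be unique per issuer; a value
            derived from ``filename`` (as the MD5 scheme did) repeats every
            time the same name is re-signed, which clients that cache the
            issuer/serial pair reject.
        digest: Signature digest name handed to pyOpenSSL. Defaults to
            'sha256'; SHA-1 signatures are refused by current clients and by
            OpenSSL 3 at its default security level.
        valid_seconds: Validity window relative to now (default 10 years).

    Returns:
        The path of the certificate file that was written.

    Raises:
        IOError/OSError when a file cannot be read or written, and
        OpenSSL.crypto.Error when PEM parsing or signing fails.
    """
    with open(ca_keyfile, 'rb') as fp:
        ca_pem = fp.read()
    # The same PEM blob is parsed twice: once for the key, once for the
    # certificate that carries the issuer name.
    key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, ca_pem)
    ca = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, ca_pem)

    with open(pkeyfile, 'rb') as fp:
        reqcrt = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                                 fp.read())

    if serial is None:
        # 16 bytes from the OS CSPRNG; the top bit is cleared so the DER
        # INTEGER is positive and stays within the 20-octet limit.
        serial = int(binascii.hexlify(os.urandom(16)), 16) >> 1

    cert = OpenSSL.crypto.X509()
    # Version 0 is X.509 v1: the certificate carries no extensions (no
    # basicConstraints, no subjectAltName). NOTE(review): hostname checks
    # in current browsers rely on SAN, which needs set_version(2) plus
    # add_extensions; left unchanged here to keep the output format.
    cert.set_version(0)
    cert.set_serial_number(serial)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(valid_seconds)
    cert.set_issuer(ca.get_subject())
    cert.set_subject(reqcrt.get_subject())
    cert.set_pubkey(reqcrt.get_pubkey())
    cert.sign(key, digest)

    # os.path.join with a single argument was a no-op; plain concatenation
    # yields the same path.
    certfile = filename + '.crt'
    print(certfile)
    with open(certfile, 'wb') as fp:
        fp.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                                 cert))
    return certfile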
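if __name__ == '__main__':
    # Three positional arguments are required; without this check a missing
    # one surfaces as an IndexError instead of a usage message.
    if len(sys.argv) != 4:
        sys.stderr.write('usage: %s signedcrtfilename CA.key publickey.cer\n'
                         % sys.argv[0])
        sys.exit(2)
    get_cert(sys.argv[1], sys.argv[2], sys.argv[3])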
Please add `import time` (the fallback serial number calls `time.time()`).