Issue certificates with
PyOpenSSL
And build a trust relationship.
Contents:
Who am I
PKI Reminder
PyOpenSSL
Issue certificates
Issue certificates (2)
Validation of certificates
Signature validation
Who am I
@pfreixes, coding with Python for the last 15 years
I come from the C world and fields such as operating systems
Life brought me to fields such as NoSQL, AMQP, Twisted, etc.
I work as a Lead Backend Engineer at M2M Cloud Factory
PyOpenSSL
Not a simple wrapper of OpenSSL: it comes with a bit of
sauce to handle PKI objects easily.
Handle certificates using the OpenSSL.crypto.X509 class
Useful functions such as OpenSSL.crypto.sign and OpenSSL.crypto.verify
Other util objects such as X509Req, X509Store, ...
But it lacks some implementations, such as verifying the
signature of a certificate (later releases added
OpenSSL.crypto.X509StoreContext.verify_certificate for exactly that)
Take a look here https://github.com/pyca/pyopenssl
PKI Reminder
Issue certificates
To issue a certificate we need a certificate signing request (CSR)
from the customer and then use it to issue the certificate.
Before issuing, the CA should check the request's own signature
(req.verify) and decide which subject fields it accepts: the
requester must not dictate the contents of the certificate.
import OpenSSL.crypto
# load the certificate request sent by the customer
req = OpenSSL.crypto.load_certificate_request(
    OpenSSL.crypto.FILETYPE_PEM, req_pem)
# issue the certificate
cert = OpenSSL.crypto.X509()
cert.set_subject(req.get_subject())      # subject taken from the request
cert.set_serial_number(1)                # must be unique per CA; never a fixed value in production
cert.set_notBefore(issued_date)          # ASN.1 time as bytes, e.g. b"20240101000000Z"
cert.set_notAfter(expire_date)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(ca_key, "sha256")              # the original slide used "sha1", now deprecated for signatures
cert_pem = OpenSSL.crypto.dump_certificate(
    OpenSSL.crypto.FILETYPE_PEM, cert)
Issue certificates (2)
To issue certificates for subordinate authorities the
certificate has to carry a few extensions. Add them before
cert.sign(): extensions added after signing are not covered by
the signature, which then fails to verify. pathlen:0 means the
subordinate may issue end-entity certificates only, no further
CAs. On Python 3 pyOpenSSL expects the names and values as bytes.
cert.set_version(2)   # extensions require an X.509 v3 certificate
ca_extension = OpenSSL.crypto.X509Extension(
    b"basicConstraints", True, b"CA:TRUE, pathlen:0")   # second argument: critical
key_usage = b"keyCertSign, cRLSign, digitalSignature, nonRepudiation"
key_extension = OpenSSL.crypto.X509Extension(b"keyUsage", True, key_usage)
hash_extension = OpenSSL.crypto.X509Extension(
    b"subjectKeyIdentifier", False, b"hash", subject=cert)   # hash of the public key: call set_pubkey() first
cert.add_extensions([ca_extension, key_extension, hash_extension])
Validation of certificates
To validate a certificate we use the procedure called
certification path validation (RFC 5280, section 6). This is a
well known procedure with steps such as:
Each certificate in the chain is currently valid (notBefore / notAfter)
The signature on each certificate is correct for the
certificate contents and the issuer's public key
The chain ends at a trusted anchor and the CA constraints
(basicConstraints, pathlen, keyUsage) are satisfied
Signature validation
It confirms that the signature on the certificate is valid by
using the public key of the issuing CA, not the certificate's own key.
At the time of these slides there was no ready-made function in
pyOpenSSL for this, so the signed part (tbsCertificate) and the
signature had to be extracted by hand and checked with
OpenSSL.crypto.verify. Take a look at https://www.v13.gr/blog/?p=303.
Newer pyOpenSSL releases provide
OpenSSL.crypto.X509StoreContext.verify_certificate(), which runs
the whole path validation and raises X509StoreContextError on failure.
More info with the full method explained at
http://tools.ietf.org/html/rfc5280#section-6
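The issuance and validation steps of the last slides, as an added example that is not part of the original slides or of pyOpenSSL itself: it builds a root CA and a pathlen:0 issuing CA, issues a device certificate from a CSR after checking the CSR's signature, and then validates the chain with OpenSSL.crypto.X509StoreContext, including three cases a verifier must reject (wrong trust anchor, path length violation, expired certificate). The subject names, serial numbers and validity periods are constructed test data, and the chain= argument of X509StoreContext assumes pyOpenSSL 20.0 or newer.

```python
# Added example, not from the original slides: a two-level PKI built with
# pyOpenSSL, from CSR to issued certificate to certification path validation.
# Keys and certificates are generated in memory as constructed test data;
# assumes pyOpenSSL >= 20.0 for the chain= argument of X509StoreContext.
from OpenSSL import crypto


def make_key(bits=2048):
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, bits)
    return key


def make_csr(common_name, key):
    # Customer side: subject + public key, signed with the private key.
    req = crypto.X509Req()
    req.get_subject().CN = common_name
    req.set_pubkey(key)
    req.sign(key, "sha256")
    return req


def issue_cert(subject_cn, pubkey, issuer_cert, issuer_key, serial, days,
               is_ca=False, pathlen=None):
    # CA side: an X.509 v3 certificate; issuer_cert=None means self-signed.
    # Extensions are added BEFORE sign(); added afterwards they break it.
    cert = crypto.X509()
    cert.set_version(2)                        # v3 is required for extensions
    cert.get_subject().CN = subject_cn
    cert.set_serial_number(serial)             # must be unique per issuer
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days * 24 * 3600)
    cert.set_pubkey(pubkey)
    cert.set_issuer((cert if issuer_cert is None else issuer_cert).get_subject())
    if is_ca:
        bc = b"CA:TRUE" if pathlen is None else b"CA:TRUE, pathlen:%d" % pathlen
        ku = b"keyCertSign, cRLSign, digitalSignature"
    else:
        bc, ku = b"CA:FALSE", b"digitalSignature, keyEncipherment"
    exts = [crypto.X509Extension(b"basicConstraints", True, bc),  # True = critical
            crypto.X509Extension(b"keyUsage", True, ku),
            crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert)]
    if issuer_cert is not None:
        exts.append(crypto.X509Extension(b"authorityKeyIdentifier", False,
                                         b"keyid:always", issuer=issuer_cert))
    cert.add_extensions(exts)
    cert.sign(issuer_key, "sha256")            # not "sha1" as on the slide
    return cert


def issue_from_csr(req, issuer_cert, issuer_key, serial, days):
    # Check the CSR's own signature before trusting the public key it carries.
    if not req.verify(req.get_pubkey()):
        raise ValueError("CSR signature does not verify")
    return issue_cert(req.get_subject().CN, req.get_pubkey(),
                      issuer_cert, issuer_key, serial, days)


def validate_chain(trusted_root, intermediates, leaf):
    # Certification path validation (RFC 5280 section 6) done by OpenSSL:
    # signatures, validity periods, basicConstraints, pathlen and keyUsage.
    # Only the root is trusted; intermediates are untrusted chain material.
    store = crypto.X509Store()
    store.add_cert(trusted_root)
    ctx = crypto.X509StoreContext(store, leaf, chain=intermediates)
    try:
        ctx.verify_certificate()
        return True, ""
    except crypto.X509StoreContextError as err:
        return False, str(err)


def demo():
    # Root CA -> issuing CA (pathlen:0) -> device cert, plus cases to reject.
    root_key, sub_key, dev_key = make_key(), make_key(), make_key()
    root = issue_cert("Example Root CA", root_key, None, root_key, 1, 3650, is_ca=True)
    sub = issue_cert("Example Issuing CA", sub_key, root, root_key, 2, 1825,
                     is_ca=True, pathlen=0)
    leaf = issue_from_csr(make_csr("device-0001", dev_key), sub, sub_key, 3, 365)
    out = {"valid_chain": validate_chain(root, [sub], leaf)[0]}
    # Same leaf and issuing CA, different trust anchor: nothing chains.
    other_key = make_key()
    other_root = issue_cert("Other Root", other_key, None, other_key, 1, 3650, is_ca=True)
    out["wrong_root"] = validate_chain(other_root, [sub], leaf)[0]
    # pathlen:0 forbids any CA below the issuing CA, even though every
    # signature in this longer chain is correct.
    rogue_key = make_key()
    rogue_ca = issue_cert("Rogue Sub-CA", rogue_key, sub, sub_key, 99, 365, is_ca=True)
    rogue_leaf = issue_cert("device-evil", dev_key, rogue_ca, rogue_key, 1, 365)
    out["pathlen_violation"] = validate_chain(root, [sub, rogue_ca], rogue_leaf)[0]
    # Correct signature, but notAfter is already in the past.
    expired = issue_cert("device-old", dev_key, sub, sub_key, 4, -1)
    out["expired"] = validate_chain(root, [sub], expired)[0]
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

The trust store holds only the root; the issuing CA travels as untrusted chain material, which is how a TLS server or a device would present it. Putting intermediates into X509Store instead would make them trust anchors in their own right and hide mistakes such as the pathlen violation above.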
