TLS Certificate Utilities

Module for working with X.509 certificates.

zaza.utilities.cert.generate_cert(common_name, alternative_names=None, password=None, issuer_name=None, signing_key=None, signing_key_password=None, generate_ca=False)

Generate an X.509 certificate.

Example of how to create a certificate chain:

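from zaza.utilities.cert import generate_cert

# CA private key and CA certificate
(cakey, cacert) = generate_cert(
    'DivineAuthority',
    generate_ca=True)
# Key and certificate for test.com, signed with the CA key
(crkey, crcert) = generate_cert(
    'test.com',
    issuer_name='DivineAuthority',
    signing_key=cakey)

Parameters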
  • common_name (str) – Common Name to use in generated certificate

  • alternative_names (Optional[list(str)]) – List of names to add as SubjectAlternativeName

  • password (Optional[str]) – Password to protect encrypted private key with

  • issuer_name (Optional[str]) – Issuer name, must match provided_private_key issuer

  • signing_key (Optional[str]) – PEM encoded PKCS8 formatted private key

  • signing_key_password (Optional[str]) – Password to decrypt private key

  • generate_ca (bool) – Generate a certificate usable as a CA certificate

Returns

X.509 certificate

Return type

cryptography.x509.Certificate
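
Added example, not zaza's code and not calling zaza: the same two-certificate chain built directly with the cryptography library, plus a check of the conditions that issuer_name, signing_key and generate_ca control. The helper names new_key, build_cert and chain_problems are hypothetical, and RSA-2048 keys with SHA-256 signatures are assumptions.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def new_key():
    """Assumed key type for this example: RSA-2048."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_cert(common_name, issuer_name, public_key, signing_key, is_ca):
    """Hypothetical helper: certificate for common_name, signed by signing_key."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(common_name))
            .issuer_name(name(issuer_name))
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                           critical=True)
            .sign(signing_key, hashes.SHA256()))


def chain_problems(leaf, ca):
    """Return the reasons (empty list if none) why ca cannot have issued leaf."""
    problems = []
    if leaf.issuer != ca.subject:
        problems.append("issuer name does not match CA subject")
    try:
        is_ca = ca.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    if not is_ca:
        problems.append("signer is not marked as a CA")
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("signature does not verify under CA key")
    return problems


if __name__ == "__main__":
    cakey, crkey = new_key(), new_key()
    cacert = build_cert("DivineAuthority", "DivineAuthority", cakey.public_key(), cakey, True)
    crcert = build_cert("test.com", "DivineAuthority", crkey.public_key(), cakey, False)
    print(chain_problems(crcert, cacert))
```
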

zaza.utilities.cert.is_keys_valid(public_key_string, private_key_string)

Test whether these are a valid public/private key pair.

Parameters
  • public_key_string (str) – PEM encoded key data.

  • private_key_string (str) – OpenSSH encoded key data.

zaza.utilities.cert.sign_csr(csr, ca_private_key, ca_cert=None, issuer_name=None, ca_private_key_password=None, generate_ca=False)

Sign CSR with the given key.

Parameters
  • csr (str) – Certificate to sign

  • ca_private_key (str) – Private key to be used to sign csr

  • ca_cert (str) – Certificate to take some options from

  • issuer_name (Optional[str]) – Issuer name, must match provided_private_key issuer

  • ca_private_key_password (Optional[str]) – Password to decrypt ca_private_key

  • generate_ca (bool) – Allow the resulting certificate to be used as a CA

Returns

X.509 certificate

Return type

cryptography.x509.Certificate