
I generated a certificate signing request (csr)

from OpenSSL import crypto

cert = crypto.X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "Minnesota"
cert.get_subject().L = "Minnetonka"
cert.get_subject().O = "my company"
cert.get_subject().OU = "my organization"
cert.get_subject().CN = "aaa.com"

Then saved it.

# Save the csr
name = 'cert.crt'
pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
with open(name, 'wb') as f:
    f.write(pem)

I would like to load the csr, sign it, and then save it.

Here is my try

# Read it
with open(name, 'rb') as pem:
    cert_pem = pem.read()

The next step would probably be to load the csr using a built-in function of the crypto library. Hence, I tried it with the functions dump_certificate, dump_certificate_request, load_certificate and load_certificate_request, using them as follows:

# Load
load_cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)

But I get errors.
The load_certificate creates the error:

Error: [('asn1 encoding routines', 'asn1_item_embed_d2i', 'field missing'), ('asn1 encoding routines', 'asn1_template_noexp_d2i', 'nested asn1 error'), ('asn1 encoding routines', 'asn1_template_noexp_d2i', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]

whereas the load_certificate_request creates the error:

Error: [('PEM routines', 'get_name', 'no start line')]

The dump_certificate and the dump_certificate_request create the error:

AttributeError: 'bytes' object has no attribute '_x509'

How could I load the CSR, to be ready for the signature?

Kyv
  • [ask] - why withhold the stacktrace with error info .... ? – Patrick Artner Apr 23 '22 at 23:17
  • Maybe take a look at this interesting answer: https://stackoverflow.com/a/60804101 – Stephan Schlecht Apr 24 '22 at 10:03
  • Thank you @StephanSchlecht for your answer. That one is a self signed certificate. I would like to remove the line `cert.sign(k, 'sha512')`. Then save the `csr` in order to pass it the CA for its signature. I removed that line and left the rest unchanged. I would now like to load it and sign it using the CA key. Something like: `cert = crypto.load_certificate(crypto.FILETYPE_PEM, read_file(CERT_FILE))`, then `cert.sign(ca_key, 'sha512')`. Is there a way to do something like that ? – Kyv Apr 24 '22 at 15:53
  • I see. That would be a call to `crypto.X509Req()` instead of `crypto.X509()`. There is also an interesting question on this topic on SO: https://stackoverflow.com/questions/24043226/generating-a-csr-with-python-crypto – Stephan Schlecht Apr 24 '22 at 16:17
  • 1
    It is not quite clear to me what you want to achieve. A CSR contains data like C, CN, ... and the public key of the applicant and is signed with the private key of the applicant (to ensure data consistency and prove ownership of the private key). What should be the point of signing the CSR with the CA's key, not to mention that you only have the CA's public key and a private key is needed for signing. The CA is responsible for signing the certificate, using its private key, and then sending the certificate to the applicant. – Topaco Apr 24 '22 at 16:52
  • 1
    With PyOpenSSL it does not seem to be possible to load an *unsigned* CSR, see here: https://github.com/pyca/pyopenssl/issues/700#issuecomment-759604074 – Topaco Apr 24 '22 at 17:09
  • Thank you @Topaco for your answer. Taking your comments into consideration, I have created another question. Please find it here: `https://stackoverflow.com/questions/71990455/signing-the-certificate-signing-request-of-a-client-in-python` – Kyv Apr 24 '22 at 17:29
  • @StephanSchlecht when I use `crypto.X509Req()` I get the error `AttributeError: 'X509Req' object has no attribute '_x509'` while saving the `csr`. It is the line `f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))` which produces the error. Could you provide a code example of the `csr` with `X509Req()`, that we will save, then load it to pass it to the `CA` for its signature ? – Kyv Apr 24 '22 at 17:39
  • @Kyv I could provide an example of how to create a CSR in Python - but the question headline is "How to load and sign certificate signing request using the crypto library" - what you're trying to accomplish here, however, is unfortunately unclear to me. – Stephan Schlecht Apr 24 '22 at 21:29
  • Thank you @StephanSchlecht . Generating a `CSR` as an applicant, then send it to a `CA` for its signature is what I am trying to achieve. This question was an intermediate question to achieve that goal. I would deeply appreciate such a python code. – Kyv Apr 25 '22 at 00:37
  • @Kyv Hm, I think we are still not on the same page. A CA does not sign the `CSR`. Do you want to retrieve a certificate from a third-party CA that allows visitors a secure TLS based connection and ensures they are connected to the correct server? Then you need to send a CSR signed by you. If you send an unsigned CSR, the CA would reject it. Then, after verification, the CA would send you another file, namely a certificate for the domain (this cert would be signed by the CA (not your CSR)). Or I didn't understand your use case and you are trying to achieve something completely different? – Stephan Schlecht Apr 25 '22 at 13:13
  • 1
    @StephanSchlecht , I think I need to understand the different expressions better. Anyway, thank you for your patience and your clarifications. – Kyv Apr 25 '22 at 18:05

0 Answers
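The workflow the comments describe, as an added example that is not part of the question or its comments: the applicant builds a CSR and signs it with its own private key (proof of possession), the CA loads the CSR, verifies that signature, and then issues a separate certificate signed with the CA key; the CSR itself is never "signed by the CA". It is written against the `cryptography` package (the library that pyOpenSSL's `crypto` module wraps) rather than `OpenSSL.crypto`, so the calls differ from the question's. The throwaway test CA, the 90-day lifetime, the SAN copied from the CSR and the `pem_label` helper (which shows why loading a `CERTIFICATE` file as a `CERTIFICATE REQUEST` yields "no start line") are assumptions of this example, not anything from the thread.

```python
# Added example, not from the question. Uses `cryptography`, not OpenSSL.crypto.
# The test CA, lifetimes and helper names are assumptions of this example.
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM
UTC = datetime.timezone.utc


def pem_label(pem: bytes) -> str:
    """PEM armor label ('CERTIFICATE REQUEST' vs 'CERTIFICATE'). A loader that
    expects one label and finds the other reports 'no start line'."""
    m = re.search(rb"-----BEGIN ([A-Z ]+)-----", pem)
    return m.group(1).decode() if m else ""


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_csr(key, common_name: str) -> bytes:
    """Applicant side: subject + public key, signed with the applicant's private key."""
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Minnesota"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "Minnetonka"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "my company"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "my organization"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(subject)
           .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
           .sign(key, hashes.SHA256()))
    return csr.public_bytes(PEM)


def make_test_ca():
    """Throwaway self-signed CA (assumed for the example); returns (key, cert)."""
    key = new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_certificate(ca_key, ca_cert, csr_pem: bytes, days: int = 90) -> bytes:
    """CA side: load the CSR, check the applicant's signature, issue a new cert
    signed with the CA key. The CSR is read, never re-signed."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: applicant does not hold the private key")
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateBuilder()
               .subject_name(csr.subject)
               .issuer_name(ca_cert.subject)
               .public_key(csr.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    # Copy only the SAN. Copying requested extensions blindly would let an
    # applicant ask for CA:TRUE or arbitrary key usages.
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(PEM)


def inspect(cert_pem: bytes, ca_pem: bytes) -> dict:
    """Reload both PEMs from bytes (as the question does) and check the issuer signature."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
        signed_by_ca = True
    except InvalidSignature:
        signed_by_ca = False
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return {
        "subject_cn": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "issuer_cn": cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "is_ca": bc.ca,
        "signed_by_ca": signed_by_ca,
    }


def run_demo() -> dict:
    csr_pem = make_csr(new_key(), "aaa.com")
    ca_key, ca_cert = make_test_ca()
    cert_pem = issue_certificate(ca_key, ca_cert, csr_pem)
    result = inspect(cert_pem, ca_cert.public_bytes(PEM))
    result["csr_label"], result["cert_label"] = pem_label(csr_pem), pem_label(cert_pem)
    return result


def tampered_csr_is_rejected() -> bool:
    """Flip the last signature byte of a CSR (constructed tamper); the CA must refuse it."""
    der = bytearray(x509.load_pem_x509_csr(make_csr(new_key(), "aaa.com"))
                    .public_bytes(serialization.Encoding.DER))
    der[-1] ^= 0x01
    bad_pem = x509.load_der_x509_csr(bytes(der)).public_bytes(PEM)
    ca_key, ca_cert = make_test_ca()
    try:
        issue_certificate(ca_key, ca_cert, bad_pem)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo(), tampered_csr_is_rejected())
```

`make_csr` writes a `CERTIFICATE REQUEST` PEM, which is the file the question's `load_certificate_request` call expects; the question's `dump_certificate` wrote a `CERTIFICATE` PEM of an unsigned `X509`, which neither loader can parse. On the CA side the `is_signature_valid` check is what makes the CSR's self-signature meaningful: without it a CA would certify a public key whose private half the applicant may not hold.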