Allow ExtendedKeyUsageOID and alternative names
craig8 opened this issue · 2 comments
Wow I am impressed with the amount of time this takes out of generating my own ca and certificates...Fantastic!
I am wondering about adding extended key usages for this for client auth as well as server certificates?
if type == 'server':
# if server cert specify that the certificate can be used as an SSL
# server certificate
cert_builder = cert_builder.add_extension(
x509.ExtendedKeyUsage((ExtendedKeyUsageOID.SERVER_AUTH,)),
critical=False
)
if hostname and fqdn != hostname:
cert_builder = cert_builder.add_extension(
x509.SubjectAlternativeName([DNSName(hostname), DNSName(fqdn)]),
critical=True
)
else:
cert_builder = cert_builder.add_extension(
x509.SubjectAlternativeName([DNSName(fqdn)]),
critical=True
)
elif type == 'client':
# specify that the certificate can be used as an SSL
# client certificate to enable TLS Web Client Authentication
cert_builder = cert_builder.add_extension(
x509.ExtendedKeyUsage((ExtendedKeyUsageOID.CLIENT_AUTH,)),
critical=False
)
+1
A fork is available https://github.com/Inqbus/ownca which shows the new functionality.
The new functionality is in fact a hack, but it does work.
cert = ca.issue_certificate(hostname=host_name, common_name=cn, ca=ca_flag, tls_role=tls_role)
with a given tls_role (have a look at the enum) should produce a cert with this feature.
Please give feedback how to proceed from here.
Cheers,
Volker