aboutsummaryrefslogtreecommitdiffstats
path: root/docs/x509/tutorial.rst
blob: 0fa061a2f01f7a456cde2bebfd0c0e8f6a111ef8 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

Tutorial
========

X.509 certificates are used to authenticate clients on servers. The most common
use case is for web servers using HTTPS.

Creating a Certificate Signing Request (CSR)
--------------------------------------------

When obtaining a certificate from a certificate authority (CA), the usual
flow is:

1. You generate a private/public key pair.
2. You create a request for a certificate, which is signed by your key (to
   prove that you own that key).
3. You give your CSR to a CA (but *not* the private key).
4. The CA validates that you own the resource (e.g. domain) you want a
   certificate for.
5. The CA gives you a certificate, signed by them, which identifies your public
   key, and the resource you are authenticated for.
6. You configure your server to use that certificate, combined with your
   private key, to server traffic.

If you want to obtain a certificate from a typical commercial CA, here's how.
First, you'll need to generate a private key, we'll generate an RSA key (these
are the most common types of keys on the web right now):

.. code-block:: pycon

    >>> from cryptography.hazmat.backends import default_backend
    >>> from cryptography.hazmat.primitives import serialization
    >>> from cryptography.hazmat.primitives.asymmetric import rsa
    >>> # Generate our key
    >>> key = rsa.generate_private_key(
    ...     public_exponent=65537,
    ...     key_size=2048,
    ...     backend=default_backend()
    ... )
    >>> # Write our key to disk for safe keeping
    >>> with open("path/to/store/key.pem", "wb") as f:
    ...     f.write(key.private_bytes(
    ...         encoding=serialization.Encoding.PEM,
    ...         format=serialization.PrivateFormat.TraditionalOpenSSL,
    ...         encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase"),
    ...     ))

If you've already generated a key you can load it with
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`.

Next we need to generate a certificate signing request. A typical CSR contains
a few details:

* Information about our public key (including a signature of the entire body).
* Information about who *we* are.
* Information about what domains this certificate is for.

.. code-block:: pycon

    >>> from cryptography import x509
    >>> from cryptography.x509.oid import NameOID
    >>> from cryptography.hazmat.primitives import hashes
    >>> # Generate a CSR
    >>> csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
    ...     # Provide various details about who we are.
    ...     x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
    ...     x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
    ...     x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
    ...     x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
    ...     x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
    ... ])).add_extension(
    ...     x509.SubjectAlternativeName([
    ...         # Describe what sites we want this certificate for.
    ...         x509.DNSName(u"mysite.com"),
    ...         x509.DNSName(u"www.mysite.com"),
    ...         x509.DNSName(u"subdomain.mysite.com"),
    ...     ]),
    ...     critical=False,
    ... # Sign the CSR with our private key.
    ... ).sign(key, hashes.SHA256(), default_backend())
    >>> # Write our CSR out to disk.
    >>> with open("path/to/csr.pem", "wb") as f:
    ...     f.write(csr.public_bytes(serialization.Encoding.PEM))

Now we can give our CSR to a CA, who will give a certificate to us in return.
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-04 20:38:24 +0000
="nv">STAMP_DIR_HOST=$(BUILD_DIR_HOST)/stamp TARGET_ROOTFS_DIR?=$(if $(call qstrip,$(CONFIG_TARGET_ROOTFS_DIR)),$(call qstrip,$(CONFIG_TARGET_ROOTFS_DIR)),$(BUILD_DIR)) TARGET_DIR:=$(TARGET_ROOTFS_DIR)/root-$(BOARD) DEBUG_DIR:=$(BUILD_DIR)/debug-$(BOARD) BUILD_LOG_DIR:=$(TOPDIR)/logs TARGET_PATH:=$(TOOLCHAIN_DIR)/usr/bin:$(STAGING_DIR_HOST)/bin:$(PATH) TARGET_PATH_PKG:=$(STAGING_DIR)/host/bin:$(TARGET_PATH) TARGET_CFLAGS:=$(TARGET_OPTIMIZATION)$(if $(CONFIG_DEBUG), -g3) TARGET_CPPFLAGS:=-I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include TARGET_LDFLAGS:=-L$(TOOLCHAIN_DIR)/usr/lib -L$(TOOLCHAIN_DIR)/lib -L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib LIBGCC_S=$(if $(wildcard $(TOOLCHAIN_DIR)/lib/libgcc_s.so),-lgcc_s,$(wildcard $(TOOLCHAIN_DIR)/lib/gcc/*/*/libgcc.a)) ifndef DUMP ifeq ($(CONFIG_NATIVE_TOOLCHAIN),) -include $(TOOLCHAIN_DIR)/info.mk REAL_GNU_TARGET_NAME=$(OPTIMIZE_FOR_CPU)-openwrt-linux$(if $(TARGET_SUFFIX),-$(TARGET_SUFFIX)) GNU_TARGET_NAME=$(OPTIMIZE_FOR_CPU)-openwrt-linux TARGET_CROSS:=$(if $(TARGET_CROSS),$(TARGET_CROSS),$(OPTIMIZE_FOR_CPU)-openwrt-linux$(if $(TARGET_SUFFIX),-$(TARGET_SUFFIX))-) TARGET_CFLAGS+= -fhonour-copts endif endif ifeq ($(CONFIG_SOFT_FLOAT),y) SOFT_FLOAT_CONFIG_OPTION:=--with-float=soft TARGET_CFLAGS+= -msoft-float else SOFT_FLOAT_CONFIG_OPTION:= endif export PATH:=$(TARGET_PATH) export STAGING_DIR export GCC_HONOUR_COPTS:=0 PKG_CONFIG:=$(STAGING_DIR_HOST)/bin/pkg-config export PKG_CONFIG HOSTCC:=gcc HOST_CFLAGS:=-O2 -I$(STAGING_DIR_HOST)/include HOST_LDFLAGS:=-L$(STAGING_DIR_HOST)/lib TARGET_CC:=$(TARGET_CROSS)gcc TARGET_CXX:=$(if $(CONFIG_INSTALL_LIBSTDCPP),$(TARGET_CROSS)g++,no) PATCH:=$(SCRIPT_DIR)/patch-kernel.sh SED:=$(STAGING_DIR_HOST)/bin/sed -i -e CP:=cp -fpR INSTALL_BIN:=install -m0755 INSTALL_DIR:=install -d -m0755 INSTALL_DATA:=install -m0644 INSTALL_CONF:=install -m0600 ifneq ($(CONFIG_CCACHE),) # FIXME: move this variable to a better location export CCACHE_DIR=$(STAGING_DIR)/ccache TARGET_CC:= ccache $(TARGET_CC) endif TARGET_CONFIGURE_OPTS:= \ AR=$(TARGET_CROSS)ar \ AS="$(TARGET_CC) -c $(TARGET_CFLAGS)" \ LD=$(TARGET_CROSS)ld \ NM=$(TARGET_CROSS)nm \ CC="$(TARGET_CC)" \ GCC="$(TARGET_CC)" \ CXX="$(TARGET_CXX)" \ RANLIB=$(TARGET_CROSS)ranlib \ STRIP=$(TARGET_CROSS)strip \ OBJCOPY=$(TARGET_CROSS)objcopy \ OBJDUMP=$(TARGET_CROSS)objdump \ SIZE=$(TARGET_CROSS)size # strip an entire directory ifneq ($(CONFIG_NO_STRIP),) RSTRIP:=: STRIP:=: else ifneq ($(CONFIG_USE_STRIP),) STRIP:=$(TARGET_CROSS)strip else ifneq ($(CONFIG_USE_SSTRIP),) STRIP:=$(STAGING_DIR_HOST)/bin/sstrip endif endif RSTRIP:= \ NM="$(TARGET_CROSS)nm" \ STRIP="$(STRIP)" \ STRIP_KMOD="$(TARGET_CROSS)strip --strip-unneeded --remove-section=.comment" \ $(SCRIPT_DIR)/rstrip.sh endif ifeq ($(CONFIG_ENABLE_LOCALE),true) DISABLE_NLS:= else DISABLE_NLS:=--disable-nls endif ifneq ($(CONFIG_LARGEFILE),y) DISABLE_LARGEFILE= --disable-largefile endif ifeq ($(CONFIG_TAR_VERBOSITY),y) TAR_OPTIONS:=-xvf - else TAR_OPTIONS:=-xf - endif define shvar V_$(subst .,_,$(subst -,_,$(subst /,_,$(1)))) endef define shexport $(call shvar,$(1))=$$(call $(1)) export $(call shvar,$(1)) endef # file extension ext=$(word $(words $(subst ., ,$(1))),$(subst ., ,$(1))) all: FORCE: ; .PHONY: FORCE endif #__rules_inc
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-04 20:38:23 +0000