<div dir="ltr"><span style="font-size:12.8px">Dear everyone,</span><div style="font-size:12.8px"> I have a trouble in adding the extension 'subject directory attributes' to a certificate using Python. I have tried to use 'subjectDirAttrs' and 'subjectDirectoryAttributes', but neither of them can work. The error is 'OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]'. </div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"> I have installed PyOpenSSL v16.1.0 and imported crypto from OpenSSL as the code below shows. My programming environment is Ubuntu 16.04.1 x64 and Python 2.7.12. Can anyone give a practical solution?</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"> In addition, when I want to add another extension 'certificate policies', the error is 'OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'no config database'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]'. Can anyone tell me how to add this extension to a certificate? </div><div style="font-size:12.8px"> </div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"> Thanks in advance!</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"> # My code</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><pre style="white-space:pre-wrap;margin-top:0px;margin-bottom:1em;padding:5px;border:0px;font-size:13px;width:auto;max-height:600px;overflow:auto;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;background-color:rgb(239,240,241);word-wrap:normal;color:rgb(36,39,41)"><code style="margin:0px;padding:0px;border:0px;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;white-space:inherit">#! /usr/bin/env python
from OpenSSL import crypto
newSubject=crypto.X509Name(cry<wbr>pto.X509().get_subject())
newSubject.C='US'
newSubject.ST='California'
newSubject.O='University of California, Davis'
newSubject.OU='Computer Science, UCDavis'
newSubject.CN='<a href="http://www.cs.ucdavis.edu/" target="_blank">www.cs.ucdavis.<wbr>edu</a>'
newCert=crypto.X509()
newCert.set_version(2)
newCert.set_serial_number(2016<wbr>120711)
newCert.set_notBefore('2016120<wbr>7125959Z')
newCert.set_notAfter('20171207<wbr>125959Z')
newCert.set_issuer(newSubject)
newCert.set_subject(newSubject<wbr>)
pkObject=crypto.PKey()
pkObject.generate_key(crypto.T<wbr>YPE_RSA,2048)
newCert.set_pubkey(pkObject)
newExt=crypto.X509Extension('b<wbr>asicConstraints', True, 'CA:true')
newCert.add_extensions([newExt<wbr>])
newExt=crypto.X509Extension('s<wbr>ubjectDirAttrs', True, 'something')
newCert.add_extensions([newExt<wbr>])
newCert.sign(pkObject,'sha256'<wbr>)
with open('sample.pem','w') as f:
f.write(crypto.dump_certificat<wbr>e(crypto.FILETYPE_PEM,newCert)<wbr>)</code></pre></div></div>