[Twisted-Python] loading intermediate CA certs from a chain file
Hi There,

Does Twisted support or is there any way of loading intermediate CA certs from a chain file?

I have an SSL certificate issued by Thawte, but my system administrator says, as quoted: "Looks like you may need to install an Intermediary certificate. Relevant certs for Thawte can be found at https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO13881"

I am not sure how to generate a chain file and, later, how to use it in a Twisted SSL-enabled server. At the moment, I am using the following line of code:

    root_ssl_service = internet.SSLServer(443, site_ssl, DefaultOpenSSLContextFactory(
        privateKeyFileName="cert/server.key",
        certificateFileName="cert/server.pem"))

Thanks in advance.

Sury
On 07:13 am, ssoni@nextdigital.com wrote:
Hi There,
Does Twisted support or is there any way of loading intermediate CA certs from a chain file?
Twisted uses pyOpenSSL for its SSL support, so you can do pretty much anything pyOpenSSL allows. http://packages.python.org/pyOpenSSL/openssl-context.html documents the Context interface; in particular, use_certificate_chain_file might be interesting.

However, I recently had a conversation with someone who was using this method and still couldn't get their chain certificate to work reliably. I think he's still trying to track down the issue.

Jean-Paul
What I recommend is to put the whole chain in one file using the openssl kit (maybe just cat'ing works). However, most certs issued nowadays already contain the chain. You can check with openssl x509 -in cert.pem -text and see the attached signer's certificate in base64, copy that to a new.pem and repeat. You can walk this way up the chain to the root cert. If you can, the chaining is not your problem.

Try playing with the openssl toolkit alone and see what it says about cert and key.
2010/7/20, exarkun@twistedmatrix.com
-- Sent from my mobile device -- Konrads Smelkovs Applied IT sorcery.
I was able to solve this problem by writing the following class. Thank you JP for pointing me to the use_certificate_chain_file function.

    from OpenSSL import SSL
    from twisted.internet.ssl import DefaultOpenSSLContextFactory

    class ChainedOpenSSLContextFactory(DefaultOpenSSLContextFactory):
        def __init__(self, privateKeyFileName, certificateChainFileName,
                     sslmethod=SSL.SSLv23_METHOD):
            """
            @param privateKeyFileName: Name of a file containing a private key
            @param certificateChainFileName: Name of a file containing a certificate chain
            @param sslmethod: The SSL method to use
            """
            self.privateKeyFileName = privateKeyFileName
            self.certificateChainFileName = certificateChainFileName
            self.sslmethod = sslmethod
            self.cacheContext()

        def cacheContext(self):
            # Load the whole chain file (server certificate first, then the
            # CA certificates) instead of the single certificate file that
            # DefaultOpenSSLContextFactory loads.
            ctx = SSL.Context(self.sslmethod)
            ctx.use_certificate_chain_file(self.certificateChainFileName)
            ctx.use_privatekey_file(self.privateKeyFileName)
            self._context = ctx
And I used it in place of DefaultOpenSSLContextFactory like this:
    ssl_service = internet.SSLServer(443, site_ssl,
        ChainedOpenSSLContextFactory(
            privateKeyFileName="cert/server.key",
            certificateChainFileName="cert/chain.pem",
            sslmethod=SSL.SSLv3_METHOD))

where chain.pem was the cat'ed version of my certificate + CA certificate + root certificate. Thank you Konrads for suggesting this cat'ing thing.

If anyone still has problems in this area, they will have to track down the correct chain of certificates. I myself got stuck choosing the correct CA certificate, since Thawte has many different CA certificates for different purposes. Eventually I managed to pick the right one.
Cheers.
-Sury
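The checks Konrads describes (walk the signer certificates up to the root with the openssl toolkit and see what it says about cert and key) and the cat'ed chain.pem that Sury ended up with, carried through as an added example. This is not code from the thread or from Twisted or pyOpenSSL. It builds a constructed root CA, intermediate CA and server certificate under made-up names ("Constructed Test Root CA", "Constructed Test Intermediate CA", example.test) so that it runs offline with nothing but the openssl command; the helper names walk_chain and key_matches_cert and every file name are this example's own. The chain file is written with the server certificate first and the CA certificates after it, which is the order OpenSSL's use_certificate_chain_file expects.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a constructed three-level
# hierarchy (root CA -> intermediate CA -> server cert) with the openssl
# toolkit, writes chain.pem the way Sury did, and walks it link by link
# as Konrads suggests. All names and file names here are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# 1. Self-signed root (stands in for the vendor's root CA).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -keyout root.key -out root.pem -subj "/CN=Constructed Test Root CA" \
  -config ca.cnf -extensions v3_ca 2>/dev/null

# 2. Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Test Intermediate CA" -config ca.cnf 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -out inter.pem -extfile ca.cnf -extensions v3_inter 2>/dev/null

# 3. Server certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=example.test" -config ca.cnf 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -out server.pem -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# 4. chain.pem in the order use_certificate_chain_file expects:
#    server certificate first, then intermediates, root last.
cat server.pem inter.pem root.pem > chain.pem

# Print "subject (issued by: issuer)" for every certificate block in a chain
# file and fail if a link is broken: the issuer of block N must be the
# subject of block N+1, and the last block must be self-signed.
walk_chain() {
    chain=$1
    count=$(grep -c 'BEGIN CERTIFICATE' "$chain")
    prev_issuer=""
    subject=""
    issuer=""
    i=1
    while [ "$i" -le "$count" ]; do
        # Pick out the i-th PEM block of the file.
        block=$(awk -v n="$i" '/BEGIN CERTIFICATE/{c++} c==n' "$chain")
        subject=$(printf '%s\n' "$block" | openssl x509 -noout -subject -nameopt RFC2253)
        issuer=$(printf '%s\n' "$block" | openssl x509 -noout -issuer -nameopt RFC2253)
        subject=${subject#subject=}
        issuer=${issuer#issuer=}
        echo "$i: $subject (issued by: $issuer)"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "broken link at block $i: expected subject '$prev_issuer'" >&2
            return 1
        fi
        prev_issuer=$issuer
        i=$((i + 1))
    done
    [ "$subject" = "$issuer" ]
}

# Does the private key belong to the certificate? Compare the public keys.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

walk_chain chain.pem
key_matches_cert server.key server.pem && echo "server.key matches server.pem"
# Full cryptographic verification of the chain against the root.
openssl verify -CAfile root.pem -untrusted chain.pem server.pem
```

walk_chain only checks that the names link up, which is exactly what the manual "copy the signer's certificate and repeat" walk tells you; the openssl verify call at the end is what proves the signatures. Putting the root into chain.pem, as the thread did, is harmless but not needed, since a client must already trust the root for the chain to be accepted. A deployment done today would also pass a TLS method to the context factory rather than SSL.SSLv3_METHOD, which OpenSSL builds have long since disabled.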