From aowtea at gmail.com  Wed Dec  7 08:07:56 2016
From: aowtea at gmail.com (Aow Tea)
Date: Wed, 7 Dec 2016 21:07:56 +0800
Subject: [pyOpenSSL-Users] How to add 'subject directory attributes' to a certificate using Python?
Message-ID:

Dear everyone,

I am having trouble adding the extension 'subject directory attributes' to a certificate using Python. I have tried to use 'subjectDirAttrs' and 'subjectDirectoryAttributes', but neither of them works. The error is

'OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'unknown extension name'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]'.

I have installed PyOpenSSL v16.1.0 and imported crypto from OpenSSL as the code below shows. My programming environment is Ubuntu 16.04.1 x64 and Python 2.7.12. Can anyone give a practical solution?

In addition, when I want to add another extension, 'certificate policies', the error is

'OpenSSL.crypto.Error: [('X509 V3 routines', 'DO_EXT_NCONF', 'no config database'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]'.

Can anyone tell me how to add this extension to a certificate?

Thanks in advance!

# My code
#!/usr/bin/env python
from OpenSSL import crypto

newSubject=crypto.X509Name(crypto.X509().get_subject())
newSubject.C='US'
newSubject.ST='California'
newSubject.O='University of California, Davis'
newSubject.OU='Computer Science, UCDavis'
newSubject.CN='www.cs.ucdavis.edu'

newCert=crypto.X509()
newCert.set_version(2)
newCert.set_serial_number(2016120711)
newCert.set_notBefore('20161207125959Z')
newCert.set_notAfter('20171207125959Z')
newCert.set_issuer(newSubject)
newCert.set_subject(newSubject)

pkObject=crypto.PKey()
pkObject.generate_key(crypto.TYPE_RSA,2048)
newCert.set_pubkey(pkObject)

newExt=crypto.X509Extension('basicConstraints', True, 'CA:true')
newCert.add_extensions([newExt])
newExt=crypto.X509Extension('subjectDirAttrs', True, 'something')
newCert.add_extensions([newExt])

newCert.sign(pkObject,'sha256')

with open('sample.pem','w') as f:
    f.write(crypto.dump_certificate(crypto.FILETYPE_PEM,newCert))
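
An added example, not part of the original post and not pyOpenSSL's own code: one way around both errors is to DER-encode the extension value yourself and hand it to OpenSSL through its arbitrary-extension "DER:" syntax, naming the extension by OID. It is written for Python 3 with the standard library only; the attribute (countryOfCitizenship), the sample values and the pyOpenSSL call shown in the closing comment are assumptions.

```python
# Added example (Python 3, standard library only); not code from the post.
# OIDs: 2.5.29.9 subjectDirectoryAttributes, 2.5.29.32 certificatePolicies
# (RFC 5280); 1.3.6.1.5.5.7.9.4 countryOfCitizenship (RFC 3739).
import binascii

def der_tlv(tag, content):
    """Tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed together, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def subject_directory_attributes(country):
    """SEQUENCE OF Attribute { type OID, values SET OF PrintableString }."""
    value = der_tlv(0x13, country.encode("ascii"))
    attr = der_tlv(0x30, der_oid("1.3.6.1.5.5.7.9.4") + der_tlv(0x31, value))
    return der_tlv(0x30, attr)

def certificate_policies(policy_oids):
    """SEQUENCE OF PolicyInformation { policyIdentifier OID }, no qualifiers."""
    infos = b"".join(der_tlv(0x30, der_oid(o)) for o in policy_oids)
    return der_tlv(0x30, infos)

def openssl_der_value(der):
    """Format raw bytes for OpenSSL's generic 'DER:' extension value syntax."""
    return b"DER:" + binascii.hexlify(der)

if __name__ == "__main__":
    # Constructed sample values: country "US", policy anyPolicy (2.5.29.32.0).
    print(openssl_der_value(subject_directory_attributes("US")))
    print(openssl_der_value(certificate_policies(["2.5.29.32.0"])))
    # Assumed pyOpenSSL usage, non-critical as RFC 5280 requires for 2.5.29.9:
    # crypto.X509Extension(b"2.5.29.9", False, openssl_der_value(...))
```

Inspect the resulting certificate with `openssl x509 -text -noout` to confirm both extensions parse as intended before relying on it.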