我在这个线程上找到了创建 CSR 的函数:Generating a CSR in Python
但是,它没有提到我如何将 SAN(SubjectAltName)添加到 CSR,这对于浏览器认为使用此 CSR 生成的证书是安全的很重要。
然后我在这个线程中找到了一个将 SAN 添加到 CSR 的单独函数: Is it possible to set subjectAltName using pyOpenSSL?
问题是无论出于何种原因我都无法将两者结合起来。每当我添加它时,似乎 Microsoft Active Directory 证书服务不喜欢它并给我这个错误: 证书服务错误消息
我究竟做错了什么?感谢您提前提供的所有帮助
这是我的代码正在寻找参考的方式:
def create_csr(common_name, country=None, state=None, city=None,
organization=None, organizational_unit=None,
email_address=None):
"""
Args:
common_name (str).
country (str).
state (str).
city (str).
organization (str).
organizational_unit (str).
email_address (str).
Returns:
(str, str). Tuple containing private key and certificate
signing request (PEM).
"""
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
req = OpenSSL.crypto.X509Req()
req.get_subject().CN = common_name
if country:
req.get_subject().C = country
if state:
req.get_subject().ST = state
if city:
req.get_subject().L = city
if organization:
req.get_subject().O = organization
if organizational_unit:
req.get_subject().OU = organizational_unit
if email_address:
req.get_subject().emailAddress = email_address
req.set_pubkey(key)
req.sign(key, 'sha256')
san_list = ["IP:" + common_name, "DNS:" + common_name]
req.add_extensions([
OpenSSL.crypto.X509Extension(
"subjectAltName".encode("utf-8"), False, (", ".join(san_list)).encode("utf-8")
)
])
private_key = OpenSSL.crypto.dump_privatekey(
OpenSSL.crypto.FILETYPE_PEM, key)
csr = OpenSSL.crypto.dump_certificate_request(
OpenSSL.crypto.FILETYPE_PEM, req)
return private_key, csr