ExamplesΒΆ
Generate a CSR with Cryptography and get a cert from an ADCS server:
from certsrv import Certsrv
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
# Generate a key
key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
# Generate a CSR
csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u"myserver.example.com"),
])).add_extension(
x509.SubjectAlternativeName([
x509.DNSName(u"myserver.example.com"),
]),
critical=False,
).sign(key, hashes.SHA256(), default_backend())
# Get the cert from the ADCS server
pem_req = csr.public_bytes(serialization.Encoding.PEM)
ca_server = Certsrv("my-adcs-server.example.net", "myUser", "myPassword")
pem_cert = ca_server.get_cert(pem_req, "WebServer")
# Print the key and the cert
pem_key = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
print("Cert:\n{}".format(pem_cert.decode()))
print("Key:\n{}".format(pem_key.decode()))
Generate a CSR with pyOpenSSL and get a cert from an ADCS server:
import OpenSSL
from certsrv import Certsrv
# Generate a key
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
# Generate a CSR
req = OpenSSL.crypto.X509Req()
req.get_subject().CN="myserver.example.com"
san = b"DNS: myserver.example.com"
san_extension = OpenSSL.crypto.X509Extension(b"subjectAltName", False, san)
req.add_extensions([san_extension])
req.set_pubkey(key)
req.sign(key, "sha256")
# Get the cert from the ADCS server
pem_req = OpenSSL.crypto.dump_certificate_request(OpenSSL.crypto.FILETYPE_PEM, req)
ca_server = Certsrv("my-adcs-server.example.net", "myUser", "myPassword")
pem_cert = ca_server.get_cert(pem_req, "WebServer")
# Print the key and the cert
pem_key = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
print("Cert:\n{}".format(pem_cert.decode()))
print("Key:\n{}".format(pem_key.decode()))
Generate a CSR with pyOpenSSL and get a cert from an ADCS server with a template that requires admin approval:
import time
import OpenSSL
import certsrv
# Generate a key
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
# Generate a CSR
req = OpenSSL.crypto.X509Req()
req.get_subject().CN="myserver.example.com"
san = b"DNS: myserver.example.com"
san_extension = OpenSSL.crypto.X509Extension(b"subjectAltName", False, san)
req.add_extensions([san_extension])
req.set_pubkey(key)
req.sign(key, "sha256")
# Get the cert from the ADCS server
ca_server = certsrv.Certsrv("my-adcs-server.example.net", "myUser", "myPassword")
pem_req = OpenSSL.crypto.dump_certificate_request(OpenSSL.crypto.FILETYPE_PEM, req)
try:
pem_cert = ca_server.get_cert(pem_req, "WebServerManual")
except certsrv.CertificatePendingException as error:
print("The request needs to be approved by the CA admin."
"The Request Id is {}. She has a minute to approve it...".format(error.req_id))
time.sleep(60)
pem_cert = ca_server.get_existing_cert(error.req_id)
# Print the key and the cert
pem_key = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
print("Cert:\n{}".format(pem_cert.decode()))
print("Key:\n{}".format(pem_key.decode()))