| 1 | #!/usr/bin/env python2 |
|---|
| 2 | |
|---|
| 3 | from OpenSSL import * |
|---|
| 4 | |
|---|
| 5 | PRIVATE_KEY = "/etc/pki/tls/private/scripts-2048.key" |
|---|
| 6 | # PEM format with no passphrase |
|---|
| 7 | |
|---|
| 8 | SUBJECT_ATTRIBUTES = [ |
|---|
| 9 | ("countryName", "US"), |
|---|
| 10 | ("stateOrProvinceName", "Massachusetts"), |
|---|
| 11 | ("localityName", "Cambridge"), |
|---|
| 12 | ("organizationName", "Massachusetts Institute of Technology"), |
|---|
| 13 | ("organizationalUnitName", "scripts.mit.edu web hosting service"), |
|---|
| 14 | ("CN", None), # to be filled in below |
|---|
| 15 | ("emailAddress", "scripts@mit.edu"), |
|---|
| 16 | ] |
|---|
| 17 | |
|---|
| 18 | EXTENSIONS = [ |
|---|
| 19 | # apparently OpenSSL marks CSR extensions as non-critical; it's not our |
|---|
| 20 | # fault if the CA messes up and forgets CA:FALSE, right? |
|---|
| 21 | ("basicConstraints", False, "CA:FALSE"), |
|---|
| 22 | ("keyUsage", False, "nonRepudiation, digitalSignature, keyEncipherment"), |
|---|
| 23 | ] |
|---|
| 24 | |
|---|
| 25 | def generate_csr(cn, alt_names=None): |
|---|
| 26 | """ |
|---|
| 27 | Generate a CSR for the given Common Name (a hostname) with the provided |
|---|
| 28 | subjectAltName's (a list of hostnames) using the above settings. |
|---|
| 29 | |
|---|
| 30 | Returns a PEM string. |
|---|
| 31 | """ |
|---|
| 32 | req = crypto.X509Req() |
|---|
| 33 | |
|---|
| 34 | # set the subject fields (in the same order as OpenSSL XD) |
|---|
| 35 | subject = req.get_subject() |
|---|
| 36 | for attr, val in SUBJECT_ATTRIBUTES: |
|---|
| 37 | if attr == "CN": # fills in the CN in the right place |
|---|
| 38 | val = cn |
|---|
| 39 | setattr(subject, attr, val) # subject.attr = val |
|---|
| 40 | |
|---|
| 41 | # initialize the extensions |
|---|
| 42 | extensions = [] |
|---|
| 43 | for type_name, critical, value in EXTENSIONS: |
|---|
| 44 | ext = crypto.X509Extension(type_name, critical, value) |
|---|
| 45 | extensions.append(ext) |
|---|
| 46 | |
|---|
| 47 | # ...including subjectAltName |
|---|
| 48 | san_string = ", ".join("DNS:"+name for name in alt_names) |
|---|
| 49 | ext = crypto.X509Extension("subjectAltName", False, san_string) |
|---|
| 50 | extensions.append(ext) |
|---|
| 51 | |
|---|
| 52 | # and add them to the CSR |
|---|
| 53 | req.add_extensions(extensions) |
|---|
| 54 | |
|---|
| 55 | # load the private key |
|---|
| 56 | with open(PRIVATE_KEY) as f: |
|---|
| 57 | pk_pem = f.read() |
|---|
| 58 | private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, pk_pem) |
|---|
| 59 | |
|---|
| 60 | # do the bit with the key! |
|---|
| 61 | req.set_pubkey(private_key) # yeah...I know |
|---|
| 62 | req.sign(private_key, "sha256") |
|---|
| 63 | |
|---|
| 64 | # dump the CSR to PEM |
|---|
| 65 | return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) |
|---|
| 66 | |
|---|
| 67 | if __name__=="__main__": |
|---|
| 68 | import sys |
|---|
| 69 | if len(sys.argv) != 2: |
|---|
| 70 | print "usage: %s HOSTNAME" % sys.argv[0] |
|---|
| 71 | exit(1) |
|---|
| 72 | |
|---|
| 73 | hostname = sys.argv[1].lower() |
|---|
| 74 | if not hostname.endswith(".mit.edu"): |
|---|
| 75 | hostname += ".mit.edu" |
|---|
| 76 | |
|---|
| 77 | print generate_csr(hostname, [hostname]), # with subjectAltName |
|---|
| 78 | print >> sys.stderr, "Generated a CSR for %s using %s" % ( |
|---|
| 79 | hostname, PRIVATE_KEY) |
|---|
| 80 | exit(0) |
|---|
