9

I am trying to generate ac self signed X509v3 CA certificate using pyopenssl. I would want to add the extension authority key identifier (AKID) with keyid containing subject key identifier (SKID).

But my following code block does not copy the SKID to AKID rather throws an exception.

The code is as follows

import OpenSSL

key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)

ca = OpenSSL.crypto.X509()
ca.set_version(2)
ca.set_serial_number(1)
ca.get_subject().CN = "ca.example.com"
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
  OpenSSL.crypto.X509Extension("basicConstraints", True,
                               "CA:TRUE, pathlen:0"),
  OpenSSL.crypto.X509Extension("keyUsage", True,
                               "keyCertSign, cRLSign"),
  OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
                               subject=ca),
  OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
  ])
ca.sign(key, "sha1")
open("MyCertificate.crt.bin", "wb").write(
            OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, ca))

the Exception thrown is as follows

Traceback (most recent call last):
  File "C:\Documents and Settings\Administrator\Desktop\Certificate\certi.py", line 21, in <module>
    OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
Error: [('X509 V3 routines', 'V2I_AUTHORITY_KEYID', 'unable to get issuer keyid'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]

Now if I remove "always" from the line keyid parameter in the below line of the code

OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid",issuer=ca)

i get the AKID keyid field to be empty and it does not contain the SKID as shown below

          00:84:13:70:73:fe:29:61:5f:33:7d:b3:74:97:3b:
            3a:f3:11:01:7c:b8:37:a8:8c:72:81:ee:92:fd:91:
            8a:11:b3:b3:02:b4:97:d5:f8:1b:91:54:7e:15:49:
            26:6d
        Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Subject Key Identifier: 
        CE:D1:31:DE:CF:E3:E2:BC:6C:73:3D:55:F0:88:53:0A:F1:DC:31:14
    X509v3 Authority Key Identifier: 
        0.
Signature Algorithm: sha1WithRSAEncryption
     0b:7b:28:f6:b9:1e:6e:ec:53:6a:c5:77:db:c5:3f:5e:1d:ab:
     e5:43:73:eb:52:24:af:39:2b:aa:a3:f6:34:e1:92:4b:3b:5e:
     b6:1
Improve this question

1 Answer 1

Reset to default
13

It means that the CA key you are using doesn't have a subjectKeyIdentifier set.

In your example you are creating the authorityKeyIdentifier using a reference to ca which doesn't have subjectKeyIdentifier set yet.

If you change your code a to:

ca.add_extensions([
  OpenSSL.crypto.X509Extension("basicConstraints", True,
                               "CA:TRUE, pathlen:0"),
  OpenSSL.crypto.X509Extension("keyUsage", True,
                               "keyCertSign, cRLSign"),
  OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
                               subject=ca),
  ])
ca.add_extensions([
  OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
  ])

then it works.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.