ownca
Allow ExtendedKeyUsageOID and alternative names
Wow, I am impressed with the amount of time this takes out of generating my own CA and certificates... Fantastic!
I am wondering about adding extended key usages to this, for client auth as well as server certificates?
```python
from cryptography import x509
from cryptography.x509 import DNSName
from cryptography.x509.oid import ExtendedKeyUsageOID

if type == 'server':
    # if server cert specify that the certificate can be used as an SSL
    # server certificate
    cert_builder = cert_builder.add_extension(
        x509.ExtendedKeyUsage((ExtendedKeyUsageOID.SERVER_AUTH,)),
        critical=False
    )
    if hostname and fqdn != hostname:
        cert_builder = cert_builder.add_extension(
            x509.SubjectAlternativeName([DNSName(hostname), DNSName(fqdn)]),
            critical=True
        )
    else:
        cert_builder = cert_builder.add_extension(
            x509.SubjectAlternativeName([DNSName(fqdn)]),
            critical=True
        )
elif type == 'client':
    # specify that the certificate can be used as an SSL
    # client certificate to enable TLS Web Client Authentication
    cert_builder = cert_builder.add_extension(
        x509.ExtendedKeyUsage((ExtendedKeyUsageOID.CLIENT_AUTH,)),
        critical=False
    )
```
+1
A fork is available at https://github.com/Inqbus/ownca which shows the new functionality.
The new functionality is in fact a hack, but it does work.
```python
cert = ca.issue_certificate(hostname=host_name, common_name=cn, ca=ca_flag, tls_role=tls_role)
```
with a given tls_role (have a look at the enum) should produce a cert with this feature.
Please give feedback on how to proceed from here.
Cheers, Volker