feat: added intermediate certificate script generation

.gitignore

+.venv/

gen_cert.py

+import datetime
+import argparse
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+
+def load_ca(ca_cert_path, ca_key_path, ca_key_password=None):
+    with open(ca_cert_path, 'rb') as cert_file:
+        ca_cert = x509.load_pem_x509_certificate(cert_file.read())
+
+    with open(ca_key_path, 'rb') as key_file:
+        ca_key = serialization.load_pem_private_key(
+            key_file.read(), password=ca_key_password)
+
+    return ca_cert, ca_key
+
+
+def generate_private_key():
+    private_key = rsa.generate_private_key(
+        public_exponent=65537, key_size=2048)
+    return private_key
+
+
+def create_csr(private_key, common_name):
+    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
+        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
+    ])).sign(private_key, hashes.SHA256())
+    return csr
+
+
+def create_certificate(csr, issuer_cert, issuer_key, is_intermediate=False):
+    subject = csr.subject
+    issuer = issuer_cert.subject
+    builder = x509.CertificateBuilder().subject_name(
+        subject
+    ).issuer_name(
+        issuer
+    ).public_key(
+        csr.public_key()
+    ).serial_number(
+        x509.random_serial_number()
+    ).not_valid_before(
+        datetime.datetime.utcnow()
+    ).not_valid_after(
+        datetime.datetime.utcnow() + datetime.timedelta(days=365)
+    ).add_extension(
+        x509.SubjectKeyIdentifier.from_public_key(csr.public_key()),
+        critical=False
+    ).add_extension(
+        x509.AuthorityKeyIdentifier.from_issuer_public_key(
+            issuer_cert.public_key()),
+        critical=False
+    ).add_extension(
+        x509.BasicConstraints(ca=is_intermediate, path_length=None),
+        critical=True
+    )
+
+    certificate = builder.sign(
+        private_key=issuer_key, algorithm=hashes.SHA256())
+    return certificate
+
+
+def save_certificate(cert, filepath):
+    with open(filepath, "wb") as f:
+        f.write(cert.public_bytes(serialization.Encoding.PEM))
+
+
+def save_private_key(private_key, filepath, password=None):
+    encryption = serialization.NoEncryption()
+    if password:
+        encryption = serialization.BestAvailableEncryption(password.encode())
+
+    with open(filepath, "wb") as f:
+        f.write(private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.PKCS8,
+            encryption_algorithm=encryption
+        ))
+
+
+def main():
+    parser = argparse.ArgumentParser()
+
+    parser.add_argument("ca_cert_path", help="Path to the CA certificate")
+    parser.add_argument("ca_key_path", help="Path to the CA private key")
+    args = parser.parse_args()
+
+    ca_cert_path = args.ca_cert_path
+    ca_key_path = args.ca_key_path
+
+    ca_cert, ca_key = load_ca(ca_cert_path, ca_key_path, ca_key_password=None)
+
+    intermediate_private_key = generate_private_key()
+
+    intermediate_csr = create_csr(
+        intermediate_private_key, common_name="*.bibi.ch")
+
+    intermediate_cert = create_certificate(
+        intermediate_csr, ca_cert, ca_key, is_intermediate=True)
+
+    save_certificate(intermediate_cert, "intermediate_cert.pem")
+    save_private_key(intermediate_private_key, "intermediate_key.pem")
+
+    with open("full_chain.pem", "wb") as f:
+        f.write(intermediate_cert.public_bytes(serialization.Encoding.PEM))
+        f.write(ca_cert.public_bytes(serialization.Encoding.PEM))
+
+
+if __name__ == "__main__":
+    main()

requirements.txt

+cffi==1.16.0
+cryptography==42.0.8
+pycparser==2.22