acertmgr: add support for the ocsp must-staple extension
Introduces a new config directive and requires at least cryptography 2.1
This commit is contained in:
parent
07696f5721
commit
54cb334600
@ -77,6 +77,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
|
||||
| ca_file | **d**,g | Path to store (and load) the certificate authority file | {cert_dir}/{cert_id}.ca |
|
||||
| cert_file | **d** | Path to store (and load) the certificate file | {cert_dir}/{cert_id}.crt |
|
||||
| cert_revoke_superseded | **d**,g | Revoke the previous certificate with reason "superseded" after successful deployment | false |
|
||||
| cert_must_staple | **d**,g | Generate a certificate (request) with the OCSP must-staple flag (will be honoured on the next newly generated CSR if using csr_static=true) | false |
|
||||
| key_file | **d**,g | Path to store (and load) the private key file | {cert_dir}/{cert_id}.key |
|
||||
| mode | **d**,g | Mode of challenge handling used | standalone |
|
||||
| webdir | **d**,g | [webdir] Put acme challenges into this path | /var/www/acme-challenge/ |
|
||||
|
@ -48,7 +48,8 @@ def cert_get(settings):
|
||||
cr = tools.read_pem_file(csr_file, csr=True)
|
||||
else:
|
||||
print('Generating CSR for {}'.format(settings['domainlist']))
|
||||
cr = tools.new_cert_request(settings['domainlist'], key)
|
||||
must_staple = str(settings.get('cert_must_staple')).lower() == "true"
|
||||
cr = tools.new_cert_request(settings['domainlist'], key, must_staple)
|
||||
tools.write_pem_file(cr, csr_file)
|
||||
|
||||
# request cert with csr
|
||||
|
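Review bot: The new `must_staple` value is only consulted on the `else` branch that builds a fresh CSR; on the `cr = tools.read_pem_file(csr_file, csr=True)` branch an operator who set `cert_must_staple=true` together with a static CSR gets a request without the extension and no indication of it at runtime. The README row added in this commit documents that limitation, but a one-line notice at the point it happens would make it visible in logs, e.g. `if str(settings.get('cert_must_staple')).lower() == "true": print('cert_must_staple is ignored for the existing static CSR {}'.format(csr_file))`. The enclosing branch of cert_get starts before this hunk, so the exact placement depends on the lines above it.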
@ -131,6 +131,9 @@ def parse_config_entry(entry, globalconfig, runtimeconfig):
|
||||
# Revoke old certificate with reason superseded after renewal
|
||||
update_config_value(config, 'cert_revoke_superseded', localconfig, globalconfig, "false")
|
||||
|
||||
# Whether to include request for OCSP must-staple in the certificate
|
||||
update_config_value(config, 'cert_must_staple', localconfig, globalconfig, "false")
|
||||
|
||||
# Use a static cert request
|
||||
update_config_value(config, 'csr_static', localconfig, globalconfig, "false")
|
||||
|
||||
|
@ -53,8 +53,9 @@ def is_cert_valid(cert, ttl_days):
|
||||
# @brief create a certificate signing request
|
||||
# @param names list of domain names the certificate should be valid for
|
||||
# @param key the key to use with the certificate in pyopenssl format
|
||||
# @param must_staple whether or not the certificate should include the OCSP must-staple flag
|
||||
# @return the CSR in pyopenssl format
|
||||
def new_cert_request(names, key):
|
||||
def new_cert_request(names, key, must_staple=False):
|
||||
# TODO: There has to be a better way to ensure correct text type (why typecheck, cryptography?)
|
||||
primary_name = x509.Name([x509.NameAttribute(
|
||||
NameOID.COMMON_NAME,
|
||||
@ -66,6 +67,11 @@ def new_cert_request(names, key):
|
||||
req = x509.CertificateSigningRequestBuilder()
|
||||
req = req.subject_name(primary_name)
|
||||
req = req.add_extension(all_names, critical=False)
|
||||
if must_staple:
|
||||
if getattr(x509, 'TLSFeature', None):
|
||||
req = req.add_extension(x509.TLSFeature(features=[x509.TLSFeatureType.status_request]), critical=False)
|
||||
else:
|
||||
print('OCSP must-staple ignored as current version of cryptography does not support the flag.')
|
||||
req = req.sign(key, hashes.SHA256(), default_backend())
|
||||
return req
|
||||
|
||||
|
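Review bot: When `x509.TLSFeature` is absent, the `else` branch after `if getattr(x509, 'TLSFeature', None):` silently degrades: the CSR is still built and signed without the must-staple extension the operator explicitly requested, and the only signal is a `print` to stdout that is easily lost in unattended runs. Since the commit message states that cryptography 2.1 is required for this feature, failing closed is the safer default; replacing the print with `raise ValueError('cert_must_staple requires a cryptography version that provides x509.TLSFeature')` ensures a certificate is never issued with a weaker property than configured. The same applies to the earlier hunk of this function, whose `@param must_staple` comment could state what happens when the extension is unsupported. new_cert_request's body between the two hunks is outside view.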