1
0
mirror of https://github.com/moepman/acertmgr.git synced 2024-12-29 10:31:49 +01:00

acertmgr: add support for the ocsp must-staple extension

Introduces a new config directive and requires at least cryptography 2.1
This commit is contained in:
Kishi85 2019-03-29 08:37:50 +01:00
parent 07696f5721
commit 54cb334600
4 changed files with 13 additions and 2 deletions

View File

@ -77,6 +77,7 @@ By default the directory (work_dir) containing the working data (csr,certificate
| ca_file | **d**,g | Path to store (and load) the certificate authority file | {cert_dir}/{cert_id}.ca |
| cert_file | **d** | Path to store (and load) the certificate file | {cert_dir}/{cert_id}.crt |
| cert_revoke_superseded | **d**,g | Revoke the previous certificate with reason "superseded" after successful deployment | false |
| cert_must_staple | **d**,g | Generate a certificate (request) with the OCSP must-staple flag (will be honoured on the next newly generated CSR if using csr_static=true) | false |
| key_file | **d**,g | Path to store (and load) the private key file | {cert_dir}/{cert_id}.key |
| mode | **d**,g | Mode of challenge handling used | standalone |
| webdir | **d**,g | [webdir] Put acme challenges into this path | /var/www/acme-challenge/ |

View File

@ -48,7 +48,8 @@ def cert_get(settings):
cr = tools.read_pem_file(csr_file, csr=True)
else:
print('Generating CSR for {}'.format(settings['domainlist']))
cr = tools.new_cert_request(settings['domainlist'], key)
must_staple = str(settings.get('cert_must_staple')).lower() == "true"
cr = tools.new_cert_request(settings['domainlist'], key, must_staple)
tools.write_pem_file(cr, csr_file)
# request cert with csr

View File

@ -131,6 +131,9 @@ def parse_config_entry(entry, globalconfig, runtimeconfig):
# Revoke old certificate with reason superseded after renewal
update_config_value(config, 'cert_revoke_superseded', localconfig, globalconfig, "false")
# Whether to include request for OCSP must-staple in the certificate
update_config_value(config, 'cert_must_staple', localconfig, globalconfig, "false")
# Use a static cert request
update_config_value(config, 'csr_static', localconfig, globalconfig, "false")

View File

@ -53,8 +53,9 @@ def is_cert_valid(cert, ttl_days):
# @brief create a certificate signing request
# @param names list of domain names the certificate should be valid for
# @param key the key to use with the certificate in pyopenssl format
# @param must_staple whether or not the certificate should include the OCSP must-staple flag
# @return the CSR in pyopenssl format
def new_cert_request(names, key):
def new_cert_request(names, key, must_staple=False):
# TODO: There has to be a better way to ensure correct text type (why typecheck, cryptography?)
primary_name = x509.Name([x509.NameAttribute(
NameOID.COMMON_NAME,
@ -66,6 +67,11 @@ def new_cert_request(names, key):
req = x509.CertificateSigningRequestBuilder()
req = req.subject_name(primary_name)
req = req.add_extension(all_names, critical=False)
if must_staple:
if getattr(x509, 'TLSFeature', None):
req = req.add_extension(x509.TLSFeature(features=[x509.TLSFeatureType.status_request]), critical=False)
else:
print('OCSP must-staple ignored as current version of cryptography does not support the flag.')
req = req.sign(key, hashes.SHA256(), default_backend())
return req