wzj/certmanager
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

修复根证书信任问题

Browse Source
This commit is contained in:
wzj 2025-06-15 06:51:55 +08:00
parent 1ad7b4f642
commit 35165bd58b
1 changed files with 66 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
app.py
View File

@ -300,16 +300,43 @@ def create_ca(ca_name, common_name, organization, organizational_unit, country,
key_path = os.path.join(ca_dir, f"{common_name}.key")
cert_path = os.path.join(ca_dir, f"{common_name}.crt")
# 创建OpenSSL配置文件
openssl_cnf = f"""
[ req ]
default_bits = {key_size}
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
C = {country}
ST = {state}
L = {locality}
O = {organization}
OU = {organizational_unit}
CN = {common_name}
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, cRLSign
"""
config_path = os.path.join(ca_dir, 'openssl.cnf')
with open(config_path, 'w') as f:
f.write(openssl_cnf.strip())
# 生成CA私钥
subprocess.run([
'openssl', 'genrsa', '-out', key_path, str(key_size)
], check=True)
# 生成CA自签名证书
# 生成CA自签名证书(使用配置文件)
subprocess.run([
'openssl', 'req', '-new', '-x509', '-days', str(days_valid),
'-key', key_path, '-out', cert_path,
'-subj', f'/CN={common_name}/O={organization}/OU={organizational_unit}/C={country}/ST={state}/L={locality}'
'-config', config_path
], check=True)
# 保存到数据库
@ -362,14 +389,8 @@ default_bits = {key_size}
prompt = no
default_md = sha256
distinguished_name = dn
"""
req_extensions = req_ext
# 只有在有SAN时才添加扩展部分
has_san = bool(san_dns or san_ip)
if has_san:
csr_config += "req_extensions = req_ext\n"
csr_config += f"""
[dn]
CN = {common_name}
O = {organization}
@ -377,26 +398,25 @@ OU = {organizational_unit}
C = {country}
ST = {state}
L = {locality}
"""
if has_san:
csr_config += """
[req_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth, clientAuth
[alt_names]"""
# 添加DNS SAN条目
if san_dns:
dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()]
for i, dns in enumerate(dns_entries, 1):
csr_config += f"\nDNS.{i} = {dns}"
# 添加SAN条目
if san_dns:
dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()]
for i, dns in enumerate(dns_entries, 1):
csr_config += f"\nDNS.{i} = {dns}"
# 添加IP SAN条目
if san_ip:
ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()]
for i, ip in enumerate(ip_entries, 1):
csr_config += f"\nIP.{i} = {ip}"
if san_ip:
ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()]
for i, ip in enumerate(ip_entries, 1):
csr_config += f"\nIP.{i} = {ip}"
# 确保配置文件不以空行结尾
csr_config = csr_config.strip()
@ -417,12 +437,34 @@ subjectAltName = @alt_names
print(csr_config)
return None
# 使用CA签名证书
# 使用CA签名证书(添加-extfile参数
try:
# 创建扩展配置文件
ext_config = f"""
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth, clientAuth
subjectAltName=@alt_names
[alt_names]"""
if san_dns:
for i, dns in enumerate(dns_entries, 1):
ext_config += f"\nDNS.{i} = {dns}"
if san_ip:
for i, ip in enumerate(ip_entries, 1):
ext_config += f"\nIP.{i} = {ip}"
ext_path = os.path.join(cert_dir, 'ext.cnf')
with open(ext_path, 'w') as f:
f.write(ext_config.strip())
subprocess.run([
'openssl', 'x509', '-req', '-in', csr_path, '-CA', ca['cert_path'],
'-CAkey', ca['key_path'], '-CAcreateserial', '-out', cert_path,
'-days', str(days_valid), '-sha256'
'-days', str(days_valid), '-sha256', '-extfile', ext_path
], check=True)
except subprocess.CalledProcessError as e:
print(f"签名证书错误: {e}")