吊销证书时,需要由签发该证书的 CA 用自己的私钥生成并签名一份证书吊销列表(CRL)文件,如 client1.crl,其中记录被吊销证书的序列号;随后把该 CRL 分发给校验方(如服务器),校验方据此拒绝列表中的证书。注意 CRL 是一份完整列表而不是增量:每次重新生成时必须包含此前所有仍应吊销的证书,否则更早吊销的证书会随新 CRL 的发布重新生效。
使用cryptography生成crl文件的方法如下。
from datetime import datetime, timedelta, timezone

# 需要安装 pip install cryptography
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
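def create_crl_file(
    under_revoke_crt_file,
    ca_key_file,
    ca_crt_file,
    crl_file,
    *,
    ca_key_password=None,
    previous_crl_file=None,
    next_update_after=timedelta(hours=4),
):
    """Write a CA-signed certificate revocation list (CRL) that revokes one client certificate.

    Parameters:
        under_revoke_crt_file: path to the PEM client certificate to revoke.
        ca_key_file: path to the PEM private key of the CA that issued that certificate.
        ca_crt_file: path to the PEM certificate of that CA.
        crl_file: path the PEM-encoded CRL is written to (overwritten if present).
        ca_key_password: passphrase (bytes) of the CA key, or None for an unencrypted key.
        previous_crl_file: optional path to the CRL currently in use. Its entries are
            carried over, so certificates revoked earlier stay revoked; without it the
            new CRL lists only this one certificate (a CRL replaces, not extends, the
            previous one at the relying party).
        next_update_after: how long relying parties may cache this CRL before they
            must fetch a fresh one (RFC 5280 nextUpdate). Default four hours.

    Raises:
        ValueError: if the certificate's issuer is not the given CA, i.e. this CA
            could not have issued it and a CRL from it would never match.
        x509 / serialization parsing errors for malformed PEM input.
    """
    with open(ca_crt_file, "rb") as f:
        ca_crt = x509.load_pem_x509_certificate(f.read())
    with open(ca_key_file, "rb") as f:
        ca_key = serialization.load_pem_private_key(f.read(), password=ca_key_password)
    with open(under_revoke_crt_file, "rb") as f:
        target = x509.load_pem_x509_certificate(f.read())

    # Only serial numbers issued by this CA are meaningful in its CRL; refuse to
    # build a list for a certificate that names a different issuer.
    if target.issuer != ca_crt.subject:
        raise ValueError(
            "certificate issuer does not match the CA certificate subject; "
            "refusing to build a CRL for a certificate this CA did not issue"
        )

    # cryptography encodes naive datetimes as UTC. datetime.now() in a non-UTC
    # zone would therefore put thisUpdate hours into the future and relying
    # parties would reject the CRL as not yet valid, so use an aware UTC time.
    now = datetime.now(timezone.utc)

    # Carry over the entries of the CRL currently in circulation, keyed by
    # serial number, and continue its CRL number sequence (RFC 5280 5.2.3).
    revoked = {}
    crl_number = 1
    if previous_crl_file is not None:
        with open(previous_crl_file, "rb") as f:
            previous = x509.load_pem_x509_crl(f.read())
        for entry in previous:
            revoked[entry.serial_number] = entry
        try:
            crl_number = (
                previous.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
                + 1
            )
        except x509.ExtensionNotFound:
            pass

    # revocationDate is the time the CA revoked the certificate; keep the
    # original date if this serial is already on the previous list.
    new_entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(target.serial_number)
        .revocation_date(now)
        .build()
    )
    revoked.setdefault(target.serial_number, new_entry)

    builder = x509.CertificateRevocationListBuilder(
        # The CRL issuer is the CA itself (its subject). ca_crt.issuer would be
        # the *parent* CA for an intermediate, and verification would fail.
        issuer_name=ca_crt.subject,
        last_update=now,
        next_update=now + next_update_after,
        revoked_certificates=list(revoked.values()),
    )

    # Authority Key Identifier lets verifiers pick the right CA key. Prefer the
    # CA's Subject Key Identifier; derive one from its public key if absent.
    try:
        ski = ca_crt.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)
    except x509.ExtensionNotFound:
        aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_crt.public_key())
    builder = builder.add_extension(aki, critical=False)
    builder = builder.add_extension(x509.CRLNumber(crl_number), critical=False)

    # The client certificate was signed by this CA key, so the digest used on it
    # is one this key supports (and is None for Ed25519/Ed448, as sign() requires).
    crl = builder.sign(private_key=ca_key, algorithm=target.signature_hash_algorithm)

    with open(crl_file, "wb") as f:
        f.write(crl.public_bytes(encoding=serialization.Encoding.PEM))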
if __name__ == "__main__":
    # Example run: paths are relative to the working directory and the CA key
    # is loaded without a passphrase, so it must be stored unencrypted.
    files = {
        "under_revoke_crt_file": "client1.tls.crt",
        "ca_key_file": "ca.key",
        "ca_crt_file": "ca.crt",
        "crl_file": "client1.crl",
    }
    create_crl_file(**files)