Add several helpers for creating certificates #1368
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* create private keys * create self signed certficates * create certifcate signing requests * create ca for signing csr The helpers are: * generate_private_key * generate_app_certificate_signing_request * generate_self_signed_app_certificate * sign_certificate_request Test and example are available.
|
Good job! Had prepared the same functions, but didn't find the time to finishe the task. Also a good idea would be to https://github.com/FreeOpcUa/opcua-asyncio/blob/master/examples/generate_certificate.sh change to a python script using these functions? Maybe add the code to same exmaples, where you check if the certificates exists and if not create a new certificate? |
|
@schroeder- yes replacing the script would be nice. This PR is part of a set of security related PRs:
Those where all required for creating a proto of a GDS push/pull client. |
bitkeeper
force-pushed
the
features/generate_certificates
branch
from
2ffc244
to
119d6d7
Compare
|
should some of these methods be exposed/installed as command line? |
|
With these functions we could indeed create a uacert command-line tool or so. But in general, I think, it is a better practice, to let your client/server generate it, if needed (no cert present or invalid self signed) at startup.
|
bitkeeper
added a commit
to bitkeeper/opcua-asyncio
that referenced
this pull request
Aug 8, 2023
With PR FreeOpcUa#1368 some functions are added to create and request certificates. Based on those functions a new helper method `setup_self_signed_certificate` is created. This should make it easy to add basic support to clients and servers for generating automatically certificates. If can generated a private key and self-signed certificate when not already present. When the data range of the certificate is no longer valid it generates a new certificate. Both the examples for client and server use with encryption are updated to demonstrate the use.
bitkeeper
added a commit
to bitkeeper/opcua-asyncio
that referenced
this pull request
Aug 8, 2023
With PR FreeOpcUa#1368 some functions are added to create and request certificates. Based on those functions a new helper method `setup_self_signed_certificate` is created. This should make it easy to add basic support to clients and servers for generating automatically certificates. If can generated a private key and self-signed certificate when not already present. When the data range of the certificate is no longer valid it generates a new certificate. Both the examples for client and server use with encryption are updated to demonstrate the use.
oroulet
pushed a commit
that referenced
this pull request
Aug 9, 2023
With PR #1368 some functions are added to create and request certificates. Based on those functions a new helper method `setup_self_signed_certificate` is created. This should make it easy to add basic support to clients and servers for generating automatically certificates. If can generated a private key and self-signed certificate when not already present. When the data range of the certificate is no longer valid it generates a new certificate. Both the examples for client and server use with encryption are updated to demonstrate the use.
Dimfred
pushed a commit
to Dimfred/opcua-asyncio
that referenced
this pull request
Sep 19, 2023
With PR FreeOpcUa#1368 some functions are added to create and request certificates. Based on those functions a new helper method `setup_self_signed_certificate` is created. This should make it easy to add basic support to clients and servers for generating automatically certificates. If can generated a private key and self-signed certificate when not already present. When the data range of the certificate is no longer valid it generates a new certificate. Both the examples for client and server use with encryption are updated to demonstrate the use.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To encourage the use of certifactes, it should be easy to create certificates from within your opc-asyncio applications.
The PR adds several helpers for creating certificates, that follow the guidelines from OPC 10000-4 6.1 / OPC 10000-6 6.2.2 for ApplicationInstanceCertificate, for the following tasks:
The helpers are:
Test and example are included.