[PYTHON] Let's Encrypt ACME on Alibaba Cloud: Create account key, certificate key, certificate signing request

In this multi-part article, you'll learn how to use the Let's Encrypt ACME version 2 API with **Python** for **SSL certificates**.

Account key

The account key identifies the account requesting certificate service; there is no login/password mechanism. It is very important to keep your account key pair in a safe place, because the account key is used to issue, renew, and revoke your SSL certificates. If you lose your account key, the certificates created under that account can no longer be managed: they cannot be renewed or revoked. In that case you need to create a new account key and issue a new SSL certificate to replace the lost one. If a malicious third party gains access to your account key, they can change the contact email address and revoke your certificates, but they cannot issue a new SSL certificate for your domain, because issuance requires HTTP or DNS validation of the domain name.

I could not find any documentation on the size of the private key. I'm testing with a 4096-bit key size and this works fine.

There are many ways to create an account key. Let's look at two: writing a Python program and using OpenSSL from the command line. An example of how to use the private key is also included.

The first example does not use the pyOpenSSL library; it uses the Crypto package (PyCryptodome), which makes creating a private key very easy. The second example uses pyOpenSSL, which is more complex but offers more options.

make_account_key.py

```python
""" Let's Encrypt ACME Version 2 Examples - Create Account Key """

from Crypto.PublicKey import RSA

filename = 'account.key'

# Generate a 4096-bit RSA key pair
key = RSA.generate(4096)

# Write the private key to account.key in PEM format
with open(filename, 'w') as f:
    f.write(key.exportKey().decode('utf-8'))
```

make_account_key2.py

```python
""" Let's Encrypt ACME Version 2 Examples - Create Account Key (pyOpenSSL) """

from OpenSSL import crypto

filename = 'account.key'

key = crypto.PKey()

# Generate a 4096-bit RSA key pair
key.generate_key(crypto.TYPE_RSA, 4096)

# Serialize the private key in PEM format (returns bytes)
key_material = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)

val = key_material.decode('utf-8')

# Write the private key to account.key
with open(filename, "wt") as f:
    f.write(val)
```

OpenSSL command line example

```shell
openssl genrsa -out account.key 4096
```

OpenSSL command line options

1. genrsa - Generate an RSA private key (PKCS#1 format).
2. -out filename - Write the key to the specified file.
3. 4096 - The size of the generated private key in bits.

View the details of your new account key and confirm that it is valid:

```shell
openssl rsa -in account.key -text -check -noout
```

Extract the public key from the private key.

```shell
openssl rsa -pubout -in account.key -out account.pub
```
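The account key section above stresses that whoever holds account.key can revoke your certificates, and the two openssl commands inspect the key and extract its public half. The following is an added example, not code from the article: it does the same steps with the `cryptography` package (assumed installed with `pip install cryptography`; the article itself uses PyCryptodome and pyOpenSSL), writing the key with mode 0600 and then reloading and checking it the way `openssl rsa -text -check -noout` and `openssl rsa -pubout` would. The output directory and key size are the only parameters; `run_demo` uses a temporary directory when none is given.

```python
"""Added example: generate, store (mode 0600), reload and check an ACME account key.
Uses the `cryptography` package (assumption: it is installed); not the article's code."""

import hashlib
import os
import stat
import tempfile

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_rsa_key(bits=4096):
    """RSA key pair; 65537 is the standard public exponent and `bits`
    mirrors `openssl genrsa -out account.key 4096`."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def save_private_key(key, path):
    """Write the key as PKCS#1 PEM ("BEGIN RSA PRIVATE KEY", the format
    openssl genrsa produces). The file is created with mode 0600 so only the
    owner can read it: anyone holding this key can revoke your certificates."""
    pem = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    return pem


def load_private_key(path):
    with open(path, "rb") as f:
        return serialization.load_pem_private_key(f.read(), password=None)


def public_key_pem(key):
    """Equivalent of `openssl rsa -pubout`: the public half as SubjectPublicKeyInfo PEM."""
    return key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def key_fingerprint(key):
    """SHA-256 over the DER-encoded public key; confirms that the key reloaded
    from disk is the one that was generated."""
    der = key.public_key().public_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return hashlib.sha256(der).hexdigest()


def check_account_key(path, expected_bits=4096):
    """Checks corresponding to `openssl rsa -in account.key -text -check -noout`,
    plus a file-permission check."""
    key = load_private_key(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "bits": key.key_size,
        "size_ok": key.key_size >= expected_bits,
        "mode": mode,
        "mode_ok": mode == 0o600,
        "fingerprint": key_fingerprint(key),
    }


def run_demo(bits=4096, directory=None):
    """Generate, save, reload and check a key; returns the check result."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "account.key")
    key = generate_rsa_key(bits)
    save_private_key(key, path)
    result = check_account_key(path, expected_bits=bits)
    # The reloaded key must be the very key we generated
    result["roundtrip_ok"] = result["fingerprint"] == key_fingerprint(key)
    result["public_pem_ok"] = public_key_pem(key).startswith(b"-----BEGIN PUBLIC KEY-----")
    return result


if __name__ == "__main__":
    print(run_demo())
```

Creating the file with `os.open(..., 0o600)` rather than `open()` followed by `chmod` avoids the window in which a freshly written key is world-readable under the default umask.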

Certificate key

A certificate key is a key pair used to sign a CSR (Certificate Signing Request). It is not the account key, even though both are key pairs. For security reasons, you should not use your account key to sign the CSR. It is common practice to create a new certificate key for each SSL certificate.

Repeat the above example to create a certificate key. The only difference is that the file is named after the domain the certificate is issued for. Change "example.com" to your domain name.

make_certificate_key.py

```python
""" Let's Encrypt ACME Version 2 Examples - Create Certificate Key """

from Crypto.PublicKey import RSA

domainname = "example.com"

# The certificate key is named after the domain, e.g. example.com.key
filename = domainname + '.key'

# Generate a 4096-bit RSA key pair
key = RSA.generate(4096)

# Write the private key in PEM format
with open(filename, 'w') as f:
    f.write(key.exportKey().decode('utf-8'))
```

OpenSSL command line example

```shell
openssl genrsa -out example.com.key 4096
```

OpenSSL command line options

1. genrsa - Generate an RSA private key (PKCS#1 format).
2. -out filename - Write the key to the specified file.
3. 4096 - The size of the generated private key in bits.

CSR-Certificate signing request

A CSR is a file (message) sent to a CA (Certificate Authority, here Let's Encrypt) to apply for an SSL certificate. A CSR can contain details such as the company name, location, and domain name of the applicant. Since Let's Encrypt issues only DV (Domain Validated) certificates, only the domain name is verified, and the generated certificate contains just the domain name and, optionally, a contact email address. Details such as company name and location are not included.

Creating a CSR is easy with OpenSSL. All you need is a domain name and, optionally, an email address. In the following example, replace domainName with your domain name and emailAddress with your email address.

This example omits all subject fields that Let's Encrypt does not handle, such as C, ST, L, O, and OU, and adds the subjectAltName extension that Chrome requires.

make_csr.py

```python
""" Let's Encrypt ACME Version 2 Examples - Create CSR (Certificate Signing Request) """

import OpenSSL

KEY_FILE = "certificate.key"
CSR_FILE = "certificate.csr"

domainName = 'api.neoprime.xyz'
emailAddress = '[email protected]'

def create_csr(pkey, domain_name, email_address):
    """ Generate a certificate signing request """

    # create certificate request
    cert = OpenSSL.crypto.X509Req()

    # Add the email address
    cert.get_subject().emailAddress = email_address

    # Add the domain name (CN); no C/ST/L/O/OU fields are set
    cert.get_subject().CN = domain_name

    # Add the subjectAltName extension (required by Chrome) listing the domain
    san_list = ["DNS:" + domain_name]

    cert.add_extensions([
        OpenSSL.crypto.X509Extension(
            b"subjectAltName",
            False,
            ", ".join(san_list).encode("utf-8"))
    ])

    # Attach the public key and sign the request with the certificate key
    cert.set_pubkey(pkey)
    cert.sign(pkey, 'sha256')

    return cert

# Load the certificate key
with open(KEY_FILE, 'rt') as f:
    data = f.read()

# Load the private key from the certificate.key file
pkey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, data)

# Create the CSR
cert = create_csr(pkey, domainName, emailAddress)

# Write the CSR to a file in PEM format
with open(CSR_FILE, 'wt') as f:
    data = OpenSSL.crypto.dump_certificate_request(OpenSSL.crypto.FILETYPE_PEM, cert)
    f.write(data.decode('utf-8'))
```
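Before sending a CSR to the CA it is worth parsing it back and checking that it really contains only what the previous two paragraphs describe (CN plus subjectAltName, no C/ST/L/O/OU), that its signature verifies, and, per the certificate key section, that it was not signed with the account key. The following is an added example, not the article's make_csr.py: it uses the `cryptography` package (assumed installed) instead of pyOpenSSL, generalises the article's single domain to a list of domains that all land in subjectAltName, and the domains and email address in the demo are constructed sample values.

```python
"""Added example: build a DV-style CSR (CN + subjectAltName only), parse it back
and verify it. Uses the `cryptography` package (assumption: it is installed);
this is not the article's make_csr.py."""

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Subject fields Let's Encrypt does not handle; a clean DV CSR should not carry them.
UNWANTED_SUBJECT_OIDS = (
    NameOID.COUNTRY_NAME,
    NameOID.STATE_OR_PROVINCE_NAME,
    NameOID.LOCALITY_NAME,
    NameOID.ORGANIZATION_NAME,
    NameOID.ORGANIZATIONAL_UNIT_NAME,
)


def new_rsa_key(bits=4096):
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def build_csr(cert_key, domain_names, email_address=None):
    """CSR for one or more domains: the first name becomes the CN and every
    name goes into subjectAltName (generalises make_csr.py's single domain)."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, domain_names[0])]
    if email_address:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email_address))
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name(attrs))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in domain_names]),
            critical=False,
        )
    )
    # Signed with the certificate key; its public half is embedded in the CSR
    return builder.sign(cert_key, hashes.SHA256())


def csr_to_pem(csr):
    return csr.public_bytes(serialization.Encoding.PEM)


def _spki_der(public_key):
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def inspect_csr(pem):
    """Parse a PEM CSR and report what a DV CA will look at."""
    csr = x509.load_pem_x509_csr(pem)
    san = csr.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_ALTERNATIVE_NAME
    ).value
    return {
        "common_name": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "dns_names": san.get_values_for_type(x509.DNSName),
        "unwanted_subject_fields": sum(
            1 for a in csr.subject if a.oid in UNWANTED_SUBJECT_OIDS
        ),
        # The CSR is self-signed with the certificate key; False here means the
        # file was corrupted or the signature does not match the embedded key
        "signature_valid": csr.is_signature_valid,
    }


def csr_uses_key(csr, private_key):
    """True if the CSR's embedded public key belongs to private_key. Run it
    against the account key to confirm the account key was NOT used."""
    return _spki_der(csr.public_key()) == _spki_der(private_key.public_key())


if __name__ == "__main__":
    # Constructed sample values, not real domains or addresses
    account_key = new_rsa_key()
    cert_key = new_rsa_key()
    csr = build_csr(cert_key, ["example.com", "www.example.com"], "admin@example.com")
    print(inspect_csr(csr_to_pem(csr)))
    print("signed with account key:", csr_uses_key(csr, account_key))
```

`csr_uses_key(csr, account_key)` returning True is the condition the certificate key section warns against; `inspect_csr` returning a non-zero `unwanted_subject_fields` count means the CSR still carries subject data the CA will drop anyway.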

Overview

In [Part 3](https://www.alibabacloud.com/blog/let%27s-encrypt-acme-with-alibaba-cloud-api-gateway-and-cdn-%E2%80%93-part-3_593783?spm=a2c65.11461447.0.0.66065dd78S1HZO), the account.key, certificate.key, and certificate.csr files are used with Let's Encrypt to generate and install an SSL certificate for Alibaba Cloud API Gateway and CDN. That part also describes each item of the ACME API.
