Allow ExtendedKeyUsageOID and alternative names

[craig8]

Wow I am impressed with the amount of time this takes out of generating my own ca and certificates...Fantastic!

I am wondering about adding extended key usages for this for client auth as well as server certificates?

if type == 'server':
# if server cert specify that the certificate can be used as an SSL
# server certificate
cert_builder = cert_builder.add_extension(
x509.ExtendedKeyUsage((ExtendedKeyUsageOID.SERVER_AUTH,)),
critical=False
)
if hostname and fqdn != hostname:
cert_builder = cert_builder.add_extension(
x509.SubjectAlternativeName([DNSName(hostname), DNSName(fqdn)]),
critical=True
)
else:
cert_builder = cert_builder.add_extension(
x509.SubjectAlternativeName([DNSName(fqdn)]),
critical=True
)

elif type == 'client':
    # specify that the certificate can be used as an SSL
    # client certificate to enable TLS Web Client Authentication
    cert_builder = cert_builder.add_extension(
        x509.ExtendedKeyUsage((ExtendedKeyUsageOID.CLIENT_AUTH,)),
        critical=False
    )

[volkerjaenisch]

+1

[volkerjaenisch]

A fork is available https://github.com/Inqbus/ownca which shows the new functionality.

The new functionality is in fact a hack, but it does work.

  cert = ca.issue_certificate(hostname=host_name, common_name=cn, ca=ca_flag, tls_role=tls_role)

with a given tls_role (have a look at the enum) should produce a cert with this feature.

Please give feedback how to proceed from here.

Cheers,
Volker