Skip to content
基于Tornado和OpenSSL的CA证书服务器
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
__pycache__
demo
.gitignore
LICENSE
README.md
app.py
common.py
config.py.example
gencert.py
handler.py
revoke.py

README.md

OpenSSL CA Server By Tornado

用于私有网络中自建CA中心并进行证书的签发和认证


更新日志

2019-06-28 v1.2

  • 增加日志(默认项目根目录下的ca_server.log
  • 删除签发证书api下的csr_name字段
  • 修改handler类下的请求处理函数为异步
  • 杀臭虫

2019-06-25 v1.1

  • 使用aes-256-cfb代替fingerprint的验证方式
  • 杀死了部分臭虫

2019-06-04 v1.0

  • 初始版本,完成各个接口
Method API URL Remarks Status
GET /api/ca/cacert 获取CA中心的根证书 ✔️
GET /api/ca/crl 获取CA中心的CRL ✔️
POST /api/ca/sign 签发证书 ✔️
DELETE /api/ca/revoke 吊销证书 ✔️

获取CA根证书

URL

GET /api/ca/cacert

Response 200:

HTTP/1.1 200 OK
Server: TornadoServer/6.0.2
Content-Type: application/x-pem-file
Date: Mon, 03 Jun 2019 07:11:40 GMT
Content-Disposition: attachment; filename=cacert.pem
Etag: "234847b704fa446e60c766c8e2a4d1225ed3e404"
Content-Length: 2114
Connection: close

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Response 404:

未找到根证书

获取CA的CRL

URL

GET /api/ca/crl

Response 200:

HTTP/1.1 200 OK
Server: TornadoServer/6.0.2
Content-Type: application/x-pem-file
Date: Mon, 03 Jun 2019 07:57:27 GMT
Content-Disposition: attachment; filename=ca_crl.pem
Etag: "1a35bbbeff23273b9d435833d443267eca5229fd"
Content-Length: 1060
Connection: close

-----BEGIN X509 CRL-----
...
-----END X509 CRL-----

Response 404:

v1.1以后不会返回404,如果CRL找不到会自动生成

签发证书

URL

POST /api/ca/sign

Parameters

  • csr_body: 用aes-256-cfb加密后的base64格式的X509Req

Response 200:

此处为了方便,不通过状态码区分返回结果,状态码一律返回200

签发失败将返回:

{
  status: -1,
  msg: "ERROR Message"
}

message的具体信息如下表:

status message Remarks
-1 [Request error]: Missing parameters! 必要参数缺失
[Request error]: 'csr_body' field must be base64 type! csr_body不是base64格式
[ERROR]: Something is error with signing processing! 签发证书超时 | 签发失败
[ERROR]: Please do not repeat the application for certificate! 重复签发
[ERROR]: Wrong certificate request (X509Req) format! csr文件格式不正确,无法加载

签发成功将返回:

{
  status: 0,
  cert: "[Your Cert Data]"
}

吊销证书

URL

DELETE /api/ca/revoke

Parameters

有两种模式:通过序列号(证书丢失)和证书来进行吊销操作

  • serial: 需要吊销的证书序列号(与cert二选一),需为16进制格式
  • cert: 需要吊销的证书(与serial二选一)

注意:serial和cert都必须为用aes-256-cfb加密后的base64格式

Response 200:

状态码一律返回200

吊销失败将返回:

{
  status: -1,
  msg: '[ERROR Message]'
}

其中error message具体信息如下表:

status message Remarks
-1 [Request error]: Missing parameters! 必要参数缺失
[ERROR]: Wrong certificate format! 证书格式不正确
[ERROR]: This may be an invalid serial number! 证书序列号无效
[ERROR]: This certificate is revoked! 该证书已经被吊销
[ERROR]: Revoke failed, unknown error! 吊销失败,未知错误

吊销成功则返回:

其中Serial Number为已吊销证书的序列号,以16进制表示

{
  "status": 0,
  "msg": "Revoke Certificate success!",
  "Serial Number": "3166306230653066383662636431643b"
}
You can’t perform that action at this time.