# TLS Cert/Key Generation for Server and CA

## TLS Chain of Trust (no intermediate)

![image.png](attachment:eacf1662-1c3c-4e48-9ad7-7a08bdfee5f0.png)

https://cryptography.io/en/latest/

In [2]:
import datetime
from cryptography import x509
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.backends import default_backend
from cryptography.x509.oid import NameOID

## CA Configure

Simulate the setup of a Certificate Authority.
Generate: 
- Root CA Private Key
- Root CA Certificate (containing Public Key)

### Generate Root CA Private Key

![image.png](attachment:353f15bd-545e-4288-91ad-777614c20382.png)

In [3]:
ca_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=4096,
    backend=default_backend(),
)

In [4]:
ca_key_pem = ca_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()).decode('utf-8')

In [5]:
print(ca_key_pem)

-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEA9WQO7BZHSGBvlaFwvQqE29YVwI/ErGRcdNlxeepJhYrJ0a4u
gP66HDHb85Z832yA7GKqoRYtj30UCHp4PPFbtTZV8udm5OklhbJI9bKMLYDcmCDl
tiiKQPca9ntLXL5hIMIy/rztWTddfASQ56oS5A2POpwiatxTIzr3Omayv7xHqtr4
1Wi9BltL5rBpVqZVJCn3AMwTT+hFNMC8IRcuPuBkldl6Hmg/70yMlBVmXu62BYUv
rzUESbz2x0paRqCXhjVpS0KgK2+TMfE+S4SCVq/RwhP8x0S9ooWEVp+tKSmpJQJi
XdVwLmsLChUdEhsi2oU+P+KHVwSL1oqIU4aA/PJa1MxdH93/gA8i7CDOUl0YIIGt
Zo9ADYTY3qXbOYQTeQrswPRbU18vPe6sIN01yHnj90m3lzgKEW8HL0DR+TL6EoqP
RoUw+HBW77x4lcgLvyw0WJ18X5Q68PExrCwJZlGlk0qBoYB7nuXBDcvuKNCYpyaL
WfNVf1msmH9lDxYId1p1K8Eftp+ufeshX7ularatOhMojbTDOw+kOUDmmWgFyhL+
d5gtcxpq6Alx6EI4Kj6d6TJKZiCK+dXCAz7XMpEyYv3Lzkfx1dKK8lYTfLhVSOXM
xhrP+Hc1rXYFDwIeYGdAmsFJTSenmPgQTiEoFrZGxwDKJBH3eKsNcCQk0M8CAwEA
AQKCAgAb+zHcZ9nu/dgbdtI1LCrkKnBGid5CThtg056l6TpC+QV0XGk/Gky8hE7x
YrqQe33j9ohAYBgH4ZpUMSrewCLV8gEw9oP8HD3EFgVNxvNHCQeebTnkYJELQWIY
swxv4eGPa7WG6KIj5zVIu/iOAg2vZYBsjXs7Ni5guQuR5D4DsQN3DwsKwquzOtvX
zUvlrofM3OAmfh7BoNmrX0LUfyEt2EZ/89GCAB8yOUdaZ2pJ7uxgisRaNT

### Generate Root Cert

This certificate will be used to sign "server certs"

![image.png](attachment:a8fc701b-8373-4d0e-90cb-c722eeb0b1b0.png)

In [5]:
ca_subject = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Illinois"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Chicago"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Chipy"),
    x509.NameAttribute(NameOID.COMMON_NAME, "myroot.com"),
])

In [6]:
# Self sign
issuer = ca_subject

In [7]:
ca_crt = x509.CertificateBuilder().subject_name(
    ca_subject
).issuer_name(
    issuer
).public_key(
    ca_key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    datetime.datetime.utcnow() + datetime.timedelta(days=365)
).add_extension(
    x509.BasicConstraints(ca=True, path_length=None), 
    critical=True
).sign(ca_key, hashes.SHA256(), default_backend())

In [8]:
ca_crt_pem = ca_crt.public_bytes(serialization.Encoding.PEM).decode('utf-8')

In [9]:
# print(ca_crt_pem)

## Server Setup

Generate:
- Server Private Key
- Server Certificate Signing Request (CSR)

### Generate Server Private Key

![image.png](attachment:f8b352ee-d6fa-405c-906f-f68767f5c027.png)

In [10]:
server_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=4096,
    backend=default_backend(),
)

In [11]:
server_key_pem = server_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()).decode('utf-8')

### Generate Server Certificate Signing Request (CSR)

![image.png](attachment:4264c4e9-1f5d-4627-9a80-c8c880a7a2a7.png)

In [12]:
server_csr_subject = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Illinois"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Chicago"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Chipy"),
    x509.NameAttribute(NameOID.COMMON_NAME, "chipy.org"),
])

server_csr = x509.CertificateSigningRequestBuilder(
).subject_name(
    server_csr_subject
).add_extension(
    x509.SubjectAlternativeName([
        x509.DNSName("www.chipy.org"), 
        x509.DNSName("chipy.org")]), 
    critical=True
).add_extension(
    x509.BasicConstraints(ca=False, path_length=None),
    critical=True,
).sign(
    server_key, hashes.SHA256(), default_backend()
)

In [13]:
server_csr_pem = server_csr.public_bytes(
    encoding=serialization.Encoding.PEM,
).decode('utf-8')

In [14]:
print(server_csr_pem)

-----BEGIN CERTIFICATE REQUEST-----
MIIE4jCCAsoCAQAwVjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCElsbGlub2lzMRAw
DgYDVQQHDAdDaGljYWdvMQ4wDAYDVQQKDAVDaGlweTESMBAGA1UEAwwJY2hpcHku
b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp3ZYPH7Wi5CStoOW
HMYOyQzjrUlEuRd/CXFX/m0nCb7ZytFbhw9u5Hp9SEOlCquvpEl+GuYG74YaTGjJ
E9dlZGtcsmFYxvq/wdzMn2PwthuGIKc3KGbgGN3VQRTo+bek8e0RSRjfrx7s9qtm
/82+0Au/fgxBu5Pt8urGr615QAtyQECvUEfbrSFZd85wfrtku0yLECblGNDK/knP
NJfRqFQoKNssFinfTZtVT8Pu2eTv0/IczJML5ETHDH02BI9uKDrdv5Mku0hurjO6
lNpf2mVFFV6Jr1GN3zPcXOPiNgftHWT8j4T3VhlR+CK0Ceolkqx4uIs66hdck8/3
bva941EPZOO3BWJwDTrZM1nBTEEaDI83advI9B+Mpg1L0pyMojFkszK/OYB/LNlH
E0IIcyUfEdHda2ecIlUnQK06rSCOGmI52iJrt6vPZpyTM+fVewgb8wS9ZiLA0l/P
3Y4rBqjErDoIRoTE2BE6wu+pjlpf9VdqDCLlYy9w/B1IKvY21fnedzucjLHt08rH
RyQ+Hu83SfvkgorV9W/uhlmu0zQxXOJ/Fz0Yy4AcjSWqZJHu5MnKrcFUoEAJF4xo
PS6bni6mqkfA1z96Eo2Slcpq2sb4ImxXhJ0weqE4cVr2gdv5EJe+qKOkTDxxbMkQ
G5DgxGtLBIbvIPK9k4gsP88AKJkCAwEAAaBHMEUGCSqGSIb3DQEJDjE4MDYwJgYD
VR0RAQH/BBwwGoINd3d3LmNoaXB5Lm9yZ4IJY2hpcHkub3JnMAwGA1

In [16]:
# write out the csr
with open("tls2/server_csr.pem", "w") as f:
    f.write(server_csr_pem)

### Generate Server Certificate

Send the CSR to the Root CA

![image.png](attachment:b2d421d9-327a-4782-b127-56814207e460.png)

The Root CA will use the **Server CSR** (containing Server Public Key), the **Root Private Key**, and the **Root Cert** to generate a **Server Certificate**

![image.png](attachment:29a47e01-d1ab-4d0f-ba9c-a869c9f76256.png)

In [17]:
# on the server, read in the csr
server_csr = x509.load_pem_x509_csr(
    open("tls2/server_csr.pem").read().encode(),
    default_backend(),
)

In [18]:
server_subject = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Illinois"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "Chicago"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Chipy"),
    x509.NameAttribute(NameOID.COMMON_NAME, "chipy.org"),
])

In [19]:
server_crt = x509.CertificateBuilder().subject_name(
    server_subject
).issuer_name(
    ca_crt.issuer
).public_key(
    server_csr.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    datetime.datetime.utcnow() + datetime.timedelta(days=365)
).add_extension(
    x509.SubjectAlternativeName([
        x509.DNSName("www.chipy.org"), 
        x509.DNSName("chipy.org")]),
    critical=False
).sign(ca_key, hashes.SHA256(), default_backend())

In [20]:
server_crt_pem = server_crt.public_bytes(
    serialization.Encoding.PEM).decode('utf-8')

In [21]:
print("Subject: ", server_subject)
print("Serial Number: ", server_crt.serial_number)
print("Issuer: ", server_crt.issuer)
print("Extensions: ", server_crt.extensions)

Subject:  <Name(C=US,ST=Illinois,L=Chicago,O=Chipy,CN=chipy.org)>
Serial Number:  723817142572181388919266965028146052915645252557
Issuer:  <Name(C=US,ST=Illinois,L=Chicago,O=Chipy,CN=myroot.com)>
Extensions:  <Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)>, critical=False, value=<SubjectAlternativeName(<GeneralNames([<DNSName(value='www.chipy.org')>, <DNSName(value='chipy.org')>])>)>)>])>


In [22]:
print(server_crt_pem)

-----BEGIN CERTIFICATE-----
MIIFYjCCA0qgAwIBAgIUfskVTU4I7TwT2aq2sHoOSf2CA80wDQYJKoZIhvcNAQEL
BQAwVzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCElsbGlub2lzMRAwDgYDVQQHDAdD
aGljYWdvMQ4wDAYDVQQKDAVDaGlweTETMBEGA1UEAwwKbXlyb290LmNvbTAeFw0y
MjAxMTMwNTAzNDlaFw0yMzAxMTMwNTAzNDlaMFYxCzAJBgNVBAYTAlVTMREwDwYD
VQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEOMAwGA1UECgwFQ2hpcHkx
EjAQBgNVBAMMCWNoaXB5Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAKd2WDx+1ouQkraDlhzGDskM461JRLkXfwlxV/5tJwm+2crRW4cPbuR6fUhD
pQqrr6RJfhrmBu+GGkxoyRPXZWRrXLJhWMb6v8HczJ9j8LYbhiCnNyhm4Bjd1UEU
6Pm3pPHtEUkY368e7ParZv/NvtALv34MQbuT7fLqxq+teUALckBAr1BH260hWXfO
cH67ZLtMixAm5RjQyv5JzzSX0ahUKCjbLBYp302bVU/D7tnk79PyHMyTC+RExwx9
NgSPbig63b+TJLtIbq4zupTaX9plRRVeia9Rjd8z3Fzj4jYH7R1k/I+E91YZUfgi
tAnqJZKseLiLOuoXXJPP9272veNRD2TjtwVicA062TNZwUxBGgyPN2nbyPQfjKYN
S9KcjKIxZLMyvzmAfyzZRxNCCHMlHxHR3WtnnCJVJ0CtOq0gjhpiOdoia7erz2ac
kzPn1XsIG/MEvWYiwNJfz92OKwaoxKw6CEaExNgROsLvqY5aX/VXagwi5WMvcPwd
SCr2NtX53nc7nIyx7dPKx0ckPh7vN0n75IKK1fVv7oZZrtM0MVzifxc9GMuAHI

The CA Sends the Server Certificate back (for installation on the server)

![image.png](attachment:c8180ab6-cb25-4f48-9f34-b2cfd35f5c00.png)

In [None]:
server_crt = x509.CertificateBuilder().subject_name(
    server_subject
).issuer_name(
    ca_crt.issuer
).public_key(
    server_key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    datetime.datetime.utcnow()
).not_valid_after(
    datetime.datetime.utcnow() + datetime.timedelta(days=365)
).add_extension(
    x509.SubjectAlternativeName([x509.DNSName("www.chipy.org"), x509.DNSName("chipy.org")]),
    critical=False
).sign(ca_key, hashes.SHA256(), default_backend())

In [None]:
server_crt_pem = server_crt.public_bytes(serialization.Encoding.PEM).decode('utf-8')

In [None]:
print(server_crt_pem)