In [1]:
import getpass
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID

See the `NameOID` reference for the attribute types used in the subject name below: https://cryptography.io/en/latest/x509/reference/#cryptography.x509.oid.NameOID

Also see the `CertificateSigningRequestBuilder` reference: https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateSigningRequestBuilder

In [2]:
# Assemble an unsigned certificate signing request (CSR) builder.

# Subject distinguished name: who is asking for the certificate.
subject_attributes = [
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Alabama"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"Birmingham"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
]

# Subject Alternative Name entries: every hostname the certificate should
# cover. TLS clients match hostnames against the SAN list, so the name used
# as COMMON_NAME above is repeated here.
requested_hostnames = [
    u"mysite.com",
    u"www.mysite.com",
    u"subdomain.mysite.com",
]
san_extension = x509.SubjectAlternativeName(
    [x509.DNSName(hostname) for hostname in requested_hostnames]
)

builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(x509.Name(subject_attributes))
# critical=False: the extension is requested as non-critical.
builder = builder.add_extension(san_extension, critical=False)

In [3]:
from cryptography.hazmat.primitives.serialization import load_pem_private_key

In [4]:
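# Load the encrypted private key that will sign the CSR.
#
# The passphrase is read from the environment or prompted for interactively,
# so it is never stored in the notebook source, its saved outputs, or version
# control. KEY_PASSPHRASE is an example variable name; substitute whatever
# your environment or secrets manager provides.
private_key = None  # reset first so a failed load cannot leave a key from an earlier run in scope
key_passphrase = os.environ.get("KEY_PASSPHRASE") or getpass.getpass(
    "Passphrase for key.pem: "
)
try:
    with open("key.pem", "rb") as key_file:
        private_key = load_pem_private_key(
            key_file.read(),
            password=key_passphrase.encode("utf-8"),
        )
finally:
    # Drop the name so the passphrase is not left sitting in the kernel
    # namespace (this does not scrub process memory).
    del key_passphrase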

In [5]:
# Sign the request with our private key, using SHA-256 as the digest.
# The result is the finished CSR object.
digest_algorithm = hashes.SHA256()
csr = builder.sign(private_key, digest_algorithm)

In [7]:
# Write the signed CSR to disk in PEM form. Only the request is serialized
# here; the private key is not written by this cell.
with open("csr.pem", "wb") as csr_file:
    pem_encoded = csr.public_bytes(serialization.Encoding.PEM)
    csr_file.write(pem_encoded)