What is the difference between these two key files?
For key1.pem, I am using WSL and OpenSSL. First I generate an RSA private key used for signing with this exact command:
openssl genrsa -aes256 -out private.key 1024
Then I create a certificate and private key using this command:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout key1.pem -out cert1.pem -config config.cnf
The config file looks like this:
[req]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = US
stateOrProvinceName = AL
localityName = City
organizationName = Org
commonName = testing.local
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = testing.local
DNS.2 = testing2.local
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
When I use this certificate and key on my device, everything works fine. But the problem is I am trying to move to generating these files with Python (pyOpenSSL) and when I use the cert and key files that are generated from my python script, it doesn't work, and I need to know what I'm getting wrong or missing in the Python version. So for key2.pem, this is how it is generated:
import OpenSSL
from OpenSSL import crypto

# Assumed sample values for names the snippet uses but does not define
# (not from the original script); subject and SAN values mirror config.cnf.
RSA_KEY_SIZE = 1024
NOT_BEFORE = 0                    # seconds relative to now
NOT_AFTER = 365 * 24 * 60 * 60    # one year, matching "-days 365"
HASH_ALGO = "sha256"
CERT_FILE_NAME = "cert2.pem"
PKEY_FILE_NAME = "key2.pem"
data = {
    "C": "US", "ST": "AL", "L": "City", "O": "Org",
    "OU": "Unit", "CN": "testing.local", "emailAddress": "admin@testing.local",
    "isCritical": False,
    "extensions": [b"DNS:testing.local", b"DNS:testing2.local",
                   b"IP:192.168.1.1", b"IP:192.168.1.2"],
    "serial": 1,
}

# create a key pair
private_key = crypto.PKey()
private_key.generate_key(crypto.TYPE_RSA, RSA_KEY_SIZE)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = data["C"]
cert.get_subject().ST = data["ST"]
cert.get_subject().L = data["L"]
cert.get_subject().O = data["O"]
cert.get_subject().OU = data["OU"]
cert.get_subject().CN = data["CN"]
cert.get_subject().emailAddress = data["emailAddress"]
# subjectAltName value is the comma-separated OpenSSL syntax, e.g. "DNS:host, IP:1.2.3.4"
cert.add_extensions(
    [
        OpenSSL.crypto.X509Extension(
            b"subjectAltName",
            data["isCritical"],
            b", ".join(data["extensions"])
        )
    ])
cert.set_serial_number(data["serial"])
cert.gmtime_adj_notBefore(NOT_BEFORE)
cert.gmtime_adj_notAfter(NOT_AFTER)
cert.set_issuer(cert.get_subject())    # self-signed: issuer is the subject
cert.set_pubkey(private_key)
cert.sign(private_key, HASH_ALGO)
with open(CERT_FILE_NAME, "wt") as f:
    f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8"))
with open(PKEY_FILE_NAME, "wt") as f:
    # passphrase= makes dump_privatekey write the key in encrypted PEM form
    f.write(crypto.dump_privatekey(
        crypto.FILETYPE_PEM,
        private_key,
        passphrase=b"pass"
    ).decode("utf-8"))
Do you see anything that the python script is doing differently than the openssl command is?
One difference that I'm not even sure matters is that when I use WSL with OpenSSL, it outputs the private key, then the certificate and key, so I have three files total. When I do the python version, it's only the latter cert and key files. These are the only two files that go onto my device. The formatting/encoding of the key file looks good.