
declearn.test_utils.generate_ssl_certificates

Generate a self-signed CA and a CA-signed SSL certificate.

This function is intended to be used for testing and/or in demonstration contexts, whereas real-life applications are expected to use certificates signed by a trusted CA.

This function orchestrates calls to the system's openssl command in order to generate self-signed SSL certificate and private-key files that may be used to encrypt network communications, notably for declearn.

More precisely, it generates:
- a self-signed root certificate authority (CA)
- a server certificate signed by the former CA

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| folder | str | Path to the folder where to create the intermediate and final certificate and key PEM files. | '.' |
| c_name | str | Main domain name or IP for which the certificate is created. | 'localhost' |
| password | Optional[str] | Optional password used to encrypt generated private keys. | None |
| alt_ips | Optional[Collection[str]] | Optional list of additional IP addresses to certify. This is only implemented for OpenSSL >= 3.0. | None |
| alt_dns | Optional[Collection[str]] | Optional list of additional domain names to certify. This is only implemented for OpenSSL >= 3.0. | None |

Returns:

| Name | Type | Description |
| --- | --- | --- |
| ca_cert | str | Path to the client-required CA certificate PEM file. |
| sv_cert | str | Path to the server's certificate PEM file. |
| sv_pkey | str | Path to the server's private key PEM file. |

Source code in declearn/test_utils/_gen_ssl.py
import subprocess
from typing import Collection, Optional, Tuple

# gen_ssl_ca, gen_ssl_csr and gen_ssl_cert are the helper routines defined
# alongside this function in declearn/test_utils/_gen_ssl.py (not shown here).


def generate_ssl_certificates(
    folder: str = ".",
    c_name: str = "localhost",
    password: Optional[str] = None,
    alt_ips: Optional[Collection[str]] = None,
    alt_dns: Optional[Collection[str]] = None,
) -> Tuple[str, str, str]:
    """Generate a self-signed CA and a CA-signed SSL certificate.

    This function is intended to be used for testing and/or in
    demonstration contexts, whereas real-life applications are
    expected to use certificates signed by a trusted CA.

    This function orchestrates calls to the system's `openssl`
    command in order to generate and self-sign SSL certificate
    and private-key files that may be used to encrypt network
    communications, notably for declearn.

    More precisely, it generates:
    - a self-signed root certificate authority (CA)
    - a server certificate signed by the former CA

    Parameters
    ----------
    folder: str
        Path to the folder where to create the intermediate
        and final certificate and key PEM files.
    c_name: str
        Main domain name or IP for which the certificate is created.
    password: str or None, default=None
        Optional password used to encrypt generated private keys.
    alt_ips: collection[str] or None, default=None
        Optional list of additional IP addresses to certify.
        This is only implemented for OpenSSL >= 3.0.
    alt_dns: collection[str] or None, default=None
        Optional list of additional domain names to certify.
        This is only implemented for OpenSSL >= 3.0.

    Returns
    -------
    ca_cert: str
        Path to the client-required CA certificate PEM file.
    sv_cert: str
        Path to the server's certificate PEM file.
    sv_pkey: str
        Path to the server's private key PEM file.
    """
    # Check that `openssl` is on the PATH and detect pre-3.0 releases.
    try:
        proc = subprocess.run(
            ["openssl", "version"], check=True, capture_output=True
        )
    except (subprocess.CalledProcessError, FileNotFoundError) as exc:
        raise RuntimeError("Failed to parse openssl version.") from exc
    old = proc.stdout.decode().startswith("OpenSSL 1")
    # Subject alternative names are only supported with OpenSSL >= 3.0.
    if (alt_ips or alt_dns) and old:
        raise RuntimeError(
            "Cannot add subject alternative names with OpenSSL version <3.0."
        )
    # Generate a self-signed root CA.
    ca_cert, ca_pkey = gen_ssl_ca(folder, password)
    # Generate a server CSR and a private key.
    sv_csrq, sv_pkey = gen_ssl_csr(folder, c_name, alt_ips, alt_dns, password)
    # Sign the CSR into a server certificate using the root CA.
    sv_cert = gen_ssl_cert(folder, sv_csrq, ca_cert, ca_pkey, password, old)
    # Return paths that are used by declearn network-communication endpoints.
    return ca_cert, sv_cert, sv_pkey
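The example below is added here and is not declearn's code: `gen_test_pki` re-creates the CA / CSR / CA-signed certificate sequence described above with plain `openssl` calls (it passes the subject alternative names through an `-extfile`, which is assumed to differ from declearn's own helpers, and leaves the private keys unencrypted), and `handshake_ok` shows what the three returned paths are for, namely `sv_cert` and `sv_pkey` on the server side and `ca_cert` as the trust anchor on the client side, with hostname checking deciding whether `c_name` matches. It assumes `openssl` is on the PATH; the function names are mine.

```python
import os
import socket
import ssl
import subprocess
import threading

def gen_test_pki(folder, c_name="localhost"):
    """Constructed stand-in for generate_ssl_certificates: CA + CA-signed server cert via openssl."""
    p = lambda name: os.path.join(folder, name)
    with open(p("san.cnf"), "w") as fh:  # SAN through -extfile (assumed to differ from declearn's route)
        fh.write(f"subjectAltName=DNS:{c_name},IP:127.0.0.1\n")
    for cmd in (
        ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj",
         "/CN=Test Root CA", "-keyout", p("ca-key.pem"), "-out", p("ca-cert.pem")],
        ["req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={c_name}",
         "-keyout", p("sv-key.pem"), "-out", p("sv.csr")],
        ["x509", "-req", "-days", "1", "-in", p("sv.csr"), "-CA", p("ca-cert.pem"),
         "-CAkey", p("ca-key.pem"), "-CAcreateserial", "-extfile", p("san.cnf"),
         "-out", p("sv-cert.pem")],
    ):
        subprocess.run(["openssl", *cmd], check=True, capture_output=True)
    return p("ca-cert.pem"), p("sv-cert.pem"), p("sv-key.pem")  # same order as declearn
def handshake_ok(ca_cert, sv_cert, sv_pkey, server_hostname, trust_ca=True):
    """One loopback TLS handshake; True only if the client accepts the server's certificate."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(sv_cert, sv_pkey)            # server side: sv_cert + sv_pkey
    cli_ctx = ssl.create_default_context()               # CERT_REQUIRED and check_hostname=True
    if trust_ca:
        cli_ctx.load_verify_locations(cafile=ca_cert)    # client side: trust the test CA
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    def serve():  # a client that rejects the cert makes the server handshake raise; swallow it
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"ok")
        except OSError:
            pass
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    try:
        raw = socket.create_connection(listener.getsockname())
        with cli_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return tls.recv(2) == b"ok"
    except ssl.SSLCertVerificationError:  # untrusted issuer or hostname mismatch
        return False
    finally:
        thread.join(timeout=5)
        listener.close()
```

A client that does not load `ca_cert`, or that connects under a name absent from the certificate's SAN list, fails verification, which is exactly the property a declearn endpoint relies on when it is handed these paths.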