From 88e2b313a37ae0a83413c1e57e917f46586a9522 Mon Sep 17 00:00:00 2001
From: TuxCoder
Date: Sun, 10 May 2020 15:31:35 +0200
Subject: [PATCH] add crl and ocsp url to certs

---
 lenticular_cloud/pki.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lenticular_cloud/pki.py b/lenticular_cloud/pki.py
index a2ca9a1..1acfc2b 100644
--- a/lenticular_cloud/pki.py
+++ b/lenticular_cloud/pki.py
@@ -203,6 +203,23 @@ class Pki(object):
 add_extension(
 x509.SubjectKeyIdentifier.from_public_key(ca_public_key),
 critical=False).\
+ add_extension(
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(f'http://crl.{self._domain}/{ca_name}.crl')],
+ relative_name=None, crl_issuer=None, reasons=None)
+ ]),
+ critical=False).\
+ add_extension(
+ x509.AuthorityInformationAccess([
+ x509.AccessDescription(
+ access_method=x509.AuthorityInformationAccessOID.CA_ISSUERS,
+ access_location=x509.UniformResourceIdentifier(f'https://www.{self._domain}')),
+ x509.AccessDescription(
+ access_method=x509.AuthorityInformationAccessOID.OCSP,
+ access_location=x509.UniformResourceIdentifier(f'http://ocsp.{self._domain}'))
+ ]),
+ critical=True).\
 sign(
 private_key=ca_private_key,
 algorithm=hashes.SHA256(),
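Review bot: The AuthorityInformationAccess extension is added with `critical=True` on the last added line, but RFC 5280 §4.2.2.1 requires conforming CAs to mark AIA non-critical, and a relying party that does not process AIA must reject a certificate carrying an unrecognised critical extension, so the issued certificates may fail validation in stricter clients; change that line to `critical=False).\` to match the CRLDistributionPoints extension just above it. The caIssuers access location `https://www.{self._domain}` looks like a site root rather than a URL that returns the issuing CA certificate in DER form, which is what clients chasing caIssuers fetch — confirm what that endpoint serves, and consider pointing it at the CA certificate file directly. The plain-http scheme for the CRL and OCSP URLs is the conventional choice (it avoids a TLS bootstrap dependency on the same CA) and is fine as written. The builder chain begins above the hunk and the enclosing method continues past it.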