add crl and ocsp url to certs

This commit is contained in:
TuxCoder 2020-05-10 15:31:35 +02:00
parent 9517e173d9
commit 88e2b313a3

View file

@ -203,6 +203,23 @@ class Pki(object):
add_extension( add_extension(
x509.SubjectKeyIdentifier.from_public_key(ca_public_key), x509.SubjectKeyIdentifier.from_public_key(ca_public_key),
critical=False).\ critical=False).\
add_extension(
x509.CRLDistributionPoints([
x509.DistributionPoint(
full_name=[x509.UniformResourceIdentifier(f'http://crl.{self._domain}/{ca_name}.crl')],
relative_name=None, crl_issuer=None, reasons=None)
]),
critical=False).\
add_extension(
x509.AuthorityInformationAccess([
x509.AccessDescription(
access_method=x509.AuthorityInformationAccessOID.CA_ISSUERS,
access_location=x509.UniformResourceIdentifier(f'https://www.{self._domain}')),
x509.AccessDescription(
access_method=x509.AuthorityInformationAccessOID.OCSP,
access_location=x509.UniformResourceIdentifier(f'http://ocsp.{self._domain}'))
]),
critical=True).\
sign( sign(
private_key=ca_private_key, private_key=ca_private_key,
algorithm=hashes.SHA256(), algorithm=hashes.SHA256(),