Certificate revocation with python cryptography

假装没事ソ submitted on 2020-12-13 03:08:21

Question


I'm trying to make a certificate revocation list using the python cryptography library. So far I haven't been successful. I am able to generate the certificates with the same library. The certificates work because I am able to use them for a connection with MQTT. The problem is when I try to revoke one of the certificates. Then no connection works and I receive an error:

It would be nice if someone could tell me what I am doing wrong.

Thanks in advance.

This is my code:

import datetime

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization

# THIS CERTIFICATE I WANT TO REVOKE
cert_to_revoke_data = open("openssl/client2.crt", "rb").read()
cert_to_revoke = x509.load_pem_x509_certificate(cert_to_revoke_data,
                                                backend=default_backend())

pem_cert = open("openssl/ca.crt", "rb").read()          # MY CA CERT
ca_crt = x509.load_pem_x509_certificate(pem_cert, default_backend())

pem_key = open("openssl/ca.key", "rb").read()           # MY CA KEY
ca_key = serialization.load_pem_private_key(pem_key,
                                            password=b"test",
                                            backend=default_backend())

pem_crl_data = open("openssl/ca.crl", "rb").read()      # READ MY EMPTY CRL
crl = x509.load_pem_x509_crl(pem_crl_data, backend=default_backend())

# cryptography treats naive datetimes as UTC; a local-time now() on a host
# east of UTC would stamp a lastUpdate that is still in the future, which
# makes verifiers reject the CRL as not yet valid
now = datetime.datetime.now(datetime.timezone.utc)

builder = x509.CertificateRevocationListBuilder()
builder = builder.last_update(now)
builder = builder.next_update(now + datetime.timedelta(days=1))

# The CRL issuer is the CA's subject name (equal to ca_crt.issuer only
# because this CA is self-signed)
builder = builder.issuer_name(ca_crt.subject)

# Carry over entries already in the existing CRL; otherwise they would be
# silently un-revoked when the file is overwritten below
for already_revoked in crl:
    builder = builder.add_revoked_certificate(already_revoked)

revoked_cert = x509.RevokedCertificateBuilder()\
    .serial_number(cert_to_revoke.serial_number)\
    .revocation_date(now)\
    .build(backend=default_backend())    # ADD SERIAL NUMBER OF
                                         # CERTIFICATE I WANT TO REVOKE

builder = builder.add_revoked_certificate(revoked_cert)

cert_revocation_list = builder.sign(private_key=ca_key,
                                    algorithm=hashes.SHA256(),
                                    backend=default_backend())  # SIGN NEW CRL

# SAVE CRL FILE
with open("openssl/ca.crl", "wb") as f:
    f.write(cert_revocation_list.public_bytes(serialization.Encoding.PEM))

EDIT

Here is a detailed example of how to use cryptography: github
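The following is an added, self-contained example (not the asker's code and not taken from the cryptography project) of the whole revocation flow the question is about: it generates a throwaway CA and two client certificates in memory, issues a CRL revoking the first, reloads that CRL from PEM and issues a new one that adds the second while carrying the earlier entry forward, then checks the result the way a verifier would (CRL signature against the CA key, issuer name, per-serial lookup). All names, key sizes and validity periods are assumptions chosen for the demonstration; timestamps are timezone-aware UTC so the CRL is never dated in the future.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _now():
    # cryptography converts aware datetimes to naive UTC internally
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="Example Test CA"):
    """Generate a self-signed CA with CRL-signing permission (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, common_name):
    """Issue an end-entity certificate signed by the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)          # issuer == CA subject, not CA issuer
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def build_crl(ca_key, ca_cert, previous_crl, newly_revoked,
              reason=x509.ReasonFlags.key_compromise):
    """Issue a fresh CRL: keep every entry of previous_crl, add newly_revoked certs."""
    now = _now()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=1))
        # AKI lets verifiers match the CRL to the CA key that signed it
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()),
                       critical=False)
    )
    if previous_crl is not None:
        for entry in previous_crl:             # never drop earlier revocations
            builder = builder.add_revoked_certificate(entry)
    for cert in newly_revoked:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number)
            .revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    """Revoke client1, reload the PEM CRL, revoke client2 on top, and check the result."""
    ca_key, ca_cert = make_ca()
    _, client1 = issue_client_cert(ca_key, ca_cert, "client1")
    _, client2 = issue_client_cert(ca_key, ca_cert, "client2")

    crl1 = build_crl(ca_key, ca_cert, None, [client1])
    reloaded = x509.load_pem_x509_crl(crl1.public_bytes(serialization.Encoding.PEM))
    crl2 = build_crl(ca_key, ca_cert, reloaded, [client2])

    return {
        "sig_ok": crl2.is_signature_valid(ca_cert.public_key()),
        "issuer_ok": crl2.issuer == ca_cert.subject,
        "n_revoked": len(crl2),
        "client1_revoked": is_revoked(crl2, client1),
        "client2_revoked": is_revoked(crl2, client2),
        "ca_revoked": is_revoked(crl2, ca_cert),
    }


if __name__ == "__main__":
    print(demo())
```

To check a CRL file written this way from the command line, `openssl crl -in ca.crl -noout -text` shows the issuer, lastUpdate/nextUpdate and the revoked serials, and `openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl client2.crt` should fail for the revoked certificate and succeed for an unrevoked one; a CRL whose lastUpdate is in the future, or whose issuer does not match the CA subject, makes that check fail for every certificate, not just the revoked one.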

Source: https://stackoverflow.com/questions/64736890/certificate-revocation-with-python-cryptography
