Chapter 6 ■ tLS/SSL
96
The certs directory also contains several certificates used in the network playground itself (see Chapter 1),
several of which you will use at the command line in this chapter’s examples. The ca.crt certificate, which is a small
self-contained certificate authority that you will tell Python to trust when using the other certificates with TLS, has
signed all of the other certificates.
In brief, certificate creation generally begins with two pieces of information—one human-generated and the
other machine-generated. These are, respectively, a textual description of the entity described by the certificate and
a private key that has been carefully produced using sources of true randomness provided by the operating system.
I usually save the handwritten identity description to a version-controlled file for later reference; however, some
administrators simply type the fields into openssl when prompted for them. As one example, Listing 6-1 shows the
http://www.cnf file used to generate the certificate for the network playground’s http://www.example.com web server.
Listing 6-1. Configuration for an X.509 Certificate for Use by the OpenSSL Command Line
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = us
stateOrProvinceName = New York
localityName = New York
0.organizationName = Example from Apress Media LLC
organizationalUnitName = Foundations of Python Network Programming 3rd Ed
commonName = http://www.example.com
emailAddress = [email protected]
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
Remember that the commonName and any subjectAltName entries (not present in this example) are the crucial
fields that TLS will compare to the hostname to determine whether it is talking to the correct host.
Experts have several opinions today regarding the proper length and type for a private key backing up a
certificate, with some administrators opting for RSA and others preferring Diffie-Hellman. Without entering that
debate, here is a sample command line for creating an RSA key at what is currently considered a quite respectable key
length:
$ openssl genrsa -out http://www.key 4096
Generating RSA private key, 4096 bit long modulus
................................................................................
.............++
.............++
e is 65537 (0x10001)
With these two pieces in place, the administrator is ready to create a certificate-signing request (CSR) for
submission to a certificate authority—whether the administrator’s own or one belonging to a third party.