Skip to main content

Simple Certificate Authority for MITM proxies

Project description

Certificate Authority Certificate Maker Tools

https://travis-ci.org/ikreymer/certauth.svg?branch=master https://coveralls.io/repos/ikreymer/certauth/badge.svg?branch=master

This package provides a small library, built on top of pyOpenSSL, which allows for creating a custom certificate authority certificate, and genereating on-demand dynamic host certs using that CA certificate.

It is most useful for use with a man-in-the-middle HTTPS proxy, for example, for recording or replaying web content.

Trusting the CA created by this tool should be used with caution in a controlled setting to avoid security risks.

CertificateAuthority API

The CertificateAuthority class provides an interface to manage a root CA and generate dynamic host certificates suitable for use with the native Python ssl library as well as pyOpenSSL SSL module.

The class provides several options for storing the root CA and generated host CAs.

File-based Certificate Cache

ca = CertificateAuthority('My Custom CA', 'my-ca.pem', cert_cache='/tmp/certs')
cert, key, filename = ca.cert_for_host('example.com', include_cache_key=True)

In this configuration, the root CA is stored at my-ca.pem and dynamically generated certs are placed in /tmp/certs. The filename returned would be /tmp/certs/example.com.pem in this example.

This filename can then be used with the Python ssl.load_cert_chain(certfile) command.

Note that the dynamically created certs are never deleted by certauth, it remains up to the user to handle cleanup occasionally if desired.

In-memory Certificate Cache

ca = CertificateAuthority('My Custom CA', 'my-ca.pem', cert_cache=50)
cert, key = ca.cert_for_host('example.com')

This configuration stores the root CA at my-ca.pem but uses an in-memory certificate cache for dynamically created certs. These certs are stored in an LRU cache, configured to keep at most 50 certs.

The cert and key can then be used with OpenSSL.SSL.Context.use_certificate

context = SSl.Context(...)
context.use_privatekey(key)
context.use_certificate(cert)

Custom Cache

A custom cache implementations which stores and retrieves per-host certificates can also be provided:

ca = CertificateAuthority('My Custom CA', 'my-ca.pem', cert_cache=CustomCache())
cert, key = ca.cert_for_host('example.com')

class CustomCache:
    def __setitem__(self, host, cert_string):
       # store cert_string for host

    def get(self, host):
       # return cached cert_string, if available
       cert_string = ...
       return cert_string

Wildcard Certs

To reduce the number of certs generated, it is convenient to generate wildcard certs.

cert, key = ca.cert_for_host('example.com', wildcard=True)

This will generate a cert for *.example.com.

To automatically generate a wildcard cert for parent domain, use:

cert, key = ca.get_wildcard_cert('test.example.com')

This will also generate a cert for *.example.com

CLI Usage Examples

certauth also includes a simple command-line API for certificate creation and management.

usage: certauth [-h] [-c CERTNAME] [-n HOSTNAME] [-d CERTS_DIR] [-f] [-w]
              root_ca_cert

positional arguments:
  root_ca_cert          Path to existing or new root CA file

optional arguments:
  -h, --help            show this help message and exit
  -c CERTNAME, --certname CERTNAME
                      Name for root certificate
  -n HOSTNAME, --hostname HOSTNAME
                      Hostname certificate to create
  -d CERTS_DIR, --certs-dir CERTS_DIR
                      Directory for host certificates
  -f, --force           Overwrite certificates if they already exist
  -w, --wildcard_cert   add wildcard SAN to host: *.<host>, <host>

To create a new root CA certificate:

certauth myrootca.pem --certname "My Test CA"

To create a host certificate signed with CA certificate in directory certs_dir:

certauth myrootca.pem --hostname "example.com" -d ./certs_dir

If the root cert doesn’t exist, it’ll be created automatically. If certs_dir, doesn’t exist, it’ll be created automatically also.

The cert for example.com will be created as certs_dir/example.com.pem. If it already exists, it will not be overwritten (unless -f option is used).

The -w option can be used to create a wildcard cert which has subject alternate names (SAN) for example.com and *.example.com

History

The CertificateAuthority functionality has evolved from certificate management originally found in the man-in-the-middle proxy pymiproxy by Nadeem Douba.

It was also extended in warcprox by Noah Levitt of Internet Archive.

The CA functionality was also reused in pywb and finally factored out into this separate package for modularity.

It is now also used by wsgiprox to provide a generalized HTTPS proxy wrapper to any WSGI application.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

certauth-1.2.tar.gz (8.0 kB view details)

Uploaded Source

Built Distribution

certauth-1.2-py2.py3-none-any.whl (10.0 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file certauth-1.2.tar.gz.

File metadata

  • Download URL: certauth-1.2.tar.gz
  • Upload date:
  • Size: 8.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for certauth-1.2.tar.gz
Algorithm Hash digest
SHA256 66bc151d49fa75e2384b2cf26107e2fc453f13051d1952f3628ee33b6918d5cc
MD5 0b60046924ec8bee726bb85c1c9307bb
BLAKE2b-256 583621576d42f81c59e40d599924605268283a1d1d1e984774dee66750fea401

See more details on using hashes here.

File details

Details for the file certauth-1.2-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for certauth-1.2-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 6987fca6e4d30a634954e60fed6747a93c5715e87db60d233df9d798a15fe346
MD5 e37dac35ac5b6b10382b6279e8a42310
BLAKE2b-256 dfa0e43be41cc219fed7adfd65e17e8a443e1212d27be151e8a77dfa14f5e6f9

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page