[Swan-dev] generating x509 certificates

Antony Antony antony at phenome.org
Wed Feb 4 18:43:18 EET 2015

On Wed, Feb 04, 2015 at 11:02:53AM -0500, Matt Rogers wrote:
> Using pyOpenSSL served to be a lot better for our need than the openssl
> commands, of course, and will make it easier to cover more of the
> certificate code than before. Plus I like writing python a lot more than
> bash :)

I agree. As a small step, I just added pyOpenSSL to .ks Dockerfile and the web page. Hugh and Paul, you guys may want to install pyOpenSSL manually on your host before this change hits mainstream. Otherwise make check will break for you.

> Note that dist_certs.py is only intended to create the certificate batch,
> and any of the NSS db creation, importing, etc. that is needed for an
> individual test is handled by swan-prep with the --x509 option.

As I recollect, there was an issue with "swan-prep --x509" and CA import. The pyOpenSSL + CN + swan-prep did not play well. I forgot to chase Matt to understand this and fix it. I am a proponent of a Python-based script. Where are we with this? I am happy to change swan-prep.

On Fri, Nov 21, 2014 at 04:31:26PM -0500, Matt Rogers wrote:

"I expect that running x509 tests with the dist_certs.py set will need some
minor output adjustments. For example, the NSS db nickname of the root CA when
it comes out of the p12 file will change to its CN from "mainca" or whatever. The
pyOpenSSL methods to create a p12 wouldn't let me change that. So any certutil
-L outputs will change some."
