/usr/share/doc/ganeti/html/design-x509-ca.html is in ganeti-doc 2.16.0~rc2-1build1.
This file is owned by root:root, with mode 0o644.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Design for a X509 Certificate Authority — Ganeti 2.16.0~rc2 documentation</title>
<link rel="stylesheet" href="_static/style.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: './',
VERSION: '2.16.0~rc2',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Design for replacing Ganeti’s HTTP server" href="design-http-server.html" />
<link rel="prev" title="Design document drafts" href="design-draft.html" />
</head>
<body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="design-http-server.html" title="Design for replacing Ganeti’s HTTP server"
accesskey="N">next</a></li>
<li class="right" >
<a href="design-draft.html" title="Design document drafts"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="index.html">Ganeti 2.16.0~rc2 documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="design-draft.html" accesskey="U">Design document drafts</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="design-for-a-x509-certificate-authority">
<h1><a class="toc-backref" href="#id1">Design for a X509 Certificate Authority</a><a class="headerlink" href="#design-for-a-x509-certificate-authority" title="Permalink to this headline">¶</a></h1>
<table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Created:</th><td class="field-body">2011-Mar-23</td>
</tr>
<tr class="field-even field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
</tr>
</tbody>
</table>
<div class="contents topic" id="contents">
<p class="topic-title first">Contents</p>
<ul class="simple">
<li><a class="reference internal" href="#design-for-a-x509-certificate-authority" id="id1">Design for a X509 Certificate Authority</a><ul>
<li><a class="reference internal" href="#current-state-and-shortcomings" id="id2">Current state and shortcomings</a></li>
<li><a class="reference internal" href="#proposed-changes" id="id3">Proposed changes</a></li>
<li><a class="reference internal" href="#software-requirements" id="id4">Software requirements</a></li>
<li><a class="reference internal" href="#code-samples" id="id5">Code samples</a><ul>
<li><a class="reference internal" href="#generating-x509-ca-using-pyopenssl" id="id6">Generating X509 CA using pyOpenSSL</a></li>
<li><a class="reference internal" href="#signing-x509-certificate-using-ca" id="id7">Signing X509 certificate using CA</a></li>
<li><a class="reference internal" href="#how-to-generate-certificate-signing-request" id="id8">How to generate Certificate Signing Request</a></li>
<li><a class="reference internal" href="#x509-certificate-from-certificate-signing-request" id="id9">X509 certificate from Certificate Signing Request</a></li>
<li><a class="reference internal" href="#verify-whether-x509-certificate-matches-private-key" id="id10">Verify whether X509 certificate matches private key</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<div class="section" id="current-state-and-shortcomings">
<h2><a class="toc-backref" href="#id2">Current state and shortcomings</a><a class="headerlink" href="#current-state-and-shortcomings" title="Permalink to this headline">¶</a></h2>
<p>Import/export in Ganeti has a need for many unique X509 certificates.
So far these were all self-signed, but with the <a class="reference internal" href="design-impexp2.html"><span class="doc">new design for
import/export</span></a> they need to be signed by a Certificate
Authority (CA).</p>
</div>
<div class="section" id="proposed-changes">
<h2><a class="toc-backref" href="#id3">Proposed changes</a><a class="headerlink" href="#proposed-changes" title="Permalink to this headline">¶</a></h2>
<p>The plan is to implement a simple CA in Ganeti.</p>
<p>Interacting with an external CA is too difficult or impossible for
automated processes like exporting instances, so each Ganeti cluster
will have its own CA. The public key will be stored in
<code class="docutils literal"><span class="pre">…/lib/ganeti/ca/cert.pem</span></code>, the private key (only readable by the
master daemon) in <code class="docutils literal"><span class="pre">…/lib/ganeti/ca/key.pem</span></code>.</p>
<p>Similar to the RAPI certificate, a new CA certificate can be installed
using the <code class="docutils literal"><span class="pre">gnt-cluster</span> <span class="pre">renew-crypto</span></code> command. Such a CA could be an
intermediate of a third-party CA. By default a self-signed CA is
generated and used.</p>
<p id="x509-ca-serial">Each certificate signed by the CA is required to have a unique serial
number. The serial number is stored in the file
<code class="docutils literal"><span class="pre">…/lib/ganeti/ca/serial</span></code>, replicated to all master candidates and
never reset, even when a new CA is installed.</p>
<p>The threat model is expected to be the same as with self-signed
certificates. To reinforce this, all certificates signed by the CA must
be valid for less than one week (168 hours).</p>
<p>Implementing support for Certificate Revocation Lists (CRL) using
OpenSSL is non-trivial. Lighttpd doesn’t support them at all and
<a class="reference external" href="http://redmine.lighttpd.net/issues/2278">apparently never will in version 1.4.x</a>. Some CRL-related parts have
only been added in the most recent version of pyOpenSSL (0.11). Instead
of a CRL, Ganeti will gain a new cluster configuration property defining
the minimum accepted serial number. In case of a lost or compromised
private key this property can be set to the most recently generated
serial number.</p>
<p>Other X509 certificates used by the cluster (e.g. RAPI or inter-node
communication) will not be automatically signed by the per-cluster CA,
although this could be implemented in the future.</p>
<p>The <code class="docutils literal"><span class="pre">commonName</span></code> attribute of signed certificates must be set to
the cluster name or the name of a node in the cluster.</p>
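<p>The rules above (serial numbers that are unique and never reset, the minimum accepted serial number standing in for a CRL, validity of less than 168 hours, and the commonName restriction) carried into working checks, as an added example that is not code from the Ganeti code base. It is plain Python without a pyOpenSSL dependency; the function names, the serial file holding a single decimal integer, and time values in the "YYYYMMDDhhmmssZ" form that pyOpenSSL's X509.get_notBefore()/get_notAfter() return are assumptions of this example.</p>

```python
"""Policy checks from the Ganeti X509 CA design, written as an added example.

Assumed (not taken from the design document): the function names below,
the serial file holding one decimal integer, and time values in the
"YYYYMMDDhhmmssZ" form that pyOpenSSL's X509.get_notBefore() and
get_notAfter() return.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta

# Design rule: certificates signed by the cluster CA are valid for less
# than one week (168 hours).
MAX_VALIDITY = timedelta(hours=168)

_ASN1_UTC = re.compile(r"^(\d{14})Z$")


def parse_asn1_time(value):
    """Parse a UTC ASN.1 time such as b"20110323120000Z" into a datetime."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    match = _ASN1_UTC.match(value)
    if not match:
        raise ValueError("unsupported time format: %r" % (value,))
    return datetime.strptime(match.group(1), "%Y%m%d%H%M%S")


def allocate_serial(path):
    """Return the next serial number and persist it in the serial file.

    The counter is only ever incremented, matching the design's rule that
    the serial file is never reset, even when a new CA is installed.  The
    write goes through a temporary file and an atomic rename so that a
    crash cannot roll the counter back and cause a serial to be reused.
    """
    try:
        with open(path) as fh:
            current = int(fh.read().strip() or "0")
    except FileNotFoundError:
        current = 0
    new_serial = current + 1
    tmp_path = path + ".tmp"
    with open(tmp_path, "w") as fh:
        fh.write("%d\n" % new_serial)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp_path, path)
    return new_serial


def check_policy(common_name, serial, not_before, not_after,
                 cluster_name, node_names, min_serial):
    """Return the design-policy violations for a CA-signed certificate.

    An empty list means the certificate is acceptable.  min_serial is the
    cluster's minimum accepted serial number: raising it past the serial of
    a certificate whose key was lost or compromised takes the place of a CRL.
    """
    problems = []
    if serial < min_serial:
        problems.append("serial %d is below the accepted minimum %d"
                        % (serial, min_serial))
    start, end = parse_asn1_time(not_before), parse_asn1_time(not_after)
    if end <= start:
        problems.append("notAfter does not lie after notBefore")
    elif end - start >= MAX_VALIDITY:
        problems.append("validity of %s is not less than 168 hours"
                        % (end - start))
    # commonName must be the cluster name or the name of a cluster node.
    if common_name != cluster_name and common_name not in node_names:
        problems.append("commonName %r is neither the cluster nor a node name"
                        % (common_name,))
    return problems


def demo_serial_counter(count):
    """Allocate `count` serials in a scratch directory; returns them in order."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "serial")
        return [allocate_serial(path) for _ in range(count)]
```

<p>A certificate whose validity is exactly 168 hours is rejected, since the design requires strictly less than one week.</p>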
</div>
<div class="section" id="software-requirements">
<h2><a class="toc-backref" href="#id4">Software requirements</a><a class="headerlink" href="#software-requirements" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>pyOpenSSL 0.10 or above (lower versions can’t set the X509v3 extension
<code class="docutils literal"><span class="pre">subjectKeyIdentifier</span></code> recommended for certificate authority
certificates by <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3280.html"><strong>RFC 3280</strong></a>, section 4.2.1.2)</li>
</ul>
</div>
<div class="section" id="code-samples">
<h2><a class="toc-backref" href="#id5">Code samples</a><a class="headerlink" href="#code-samples" title="Permalink to this headline">¶</a></h2>
<div class="section" id="generating-x509-ca-using-pyopenssl">
<h3><a class="toc-backref" href="#id6">Generating X509 CA using pyOpenSSL</a><a class="headerlink" href="#generating-x509-ca-using-pyopenssl" title="Permalink to this headline">¶</a></h3>
<p>The following code sample shows how to generate a CA certificate using
pyOpenSSL:</p>
<div class="highlight-python"><div class="highlight"><pre>import OpenSSL.crypto

# Generate the CA's own key pair
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
ca = OpenSSL.crypto.X509()
# set_version() is zero-based: 2 selects X.509 v3, which is required for
# the extensions added below
ca.set_version(2)
ca.set_serial_number(1)
ca.get_subject().CN = "ca.example.com"
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
# Self-signed: issuer and subject are the same
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
  OpenSSL.crypto.X509Extension("basicConstraints", True,
                               "CA:TRUE, pathlen:0"),
  OpenSSL.crypto.X509Extension("keyUsage", True,
                               "keyCertSign, cRLSign"),
  OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
                               subject=ca),
  ])
# SHA-1 is the digest used by this sample; sha256 is the preferred choice today
ca.sign(key, "sha1")
</pre></div>
</div>
</div>
<div class="section" id="signing-x509-certificate-using-ca">
<h3><a class="toc-backref" href="#id7">Signing X509 certificate using CA</a><a class="headerlink" href="#signing-x509-certificate-using-ca" title="Permalink to this headline">¶</a></h3>
<p>The following code sample shows how to sign an X509 certificate using a
CA:</p>
<div class="highlight-python"><div class="highlight"><pre>import OpenSSL.crypto

# load_certificate()/load_privatekey() take the PEM data, not a file name;
# here "ca.pem" holds both the CA certificate and its private key
ca_pem = open("ca.pem").read()
ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                          ca_pem)
ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,
                                        ca_pem)
key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
cert = OpenSSL.crypto.X509()
cert.get_subject().CN = "node1.example.com"
# Every certificate signed by the CA needs a unique serial number
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(24 * 60 * 60)
# Issuer is the CA's subject; the certificate is signed with the CA key
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(key)
cert.sign(ca_key, "sha1")
</pre></div>
</div>
</div>
<div class="section" id="how-to-generate-certificate-signing-request">
<h3><a class="toc-backref" href="#id8">How to generate Certificate Signing Request</a><a class="headerlink" href="#how-to-generate-certificate-signing-request" title="Permalink to this headline">¶</a></h3>
<p>The following code sample shows how to generate an X509 Certificate
Request (CSR):</p>
<div class="highlight-python"><div class="highlight"><pre>import OpenSSL.crypto

key = OpenSSL.crypto.PKey()
key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
req = OpenSSL.crypto.X509Req()
req.get_subject().CN = "node1.example.com"
req.set_pubkey(key)
# The request is self-signed with the requester's key (proof of possession)
req.sign(key, "sha1")
# Write private key (PEM)
print(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
# Write request (PEM)
print(OpenSSL.crypto.dump_certificate_request(OpenSSL.crypto.FILETYPE_PEM, req))
</pre></div>
</div>
</div>
<div class="section" id="x509-certificate-from-certificate-signing-request">
<h3><a class="toc-backref" href="#id9">X509 certificate from Certificate Signing Request</a><a class="headerlink" href="#x509-certificate-from-certificate-signing-request" title="Permalink to this headline">¶</a></h3>
<p>The following code sample shows how to create an X509 certificate from a
Certificate Signing Request and sign it with a CA:</p>
<div class="highlight-python"><div class="highlight"><pre>import OpenSSL.crypto

# load_certificate()/load_privatekey() take the PEM data, not a file name;
# here "ca.pem" holds both the CA certificate and its private key
ca_pem = open("ca.pem").read()
ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                          ca_pem)
ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,
                                        ca_pem)
req = OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_PEM,
                                              open("req.csr").read())
# A CA should also check the request's own signature (req.verify) before
# issuing, so that the requester is known to hold the private key
cert = OpenSSL.crypto.X509()
# Subject and public key are taken from the request, the issuer from the CA
cert.set_subject(req.get_subject())
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(24 * 60 * 60)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(ca_key, "sha1")
print(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
</pre></div>
</div>
</div>
<div class="section" id="verify-whether-x509-certificate-matches-private-key">
<h3><a class="toc-backref" href="#id10">Verify whether X509 certificate matches private key</a><a class="headerlink" href="#verify-whether-x509-certificate-matches-private-key" title="Permalink to this headline">¶</a></h3>
<p>The code sample below shows how to check whether a certificate matches
with a certain private key. OpenSSL has a function for this,
<code class="docutils literal"><span class="pre">X509_check_private_key</span></code>, but pyOpenSSL provides no access to it.</p>
<div class="highlight-python"><div class="highlight"><pre>import OpenSSL.SSL

# key and cert are the PKey and X509 objects from the samples above
ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
ctx.use_privatekey(key)
ctx.use_certificate(cert)
try:
  # Raises OpenSSL.SSL.Error when the key does not belong to the certificate
  ctx.check_privatekey()
except OpenSSL.SSL.Error:
  print("Incorrect key")
else:
  print("Key matches certificate")
</pre></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer" role="contentinfo">
© Copyright 2018, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Google Inc..
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.7.
</div>
</body>
</html>