Development¶

class django_ca.tests.base.DjangoCATestCase(methodName='runTest')[source]¶

Base class for all testcases with some enhancements.

assertBasic(cert, algo='SHA256')[source]¶: Assert some basic key properties.

assertCommandError(msg)[source]¶

Context manager asserting that CommandError is raised.

Parameters

msgstr: The regex matching the exception message.

assertHasExtension(cert, oid)[source]¶: Assert that the given cert has the passed extension.

assertHasNotExtension(cert, oid)[source]¶: Assert that the given cert does not have the passed extension.

assertParserError(args, expected)[source]¶: Assert that given args throw a parser error.

assertSerial(serial)[source]¶: Assert that the serial matches a basic regex pattern.

cmd(*args, **kwargs)[source]¶: Call to a manage.py command using call_command.

cmd_e2e(cmd, stdin=None, stdout=None, stderr=None)[source]¶

Call a management command the way manage.py does.

Unlike call_command, this method also tests the argparse configuration of the called command.

classmethod create_ca(name, **kwargs)[source]¶

Create a new CA.

Sets sane defaults for all required kwargs, so you only have to pass the name.

classmethod load_ca(name, x509, enabled=True, parent=None, **kwargs)[source]¶: Load a CA from one of the preloaded files.

settings(**kwargs)[source]¶: Decorator to temporarily override settings.

tmpcadir(**kwargs)[source]¶: Context manager to use a temporary CA dir.

Setup demo¶

You can set up a demo using fab init_demo. First create a minimal localsettings.py file (in ca/ca/localsettings.py):

DEBUG = True
SECRET_KEY = "whatever"

And then simply run fab init_demo from the root directory of your project.

Development webserver via SSL¶

To test a certificate in your webserver, first install the root certificate authority in your browser, then run stunnel4 and manage.py runserver in two separate shells:

$ stunnel4 .stunnel4.conf

There is also a second config file using a revoked certificate. If you use it, browsers will display an error.

$ stunnel4  .stunnel4-revoked.conf

You can now start your development webserver normally:

$ DJANGO_SETTINGS_MODULE=ca.demosettings python manage.py runserver

… and visit https://localhost:8443.

Run test-suite¶

To run the test-suite, simply execute:

python setup.py test

… or just run some of the tests:

python setup.py test --suite=tests_command_dump_crl

To generate a coverate report:

python setup.py coverage

Useful OpenSSL commands¶

Verification¶

Verify a certificate signed by a root CA (cert.crt could also be an intermediate CA):

openssl verify -CAfile ca.crt cert.crt

If you have an intermediate CA:

openssl verify -CAfile ca.crt -untrusted intermediate.crt cert.crt

CRLs¶

Convert a CRL to text on stdout:

openssl crl -inform der -in sfsca.crl -noout -text

Convert a CRL to PEM to a file:

openssl crl -inform der -in sfsca.crl -outform pem -out test.pem

Verify a certificate using a CRL:

openssl verify -CAfile files/ca_crl.pem -crl_check cert.pem

OCSP¶

Run a OCSP responder:

openssl ocsp -index files/ocsp_index.txt -port 8888 \
   -rsigner files/localhost.pem -rkey files/localhost.key \
   -CA ca.pem -text

Verify a certificate using OCSP:

openssl ocsp -CAfile ca.pem -issuer ca.pem -cert cert.pem \
    -url http://localhost:8888 -resp_text

Conversion¶

Convert a PEM formatted public key to DER:

openssl x509 -in pub.pem -outform der -out pub.der

Convert a PEM formatted private key to DER:

openssl rsa -in priv.pem -outform der -out priv.der

Convert a p7c/pkcs7 file to PEM (Let’s Encrypt CA Issuer field) (see also pkcs7(1SSL) - online):

openssl pkcs7 -inform der -in letsencrypt.p7c -print_certs \
   -outform pem -out letsencrypt.pem