Diffstat (limited to 'potpourri/generate-root-certificate')
-rwxr-xr-x | potpourri/generate-root-certificate | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/potpourri/generate-root-certificate b/potpourri/generate-root-certificate
new file mode 100755
index 00000000..31647d5f
--- /dev/null
+++ b/potpourri/generate-root-certificate
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+
+"""
+Generate an RPKI root certificate for rootd. In most cases you should
+not need to do this; see caveats in the manual about running rootd if
+you think you need this. This script does nothing that can't also be
+done with the OpenSSL command line tool, but on some platforms the
+installed copy of openssl doesn't understand the RFC 3779 extensions.
+"""
+
+import os
+import sys
+import time
+import argparse
+import rpki.x509
+import rpki.config
+import rpki.sundial
+import rpki.resource_set
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+parser = argparse.ArgumentParser(description = __doc__)
+parser.add_argument("-c", "--config", help = "configuration file")
+parser.add_argument("-a", "--asns", default = "0-4294967295", help = "ASN resources")
+parser.add_argument("-4", "--ipv4", default = "0.0.0.0/0", help = "IPv4 resources")
+parser.add_argument("-6", "--ipv6", default = "::/0", help = "IPv6 resources")
+parser.add_argument("--certificate", default = "root.cer", help = "certificate file")
+parser.add_argument("--key", default = "root.key", help = "key file")
+parser.add_argument("--tal", default = "root.tal", help = "TAL file")
+args = parser.parse_args()
+
+cfg = rpki.config.parser(args.config, "rootd")
+
+resources = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as(args.asns),
+ v4 = rpki.resource_set.resource_set_ipv4(args.ipv4),
+ v6 = rpki.resource_set.resource_set_ipv6(args.ipv6))
+
+keypair = rpki.x509.RSA.generate(quiet = True)
+
+sia = cfg.get("rpki-base-uri")
+sia = (sia, sia + "root.mft", None)
+
+uri = cfg.get("rpki-root-cert-uri")
+
+cert = rpki.x509.X509.self_certify(
+ keypair = keypair,
+ subject_key = keypair.get_public(),
+ serial = 1,
+ sia = sia,
+ notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
+ resources = resources)
+
+with open(args.certificate, "wb") as f:
+ f.write(cert.get_DER())
+
+with open(args.key, "wb") as f:
+ f.write(keypair.get_DER())
+
+with open(args.tal, "w") as f:
+ f.write(uri + "\n\n" + keypair.get_public().get_Base64())
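Review bot: The root private key is written with `open(args.key, "wb")`, which creates `root.key` with whatever the process umask allows (commonly mode 0644), so the trust-anchor key is readable by every local user until someone remembers to chmod it, and an existing key file at that path is silently truncated. Create the file with an explicit restrictive mode instead: `fd = os.open(args.key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` / `with os.fdopen(fd, "wb") as f:` / `f.write(keypair.get_DER())`, adding `os.O_EXCL` if clobbering an existing root key should be an error rather than the default. The certificate and TAL writes can stay as they are since both hold only public material. Separately, `cfg.get("rpki-base-uri")` and `cfg.get("rpki-root-cert-uri")` are concatenated without a check, so a missing option presumably surfaces as a TypeError on `sia + "root.mft"` or `uri + "\n\n"` rather than a clear message — worth confirming what `rpki.config.parser.get` does for an absent key and failing early with a usable error if it returns None.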