[Twisted-Python] loading intermediate CA certs from a chain file

Sury Soni ssoni at nextdigital.com
Tue Jul 20 20:26:37 MDT 2010


I was able to solve this problem by writing the following class. Thank you JP for pointing me to the use_certificate_chain_file function.

from OpenSSL import SSL
from twisted.internet.ssl import DefaultOpenSSLContextFactory

class ChainedOpenSSLContextFactory(DefaultOpenSSLContextFactory):
    """
    Like DefaultOpenSSLContextFactory, but loads the server certificate
    together with its intermediate CA certificates from one chain file.
    """
    def __init__(self, privateKeyFileName, certificateChainFileName,
                 sslmethod=SSL.SSLv23_METHOD):
        """
        @param privateKeyFileName: Name of a file containing a private key
        @param certificateChainFileName: Name of a file containing a certificate chain
            (server certificate first, followed by the intermediate CA certificates)
        @param sslmethod: The SSL method to use
        """
        self.privateKeyFileName = privateKeyFileName
        self.certificateChainFileName = certificateChainFileName
        self.sslmethod = sslmethod
        self.cacheContext()

    def cacheContext(self):
        # Build the SSL.Context once and cache it; the inherited getContext()
        # returns self._context.
        ctx = SSL.Context(self.sslmethod)
        # use_certificate_chain_file loads every certificate in the PEM file,
        # whereas use_certificate_file loads only the first one.
        ctx.use_certificate_chain_file(self.certificateChainFileName)
        ctx.use_privatekey_file(self.privateKeyFileName)
        self._context = ctx

And I used it in place of DefaultOpenSSLContextFactory like this:

from twisted.application import internet

# site_ssl is the twisted.web Site (resource tree) to serve over HTTPS
ssl_service = internet.SSLServer(443, site_ssl,
            ChainedOpenSSLContextFactory(
                privateKeyFileName="cert/server.key",
                certificateChainFileName="cert/chain.pem",
                sslmethod=SSL.SSLv3_METHOD))

Where chain.pem was the cat'ed version of my certificate + CA certificate + ROOT certificate. Thank you Konrads for suggesting this cat'ing thing to me.

If anyone still has problems in this area, they will have to track down the correct chain of certificates. I myself got stuck choosing the correct CA certificate, since Thawte has many different CA certificates for different purposes. Eventually, I was fine once I chose the right one.

Cheers.

-Sury

---------------------
What I recommend is to add the whole chain in one file using the openssl kit (maybe just cat'ing works). However, most certs issued nowadays already contain the chain. You can check with openssl x509 -in cert.pem -text and see the attached signer's certificate in base64, copy that to a new.pem and repeat. You can walk up the chain this way to the root cert. If you can, the chaining is not your problem.
Try playing with the openssl toolkit alone and see what it says about the cert and key.

2010/7/20, exarkun at twistedmatrix.com <exarkun at twistedmatrix.com>:
> On 07:13 am, ssoni at nextdigital.com wrote:
>>Hi There,
>>
>>Does Twisted support or is there any way of loading intermediate CA 
>>certs from a chain file?
>
> Twisted uses pyOpenSSL for its SSL support.  So you can do pretty
> much anything pyOpenSSL allows.
> http://packages.python.org/pyOpenSSL/openssl-context.html documents
> the Context interface; in particular the use_certificate_chain_file
> might be interesting.  However, I recently had a conversation with
> someone who was using this method and still couldn't get their chain
> certificate to work reliably.  I think he's still trying to track
> down the issue.
>
> Jean-Paul


--
Konrads Smelkovs
Applied IT sorcery.
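Sury's fix depends on chain.pem listing the certificates leaf-first with each one followed by its issuer, which is the same walk up the chain Konrads describes with openssl x509; the following added example (mine, not from this thread, Twisted or pyOpenSSL) checks that ordering in a PEM bundle using only the Python standard library, reading each certificate's subject and issuer commonName directly from the DER and reporting every adjacent pair whose issuer and subject do not match. The sample certificates are constructed unsigned skeletons that only exercise the parser; on a real file, call chain_problems(open("cert/chain.pem", "rb").read()).

```python
import base64, re
CN_OID = b"\x55\x04\x03"  # DER body of OID 2.5.4.3 (commonName)
PEM_RE = re.compile(b"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos); long-form lengths handled
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(body):  # split a constructed DER value's contents into (tag, value) children
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out
def common_name(name_body):  # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == CN_OID:
                return value[1].decode("utf-8")
    return None
def subject_issuer(cert_der):  # (subject CN, issuer CN) by field position in tbsCertificate (RFC 5280)
    _, body, _ = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    fields = _children(_children(body)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # drop optional [0] EXPLICIT version
        fields = fields[1:]                     # serial, signature, issuer, validity, subject, spki, ...
    return common_name(fields[4][1]), common_name(fields[2][1])
def chain_problems(pem_bytes):  # leaf-first rule: cert i's issuer must be cert i+1's subject
    chain = [subject_issuer(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_bytes)]
    problems = [f"cert {i} ({s}) was issued by {iss!r}, but cert {i + 1} is {chain[i + 1][0]!r}"
                for i, (s, iss) in enumerate(chain[:-1]) if iss != chain[i + 1][0]]
    return chain, problems

# Constructed test data: unsigned certificate skeletons with real X.509 layout, NOT valid certs.
def _der(tag, body):
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 128 else b""
    return bytes([tag, n if n < 128 else 0x80 | len(nb)]) + nb + body
def fake_cert(subject_cn, issuer_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer_cn)
           + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = (fake_cert("www.example.test", "Test Intermediate CA")      # server cert first
                + fake_cert("Test Intermediate CA", "Test Root CA")       # then its issuer
                + fake_cert("Test Root CA", "Test Root CA"))              # self-signed root last
```

This only checks the name chain; it does not verify signatures, so a bundle that passes here should still be confirmed with openssl verify against the root.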