Metadata-Version: 2.1
Name: autocsr
Version: 1.0.11
Summary: AutoCSR is a command-line tool and library for automatically generating Certificate Signing Requests from easy to define configuration files.
Home-page: https://github.com/maxwolfe/autocsr
License: MIT
Keywords: Certificate Signing Request,CSR
Author: Max Wolfe
Author-email: max@securitywolfe.com
Requires-Python: >=3.7,<4.0
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Requires-Dist: Jinja2 (>=2.11.3,<3.0.0)
Requires-Dist: PyYAML (>=5.4.1,<6.0.0)
Requires-Dist: cryptography (>=3.4.7,<4.0.0)
Requires-Dist: protobuf (>=3.15.8,<4.0.0)
Requires-Dist: pyOpenSSL (>=20.0.1,<21.0.0)
Requires-Dist: pyasn1-modules (>=0.2.8,<0.3.0)
Requires-Dist: pycryptodome (>=3.10.1,<4.0.0)
Requires-Dist: python-pkcs11 (>=0.7.0,<0.8.0)
Requires-Dist: typer (>=0.3.2,<0.4.0)
Project-URL: Documentation, https://autocsr.readthedocs.io/en/latest/
Project-URL: Repository, https://github.com/maxwolfe/autocsr
Project-URL: issues, https://github.com/maxwolfe/autocsr/issues
Description-Content-Type: text/markdown

[![Build Status](https://travis-ci.com/maxwolfe/autocsr.svg?token=qz3Kxzoztoakrxm4CFDZ&branch=master)](https://travis-ci.com/maxwolfe/autocsr)

# AutoCSR: Automatic Certificate Signing Request Generation

`AutoCSR` is a command-line tool and library for automatically generating Certificate Signing Requests from basic user input and easy to define templates.

`AutoCSR` was developed to empower non-security professionals to quickly and easily generate their own simple Certificate Signing Requests with minimal security knowledge required.

`AutoCSR` also provides security professionals with the ability to define complex Certificate Signing Requests with templates that can be easily shared with non-security professionals to generate complex Certificate Signing Requests without the need for detailed instructions or handholding.

## Install
```
pip install autocsr
```

## Usage
```
Usage: autocsr [OPTIONS] COMMAND [ARGS]...

Commands:
  build   Create certificate signing requests from a config file.
  create  Create a new Certificate Signing Request with little customization.
  prompt  Prompt the user for Certificate Signing Request fields.
```

## Quickstart

### Create a simple CSR with a Common Name
The easiest way to generate a Certificate Signing Request is by specifying the common name and letting `autocsr create` handle the rest! This is perfect for simple Certificate Signing Requests that don't require any custom attributes, extensions, or specific key formats.

```
max@wolfetop:/app# autocsr create "My Common Name"
Where to store the new key? [./My Common Name.pem]:
Where to store the new csr? [./My Common Name.csr]:
Created new CSR at ./My Common Name.csr
```

You can also specify the `key-path` and `output-path` to avoid the mandatory prompts.

```
max@wolfetop:/app# autocsr create "My Common Name" --key-path my_common_name.pem --output-path my_common_name.csr
Created new CSR at my_common_name.csr
```

### Create a simple CSR with a Prompt
If you need to generate a Certificate Signing Request without custom attributes or extensions, but still want to customize the subject and signing information, `autocsr prompt` can guide you through the process while offering you safe defaults and a list of options where applicable.

```
max@wolfetop:/app# autocsr prompt "My Prompted CSR"
Where to store the new key? [./My Prompted CSR.pem]:
Where to store the new csr? [./My Prompted CSR.csr]:
What is your country identifier? (2 characters) []:
What is your state or province name? []:
What is your locality name? []:
What is your organization name? []:
What is your organizational unit name? []:
What is your email address? []:
What is the desired hash algorithm to use? (SHA256, SHA224, SHA384, SHA512, SHA512_224, SHA512_256, BLAKE2b, BLAKE2s, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256) [SHA256]:
What is the desired type of key? (RSA, DSA, EC) [RSA]:
What is the desired key size? (1024, 2048, 4096) [2048]:
Created new CSR at ./My Prompted CSR.csr
```

### Create a CSR with a Template
For more customized Certificate Signing Requests and those that need to be repeatedly generated in a consistent way, it will often be desirable to add the details of your Certificate Signing Request inside a template. `autocsr build` can be used to construct one or many Certificate Signing Requests from the details present in a template.

#### Create a Template
```
# quick_csr.yaml
My First CSR:
  subject:
    common_name: My first AutoCSR
  key_info:
    key_path: /tmp/my_first_key.key
    create: True
  output_path: /tmp/my_first_autocsr.csr
```

#### Run AutoCSR
```
max@wolfetop:/app# autocsr build quick_csr.yaml
Created new CSR at /tmp/my_first_autocsr.csr
```

#### Validate New CSR
```
max@wolfetop:/app# openssl req -text -noout -verify -in /tmp/my_first_autocsr.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = My first AutoCSR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:93:f6:52:6e:51:64:0a:a6:95:d5:89:71:11:bf:
                    50:c6:cc:54:e7:9a:06:ec:16:0a:3f:dc:8f:ee:57:
                    50:6f:bd:6b:92:89:50:d5:97:5c:74:ca:86:08:41:
                    52:af:13:5a:a9:8c:3d:79:64:14:77:fe:ef:52:d6:
                    57:6c:59:01:f4:02:03:a7:b0:c6:24:9c:1d:26:72:
                    15:f8:8b:58:25:85:83:b4:b4:26:7b:4f:db:59:93:
                    09:07:02:d3:8f:92:1d:d1:c6:94:9c:6a:06:77:de:
                    f5:5e:b8:4a:30:86:c5:6e:81:35:f4:cb:88:e7:79:
                    a3:91:22:c9:03:92:9c:8a:3a:3c:49:58:fe:18:e2:
                    e2:18:c3:6d:e0:a2:7d:21:62:80:dd:54:fb:4b:85:
                    ed:08:5f:10:0b:af:2e:66:bc:57:53:a3:d9:06:23:
                    ce:97:63:54:4c:8e:13:0f:01:1a:3e:9d:80:53:91:
                    71:f8:3f:93:03:41:d7:64:2b:5e:b6:d1:b8:17:bd:
                    10:6f:56:b5:d2:ec:3d:1a:91:0e:7a:2e:f2:ff:d4:
                    03:33:8b:91:48:6b:e3:e6:ea:f2:49:48:49:81:5a:
                    c7:b9:5a:ef:85:ce:71:61:28:7e:28:8c:07:23:48:
                    e3:c3:7e:74:46:bc:88:fa:84:9b:d3:16:98:9b:58:
                    29:9d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
         07:6c:ac:32:92:04:f2:57:42:8f:93:92:09:92:77:01:c6:5e:
         e4:7f:17:f6:78:fd:8a:83:8a:d7:55:3f:f1:c4:ba:09:1c:9e:
         2a:04:db:e3:2f:b9:c1:d0:49:53:59:47:6f:d0:3e:ae:c3:4d:
         96:f2:f0:f8:b2:9f:67:62:fc:4b:32:35:c7:f3:cc:78:83:d0:
         82:0a:b6:f0:90:83:12:10:73:49:36:ac:f2:27:85:91:b1:9d:
         0d:22:d7:2f:34:84:0a:2f:c1:d3:ee:62:82:72:78:64:93:17:
         83:7c:68:65:89:e5:ad:cc:e3:f0:c8:03:1e:18:c0:11:89:af:
         9f:5d:7a:23:a0:c9:c7:97:44:fd:18:40:6e:aa:02:cf:bb:8a:
         17:6c:24:64:3b:a5:9b:0c:c8:52:e1:8f:8f:83:ec:8b:14:5c:
         a7:38:83:f8:67:6b:2d:3e:1a:02:39:2a:57:27:3a:c0:62:b7:
         bc:90:6c:b6:f5:2c:32:f5:87:dc:b0:0c:b2:93:d3:2d:8d:cb:
         0b:a1:e6:70:aa:b9:67:bf:9b:89:ae:25:12:08:08:83:ee:7e:
         58:33:e6:53:37:fb:28:7c:79:98:39:bf:b4:8b:b9:e3:b5:75:
         8d:bd:b6:ce:e1:11:69:81:ab:37:d9:f0:3c:6e:35:b1:23:d8:
         6a:10:be:2e
```

## Creating Templates
A template is an overall definition of the data you want to be include in your Certificate Signing Request. Most fields can be optionally excluded or have safe default values for those who don't want to worry too much about the details.

### Subject
The subject of the Certificate Signing Request contains various metadata about the certificate, the only required portion being the `common_name`.

```
# subject_example.yaml
A Subject CSR:
  subject:
    common_name: All about the subject
    country_name: US
    state_or_province_name: California
    locality_name: Bay Area
    organization_name: SecurityWolfe
    organizational_unit_name: The Cool Team
    email_address: max@securitywolfe.com
  key_info:
    key_path: /tmp/subject_example.key
    create: True
  output_path: /tmp/subject_example.csr
```

#### Explicit Subject Example

```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = All about the subject, C = US, ST = California, L = Bay Area, O = SecurityWolfe, OU = The Cool Team, emailAddress = max@securitywolfe.com
```

### Key and Signing Information
`AutoCSR` allows keys to be generated on the fly or loaded directly from files. You can also explicitly define the hash algorithm to use for signing.

```
# key_example.yaml
RSA With Explicit Key Parameters:
  subject:
    common_name: RSA CSR with explicit key parameters
  key_info:
    key_path: /tmp/my_rsa.key
    create: True
    key_type: RSA
    key_size: 2048
    public_exponent: 65537
  hash_type: SHA256
  output_path: /tmp/my_rsa_autocsr.csr

DSA From Key File:
  subject:
    common_name: DSA CSR from key file
  key_info:
    key_path: /tmp/my_dsa.key
  output_path: /tmp/my_dsa_autocsr.csr

EC With Explicit Key Parameters:
  subject:
    common_name: EC CSR with explicit key parameters
  key_info:
    key_path: /tmp/my_ec.key
    create: True
    key_type: EC
    curve: SECP256R1
  hash_type: SHA512
  output_path: /tmp/my_ec_autocsr.csr
```

Running `autocsr build` on this template will generate three Certificate Signing Requests:

#### RSA Example CSR
```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = RSA CSR with explicit key parameters
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus: ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
```

#### DSA Example CSR
```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = DSA CSR from key file
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
                pub: ...
                P: ...
                Q: ...
                G: ...
        Attributes:
        Requested Extensions:
    Signature Algorithm: dsa_with_SHA256
```

#### EC Example CSR
```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = EC CSR with explicit key parameters
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: ...
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
    Signature Algorithm: ecdsa-with-SHA512
```

### Attributes
Certificates can optionally contain a plethora of pre-defined and custom attributes which map an `oid` to a binary value. Because we primarily use YAML for our template, we require that attribute values are base64 encoded in the template when defining attributes. Optionally for predefined attributes, a string name can be used instead of the dotted-string `oid`.

```
# attribute_example.yaml
CSR with Attributes:
  subject:
    common_name: My CSR with custom and well-known attributes
  key_info:
    key_path: /tmp/my_attributes.key
    create: True
  output_path: /tmp/my_attributes_autocsr.csr
  attributes:
    - oid: issuerAltName
      b64_value: TXkgSXNzdWVyIEFsdCBOYW1l
    - oid: 1.2.345.678  # A custom OID
      b64_value: TXkgQ3VzdG9tIEF0dHJpYnV0ZQ==
```

#### Custom and Predefined Attributes Example

```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = My CSR with custom and well-known attributes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus: ...
                Exponent: 65537 (0x10001)
        Attributes:
            X509v3 Issuer Alternative Name:My Issuer Alt Name
            1.2.345.678              :My Custom Attribute
```

### Extensions
Certificate Signing Requests offer a plethora of predefined extensions. An exhaustive list of the available extensions are available [here](https://cryptography.io/en/latest/x509/reference/#x-509-extensions), but I will provide a few examples of modeling extensions in templates below. Keep in mind that like attributes, extensions that require bytes as input will need to have their data represented in base64.

```
# extension_example.yaml
My CSR with Extensions:
  subject:
    common_name: Some Common Extensions for CSRs
  key_info:
    key_path: /tmp/my_extension_example.key
    create: True
  output_path: /tmp/my_extension_autocsr.csr
  extensions:
    - critical: True
      extension_type: OCSPNoCheck
    - critical: True
      subject_key_identifier:
        b64_digest: TXkgRXhhbXBsZSBTdWJqZWN0IEtleSBJZGVudGlmaWVy
    - critical: False
      extended_key_usage:
        usages:
          - "serverAuth"
          - "1.2.3.4.5"
    - critical: True
      key_usage:
        digital_signature: True
        content_commitment: False
        key_encipherment: True
        data_encipherment: False
        key_agreement: True
        key_cert_sign: False
        crl_sign: True
        encipher_only: False
        decipher_only: True
```

#### Various Extensions Example
```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = Some Common Extensions for CSRs
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus: ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            OCSP No Check: critical

            X509v3 Subject Key Identifier: critical
                4D:79:20:45:78:61:6D:70:6C:65:20:53:75:62:6A:65:63:74:20:4B:65:79:20:49:64:65:6E:74:69:66:69:65:72
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.2.3.4.5
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement, CRL Sign, Decipher Only
```

### Jinja Templates
Alternatively to using `.yaml` files, you can use `.jinja2` files modeled after YAML, but including environment variables to be replaced. If you wanted to recreate the first example using environment variables, you can do so like this:

```
# quick_csr.jinja2
{{ NAME }}'s First CSR:
  subject:
    common_name: {{ NAME }}'s first AutoCSR
  key_info:
    key_path: /tmp/{{ NAME }}s_first_key.key
    create: True
  output_path: /tmp/{{ NAME }}s_first_autocsr.csr
```

#### Run AutoCSR on a Jinja Template
```
max@wolfetop:/app# NAME=Max autocsr quick_csr.jinja2
Created new CSR at /tmp/Maxs_first_autocsr.csr
```

#### Validate Jinja Templated CSR
```
max@wolfetop:/app# openssl req -text -noout -verify -in /tmp/Maxs_first_autocsr.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = Max's first AutoCSR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
```

