-----BEGIN X509 CRL-----

MIIDAjCB6wIBATANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCQ0ExEDAOBgNV

BAgMB09udGFyaW8xEDAOBgNVBAcMB1Rvcm9udG8xGDAWBgNVBAoMD01hZ2ljU3Rh

Y2sgSW5jLjEWMBQGA1UECwwNYXN5bmNwZyB0ZXN0czEdMBsGA1UEAwwUYXN5bmNw

ZyB0ZXN0IHJvb3QgY2ExHTAbBgkqhkiG9w0BCQEWDmhlbGxvQG1hZ2ljLmlvFw0y

MTA5MTQxNjA2MDFaFw0yMTA5MTUxNjA2MDFaMBUwEwICEAAXDTIxMDkxNDE2MDYw

MVowDQYJKoZIhvcNAQELBQADggIBAL4yfNmvGS8SkIVbRzdAC9+XJPw/dBJOUJwr

EgERICAz7OTqG1PkmMhPL00Dm9fe52+KnSwHgL749W0S/X5rTNMSwLyGiiJ5HYbH

GFRKQ/cvXLi4jYpSI1Ac94kk0japf3SfwEw3+122oba8SiAVP0nY3bHpHvNfOaDV

fhbFTwb5bFm6ThqlKLZxGCKP0fGeQ4homuwgRiLE/UOiue5ted1ph0PkKVui208k

FnhNYXSllakTGT8ZZZZVid/4tSHqJEY9vbdMXNv1GX8mhjoU1Gv9dOuyFGgUc9Vx

e7gzf/Wf36vKI29o8QGkkTslRZpMG59z3sG4Y0vJEoqXMB6eQLOr5iUCyj2CyDha

66pwrdc1fRt3EvNXUWkdHfY3EHb7DxueedDEgtmfSNbEaZTXa5RaZRavNGNTaPDf

UcrDU4w1N0wkYLQxPqd+VPcf1iKyfkAydpeOq9CChqRD0Tx58eTn6N/lLGFPPRfs

x47BA4FmefBeXZzd5HiXCUouk3qHIHs2yCzFs+TEBkx5eV42cP++HxjirPydLf6Y

G/o/TKRnc/2Lw+dCzvUV/p3geuw4+vq1BIFanwB9jp4tGaBrffIAyle8vPQLw6bp

1o1O39pdxniz+c9r0Kw/ETxTqRLbasSib5FHq5G/G9a+QxPsLAzKgwLWhR4fXvbu

YPbhYhRP

-----END X509 CRL-----

-----BEGIN RSA PRIVATE KEY-----

MIIJKQIBAAKCAgEAyprtuNvPDrNt1bUX/JKee7I+/rPj0g//PiomYieLMuSq1FFY

o1UIHwqcT86VlrUP+yW40DLfpGaicCqnc1wGPKLJ5Y6WGL2zVp3NBmWNPRes/eRq

lYF//NRXvFtyc+iPcEtgl1Z3ihrbsfun87Sm6wNm9ZJ+vW98QpRB0SxWZfYShvHJ

Nh/oCOQBA4EJoUyF2qZfOWz7oeeLiolBp3nT5NO24gsN2RORkxlsxKuajKhRH29f

fy9bzr4Mf0OGqpoycJTjQfQ8zH7XrXSmkeUkvrx9EFIYll8Mu49U42LST+DOny4p

8ILjGBvEG4OzZC+EAvU+80eQmTydEPzaYsL+6nTM8i+0JJWfct2HgOcHHsnNv84d

CDTeW3+CdZg2Y4WB/QiIFR0o+s+OK1qvS/js2E9BDA4WTtDnmpE1oKlzSAn3hF2e

Yct0FQlLyq4Jp6rNH4pnR+nWUCBkCEPFXIP6bJNoRD9YUVkTp/3IAnWnXBKmzHW7

TlLjHJ69Cugf21W18YwFeHlXAnEt8N8CBuCotmiF516x8hCZmSW9NyqO1Vz9DUxr

hnz2EI9qMeGuMFYjhqccW5xhgBalfgSFZYVDHy/T5WrarCOpFMySLCVIspOqD29y

njUOfjLUtEtQ1dIwOcMQ0GchBYlLJehi2EpuEWo8aB3S0e16o9w+xFihrf8CAwEA

AQKCAgEApJFdgOdCc415LLpxJl4tzwnEs3yJE8qcp/Dyxo2aOpeUzurYVasu8o/a

0dRam1StC3HjgXGhSNd5ICT1aPWZt0z/M7Ay6RvFfRimPYjlRXdis8QCczgCLuqH

7V5WRCHlyO/hIGxCovIX+6UPEhxt7L0Rt2zr95GD3EyyfWZHM4DCIcxphMY74mTZ

EfCRUuxmWWkENg/5ANSj+r5sjs2dOORjS45xDB8iAtsHB2TgH1pksmTzq8pbBz5F

xmWiEBc520qEocDyVaS+KY1z81OuGiPebhBRGmtQW1UcPaq6a9mN26xSsqKONbnv

++1pHHqf/wsXu+IoaN/cML1B4jDDf1milC7mmgPdETQjbco7PvSsxzG3pZktijoT

8WfCMda4SFgkLMDEKyD5tyUGQFsvijXFf9y+/V0ux3u1Hm6NApDXTf7gX5W0b9tD

uiupzcwCtA5s9AO6G0bQnddwzFGh91/ydyc5DfaRjfrG95zYouwqmMQXTqYG1USX

mLrDgHw3ierlwVWKUR0OnysMeNYtu5782RO3LSdL126PKLd/pLvG7FrETLFECP3B

QgM/vKlNY26mcX4DuALRRLWu+ORrGMclEp7Bw/JPTkFxj2gLrmL6JM1h+CFXDBmk

pE0Cl2PDCVq4aFWZDn4F8ioT4XW/2REtxp7E2wazNnCX+IUap1ECggEBAOeXY9Ib

m0GayJVm7kvvL6pY2e/lHlvi44xcTG3GrkOn/qMLIDkXvUyfjcqHZQhMoYhnYx4K

iyK4D/Mej4Jbj5dyRKHEn8tKGuDrlzFp0CLRQvg1s/LcktX8hdef9IPXHA3y6ML5

X60KNN1PI/7aINEENn1qOqDvU6X9ST3VGAWbfyM5jOZDHIBkjJuJTUwndaDbIA09

AqxqQjq6UntCG+seXBmE1OHht++pWgN5rlq1wJ2KJlGR2HdhtIl1JyfU/hisnfFD

ahQMUFoFYS3ecNUNumbQEBaZ66/mHP0p2YhaLK3j3shC8vsN15LOW6Ulzlmw7I3s

tGqcShUaldjQYvkCggEBAN/1dQst70hWLtjRnP/0FidKtq3l2u0Lg6+K7CUsIOEa

QH1s0CobT5j7eWtodPkZkYCzulhiPXk32mW0uKiAglJ+LPaU7HgNrFlJKefCrStP

o8LcdeZujRhBkBvU+xytoxpKIhdie4td106sRCb63F66MtU+dSJqEl6/5Piz0zLT

YgrFitRaRA5/jW47BUV4ZBRnHqrBN4PhoaYPp7oYIue6E1G+REdsL9+I1B1PhUV2

vmVHvoQkwqa1Ne9AZg1ZmTbnSojKV1c1T/uwwW/UEDo6v3+qMH/wTpXMk7DIE7ih

NW/FADYRHEd1M11zxLOMmq43C9/KD261N97H17NP3rcCggEBAJKdgzJ3C7li1m3P

NjmYeWKs0XxQXwHpCAnKPRCaYaSvbEOoPYQnhU5HDKsVQF8atID4gwV3w1H9mQtf

Y5cxhBxq2QxYwJkglxehzpwX0w7X0D/3L68m+UbDkbBKsa/ttPMXv0gAPBP+jC03

dyBW08O/mQeZAvjzys8hJQciKw0RvlF8k7kK77ZQ8bteFzOJH6zwTMBUyaaBtuAb

KTCjT61wEPqO338JOTteyX+9vyXqPsD9vviRDqu1jWggZOOQsjTIw00EUtnSWeRD

15wEYQZgpIuGWUkVtOItGlkj73WlMPf9dQLvb4iE4N8uCVLqNlMN8RSAsE92Fmh5

5jfW5XECggEAQEd5En5aoU5rH7v57dSmzxw4lmzUixi08RtUb87cmP8p51Xl4U/5

ZpU24kcW27Ak/OWY5Gk9757CRlK6dVJ9FSQ1z4gq3sI951qCdox/m2C+Rd100XCF

eqLGs9ZLRI3ptE/2vPN9NiD2/ROgc/eobF/Q2zeT8w6yuxMkquUiBwJ4r1LHZ++I

fQjLFQpHlwrY3qpCOQw/3NBTzw/LOjRXQF890EZl3oIEs4nYJ5l9TNSqDPOskMzk

OWjlVAgNwmMnAIUd9Wjt7I/WpwyyWGBrT+swr3mvdekJBSG0ehbS4jkS10OZrer3

TOMsnPPvTwFaHAqck9yw1TuaD40YMdUIvQKCAQAHpX7JP3Qbt7Q+hzq66BVWwlp6

qdKKjlGGB7ciiFwuZWRI019ilbmmOjCfvFuVh4pyZgQH/TG/9HnZPBmuXd0Jy6VJ

SIQWZQ58G3SmIFqXZYA5Gxk2u4B/bPmptfPX/zxkaSV83dQu3L0PdPVnCTzv1qDn

MdCMbq7K53zF/j05tWRdF4iey64pmoBZx7G3Ky9cwdMsKTm/7AHi0UBTHwGCrDFL

BDS6XW1ylSa0QJrd2+yryae+N0iYXA+5WmY6yuLkUrGXcf96e3ufrs73di5R10IV

D38YeZHQEIK5gmfWC9Ma5HZb6TB/CtweirY4IddUiPEpHJFmOV+TkGBmntF6

-----END RSA PRIVATE KEY-----

import datetime

import os

from cryptography import x509

from cryptography.hazmat import backends

from cryptography.hazmat.primitives import hashes

from cryptography.hazmat.primitives import serialization

from cryptography.hazmat.primitives.asymmetric import rsa

from cryptography.x509 import oid

def _new_cert(issuer=None, is_issuer=False, serial_number=None, **subject):

backend = backends.default_backend()

private_key = rsa.generate_private_key(

public_exponent=65537, key_size=4096, backend=backend

)

public_key = private_key.public_key()

subject = x509.Name(

[

x509.NameAttribute(getattr(oid.NameOID, key.upper()), value)

for key, value in subject.items()

]

)

builder = (

x509.CertificateBuilder()

.subject_name(subject)

.public_key(public_key)

.serial_number(serial_number or int.from_bytes(os.urandom(8), "big"))

)

if issuer:

issuer_cert, signing_key = issuer

builder = (

builder.issuer_name(issuer_cert.subject)

.not_valid_before(issuer_cert.not_valid_before)

.not_valid_after(issuer_cert.not_valid_after)

)

aki_ext = x509.AuthorityKeyIdentifier(

key_identifier=issuer_cert.extensions.get_extension_for_class(

x509.SubjectKeyIdentifier

).value.digest,

authority_cert_issuer=[x509.DirectoryName(issuer_cert.subject)],

authority_cert_serial_number=issuer_cert.serial_number,

)

else:

signing_key = private_key

builder = (

builder.issuer_name(subject)

.not_valid_before(

datetime.datetime.today() - datetime.timedelta(days=1)

)

.not_valid_after(

datetime.datetime.today() + datetime.timedelta(weeks=1000)

)

)

aki_ext = x509.AuthorityKeyIdentifier.from_issuer_public_key(

public_key

)

if is_issuer:

builder = (

builder.add_extension(

x509.BasicConstraints(ca=True, path_length=None),

critical=False,

)

.add_extension(

x509.SubjectKeyIdentifier.from_public_key(public_key),

critical=False,

)

.add_extension(

aki_ext,

critical=False,

)

)

else:

builder = (

builder.add_extension(

x509.KeyUsage(

digital_signature=True,

content_commitment=False,

key_encipherment=True,

data_encipherment=False,

key_agreement=False,

key_cert_sign=False,

crl_sign=False,

encipher_only=False,

decipher_only=False,

),

critical=False,

)

.add_extension(

x509.BasicConstraints(ca=False, path_length=None),

critical=False,

)

.add_extension(

x509.ExtendedKeyUsage([oid.ExtendedKeyUsageOID.SERVER_AUTH]),

critical=False,

)

.add_extension(

x509.SubjectAlternativeName([x509.DNSName("localhost")]),

critical=False,

)

.add_extension(

x509.SubjectKeyIdentifier.from_public_key(public_key),

critical=False,

)

.add_extension(

aki_ext,

critical=False,

)

)

certificate = builder.sign(

private_key=signing_key,

algorithm=hashes.SHA256(),

backend=backend,

)

return certificate, private_key

def _write_cert(path, cert_key_pair, password=None):

certificate, private_key = cert_key_pair

if password:

encryption = serialization.BestAvailableEncryption(password)

else:

encryption = serialization.NoEncryption()

with open(path + ".key.pem", "wb") as f:

f.write(

private_key.private_bytes(

encoding=serialization.Encoding.PEM,

format=serialization.PrivateFormat.TraditionalOpenSSL,

encryption_algorithm=encryption,

)

)

with open(path + ".cert.pem", "wb") as f:

f.write(

certificate.public_bytes(

encoding=serialization.Encoding.PEM,

)

)

def new_ca(path, **subject):

cert_key_pair = _new_cert(is_issuer=True, **subject)

_write_cert(path, cert_key_pair)

return cert_key_pair

def new_cert(

path, ca_cert_key_pair, password=None, is_issuer=False, **subject

):

cert_key_pair = _new_cert(

issuer=ca_cert_key_pair, is_issuer=is_issuer, **subject

)

_write_cert(path, cert_key_pair, password)

return cert_key_pair

def new_crl(path, issuer, cert):

issuer_cert, signing_key = issuer

revoked_cert = (

x509.RevokedCertificateBuilder()

.serial_number(cert[0].serial_number)

.revocation_date(datetime.datetime.today())

.build()

)

builder = (

x509.CertificateRevocationListBuilder()

.issuer_name(issuer_cert.subject)

.last_update(datetime.datetime.today())

.next_update(datetime.datetime.today() + datetime.timedelta(days=1))

.add_revoked_certificate(revoked_cert)

)

crl = builder.sign(private_key=signing_key, algorithm=hashes.SHA256())

with open(path + ".crl.pem", "wb") as f:

f.write(crl.public_bytes(encoding=serialization.Encoding.PEM))

def main():

ca = new_ca(

"ca",

country_name="CA",

state_or_province_name="Ontario",

locality_name="Toronto",

organization_name="MagicStack Inc.",

organizational_unit_name="asyncpg tests",

common_name="asyncpg test root ca",

email_address="hello@magic.io",

)

server = new_cert(

"server",

ca,

country_name="CA",

state_or_province_name="Ontario",

organization_name="MagicStack Inc.",

organizational_unit_name="asyncpg tests",

common_name="localhost",

email_address="hello@magic.io",

serial_number=4096,

)

new_crl('server', ca, server)

if __name__ == "__main__":

main()