Table of Contents:
- Customizing SSL Certificates
- Overview
- Sample Code
Customizing SSL Certificates
Description: In an Enterprise environment, where we are decrypting traffic for inspection or using interanally signed certificates, I’m constaintly running into SSL Errors. They are generally legitimate and always have a reason, but to minimize this I either directly use a custom CA or I use something like the below where I can leverage publicly known Trusted CA’s with a Custom Trusted CA.
Overview
Sample output taking a custom CA in PEM format leveraging Python certifi
module that provides Mozilla’s Root Certificates for validation. This will append a corporate Trust CA which can add or minimize issues when connecting to devices that decrypt traffic in an Enterprise or SSL Certificats that are signed by an Enteprised managed system.
We also leverage the tempfile library
to use the system’s temp directory to write out the tempory CA that we can continue to reuse.
Sample Code
code snippit used when a certstore os path value is passed
import certifi, tempfile
from pathlib import Path
# converting certstore to string in order to support file location or Bool value
if certstore == 'False':
certstore = False
elif certstore == 'True' or certstore == None:
certstore = True
else:
if Path.exists(Path(certifi.where())) and Path.exists(Path(certstore)):
customca = Path(tempfile.gettempdir() + '/customca.pem')
with open(certifi.where(), 'r', encoding='utf-8') as ca:
ca_data = ca.read()
with open(certstore, 'r', encoding='utf-8') as ca:
custom_ca_data = ca.read()
ca_data += "\n# Issuer: CN=Company Root CA O=Company nv-sa OU=Root CA\n"
ca_data += custom_ca_data
with open(customca, 'w', encoding='utf-8') as f:
f.write(ca_data)
certstore = customca
print(f"Using certstore={certstore}")
else:
print("invalid certstore ")