I'm working within the Google App Engine (GAE) Python 2.7 runtime.
I need to sign (and potentially also generate) an X509 certificate (.csr).
I found several guides that rely on PyOpenSSL.
As I understand it, PyOpenSSL is a wrapper around OpenSSL and not available in App Engine.
Pycrypto is available, but does not have a clear pre-built signing method for X509.
How can I sign an X509 .csr using only python?
Can I sign an X509 certificate entirely in Python?
Almost certainly, but I don't think there are any existing pure Python implementations available. The closest I could find is oscrypto, but being able to sign an X509 certificate depends on having the ctypes module available.
The author has also written a module called certbuilder, which claims to be a "Python library for generating and signing X.509 certificates", but it depends on the oscrypto module.
However, the real question sounds more like...
Can I sign an X509 certificate on a Google App Engine Python Standard Environment?
In this case, the oscrypto module probably won't help, since, according to the docs, the environment doesn't allow usage of the ctypes module.
You do have access to the PyCrypto module, and although there is a Python example of reading an X509 certificate using it, and a C++ example of verifying an X509 certificate, the Python bindings don't seem to have complete support for encoding and decoding ASN.1. You might be able to combine PyCrypto with asn1crypto (by the same author as oscrypto) for full ASN.1 support.
If none of these solutions are of any use, then either a GAE Python Flexible Environment or a GAE Custom Runtime ought to let you install the PyOpenSSL package, but you'd have to contact their tech support team to find out.
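What the ASN.1 encoding and signing steps discussed above amount to, as an added example (not code from either answer, and not the API of PyCrypto, asn1crypto or oscrypto): it goes beyond the answer by hand-encoding a minimal v1 certificate with only the Python 3.8+ standard library. All function names are illustrative, and the RSA key is constructed from two Mersenne primes so the block runs offline; it is trivially factorable and for demonstration only.

```python
import hashlib

# Constructed demo key from two Mersenne primes: trivially factorable, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus size in bytes

def tlv(tag, body):
    """DER tag-length-value with a definite length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def seq(*parts): return tlv(0x30, b"".join(parts))
def integer(v): return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def bitstr(b): return tlv(0x03, b"\x00" + b)   # leading byte: 0 unused bits

# AlgorithmIdentifier = SEQUENCE { OID, NULL }, given as pre-encoded DER.
SHA256_RSA = seq(bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
RSA_ENC = seq(bytes.fromhex("06092a864886f70d0101010500"))     # rsaEncryption
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 prefix

def name(cn):
    """Name holding a single commonName (2.5.4.3) encoded as UTF8String."""
    return seq(tlv(0x31, seq(bytes.fromhex("0603550403"), tlv(0x0C, cn.encode()))))

def spki(n, e):
    """SubjectPublicKeyInfo for an RSA key; a CA copies this from the CSR."""
    return seq(RSA_ENC, bitstr(seq(integer(n), integer(e))))

def emsa(msg):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), exactly K bytes long."""
    t = DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rsa_sign(msg):
    return pow(int.from_bytes(emsa(msg), "big"), D, N).to_bytes(K, "big")

def rsa_verify(msg, sig):
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big") == emsa(msg)

def issue_cert(serial, issuer_cn, subject_cn, subject_spki, not_before, not_after):
    """Build a v1 TBSCertificate, sign its DER bytes, return (certificate, tbs)."""
    utc = lambda s: tlv(0x17, s.encode())   # UTCTime "YYMMDDHHMMSSZ"
    tbs = seq(integer(serial), SHA256_RSA, name(issuer_cn),
              seq(utc(not_before), utc(not_after)), name(subject_cn), subject_spki)
    return seq(tbs, SHA256_RSA, bitstr(rsa_sign(tbs))), tbs
```

The signature covers exactly the DER bytes of the TBSCertificate, so any re-encoding of those fields invalidates it. A CA signing a CSR would first verify the CSR's own signature before copying its subject and public key into `issue_cert`.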
I may have found a solution:
Cryptography.io is entirely python based and even offers a tutorial on how to self sign a cert.
Happy to hear other answers.