PKI with OpenSSL: Howto using Jupyter Notebook

Published by Tobias Hofmann on

2 min read

From time to time I have to create a PKI with a root and intermediate CA. As I do not want to have to search for the correct commands, I created a setup for OpenSSL and a Jupyter notebook that guides me through the steps. This allows me to go through the setup process for a PKI in a few seconds. To validate the PKI, I included a section to issue a new server certificate as well as to validate it.

In this blog I’ll explain how you can get the Jupyter notebook working as well as how to notebook works.

Create Jupyter Lab instance

My Jupyter Notebook is available in my GitLab repository. I used the Jupyter minimal-notebook and the labs version. To start a Docker container with this setup:

docker run -p 8888:8888 -e JUPYTER_ENABLE_LAB=yes jupyter/minimal-notebook

Load Jupyter Notebook

Download the notebook from GitLab. Open Jupyter and upload my notebook.

The notebook is named PKI.

Run notebook and create PKI

Open it. It contains the git command to clone my other repository with the OpenSSL configuration. The description guides you through the steps to run the necessary OpenSSL commands to setup a Root CA and Intermediate CA as well as issue a new server request.

The sections include:

  • Root CA
  • Intermediate CA
  • Create server certificate
  • Validation
  • Cleanup

When running the commands, a new folder pki is created. Inside this folder, all PKI files for Root CA and Intermediate CA are stored. Both CAs have their own OpenSSL configuration file .cnf. As some parameters in this file depend on the path, an environment variable is used to make it work in Jupyter:

%env ROOTCA=pki/rootca
%env INTCA=pki/intermediate

Note: This is needed as the underlying repository for the OpenSSL PKI is also meant to work outside Jupyter. A user can clone the repo and create a PKI running the commands in the shell.

The PKI certificates can be downloaded and used in your Dev / Test environment. Using the example provided in the create server certificate section, you can upload you own CSR and sign it. Issuing the PKI to a different subject (CN) is not a problem, as you can change the parameter. Have fun creating your own PKI or maybe understand better how a PKI works.

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


X509 based logon – 2 - Add CA certificates to PSE | It's full of stars! · July 8, 2020 at 10:45

[…] trust needed for X.509 based user logon, import the certificates of the issuing PKI. In my case, I do have a root CA and intermediate CA. I’ll have to import both certificates to ensure that NW can validate the complete certificate […]

X509 based logon - 3 - Create a user certificate | It's full of stars! · July 10, 2020 at 09:00

[…] is issued by the intermediate CA. Create a CSR for a user and let the intermediate CA sign it. Following my own blogs, I get a certificate named: tobias.crt.pem. Following commands assume that you are using my CA […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.