Closed mithrandi closed 8 years ago
why can't certcreate use Cryptography?
@glyph: certcreate does not currently provide an interface that's particularly suitable for use as a library (the way it's invoked is basically just calling the main function pretending to invoke it at the command line; the module is named epsilon.scripts.certcreate, after all). It would be possible to introduce such an interface, and try to improve the behaviour when used this way... but certcreate is essentially just a thing that translates some command line arguments into a call to twisted.internet.ssl.KeyPair.generate().selfSignedCert() and I don't think that turning it into a "real library" is really the direction we want to go with it.

I would suggest that it should be deprecated, but I think Mantissa is probably the only thing trying to use it as a library, and it still has some value as a standalone command line tool (which is what it was intended as in the first place, as far as I can tell). However, if we want to look at improving this functionality in a library setting, I think twisted.internet.ssl is the place to do it (although I think that discussion should wait until cryptography and pyopenssl are more closely aligned in their APIs, so that compatibility with the objects from both libraries is more easily achieved).
@mithrandi: OK, I pretty much agree with all that. "Let's improve twisted.internet.ssl" is definitely where I was going with that comment, for sure :)
@glyph: Are you saying this ticket is blocked on getting improvements into twisted.internet.ssl? I'd like it if we didn't have to wait for that to get Mantissa to generate nicer certs (e.g. ones that have subjectAltName) out of the box.
@glyph: Ah, no, I guess you're not saying that at all, I only read your comment on #44 now :)
certcreate kinda sucks (and has a bug that affects this code on pypy), we should just use cryptography.x509.
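<br/>
What "generate nicer certs with subjectAltName via cryptography.x509" looks like in practice, as an added example that is not code from the epsilon or Mantissa projects: a self-signed leaf certificate carrying a SAN extension plus a check that reads it back. The hostnames and validity period are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding


def make_self_signed(hostnames, days=365):
    """Return (private_key, certificate) for a self-signed server cert.

    Unlike a CN-only cert, every hostname lands in subjectAltName, which is
    what modern TLS clients actually match against.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostnames[0])])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                       # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))   # tolerate clock skew
        .not_valid_after(now + timedelta(days=days))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(h) for h in hostnames]),
            critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def san_dns_names(cert):
    """DNS names from the SAN extension, as a TLS client would read them."""
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


def verify_self_signature(cert):
    """True if the cert's own public key validates its signature."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def to_pem(key, cert):
    """Key + cert as one PEM blob (the format Twisted's loadPEM consumes)."""
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.TraditionalOpenSSL,
                             serialization.NoEncryption()) + \
        cert.public_bytes(serialization.Encoding.PEM)
```

The PEM returned by to_pem can be handed to twisted.internet.ssl.PrivateCertificate.loadPEM, so the Twisted side needs no changes to consume a cryptography-generated certificate.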