The creation of User, Certificate and Signing of CSR for Lemur Certificate Manager

After the successful installation of Lemur certificate manager, CFSSL  Root Certification Authority (CA) was integrated with it. After the integration step, local CA was created using CFSSL plugin in the lemur. So, CFSSL is the root CA in our case. As we know that Lemur certificate manager is Python-based so in this article, our focus is to create different python scripts which will be useful for further development in the project. In this article, we will perform following scripts to interact with Lemur using the terminal. 

  • Creation of Authority using CFSSL in the Lemur GUI. This CFSSL Authority will be used in our scripts to generate the certificate. I have set title “myCA” of CFSSL authority in the GUI. This title “myCA”  will be used in the generation of certificates from the Lemur.

the creation of user certificate and signing of csr for lemur certificate manager

Using CFSSL plugin 

the creation of user certificate and signing of csr for lemur certificate manager 1

“myCA” shown in the list after creation. 

  • Using Python script to create a user with “Admin” role using Lemur API and request is sent in JSON format. (verify the result from the users page of Lemur GUI).
  • Creation of Certificate for the specified owner and user (Verify the result from the certificate page of lemur GUI).
  • private/public keys generation using Openssl in the terminal (commands are given below to generate the key pair and then CSR) and
  • then Use the CSR (cat the csr file) in the script to generate the certificate from the defined custom authority.


All python scripts will send a request in JSON format to the  Lemur platform, so please change parameters in the scripts as per your requirements. (like your name of CFSSL authority, user-name etc )


In the following script, json request will be sent to (IP address of the Lemur and CFSSL root CA). After the successful authentication, another request will be sent for the creation of the new user.


import json import requests
login = requests.request("POST","",data=json.dumps({'username': "lemur", 'password': "lemur"}),headers={'content-type': 'application/json'}) print login.json() Auth = {'Authorization': 'token %s' %login.json()["token"], 'content-type': 'application/json'}
test = requests.request("POST","",data=json.dumps({'username': "aa", 'aaa': "aaa" ,"email":"[email protected]","active": "true", "roles": [{'id':1}or{'name': 'myRole'}]}),headers=Auth)
print test.json()

In the following script, a request is sent to “myCA” authority to generate a new certificate for the user “aa”. 


import json
import requests
##username/password to login lemur to perform the desired action
login = requests.request("POST","",data=json.dumps({'username': "lemur", 'password': "lemur"}),headers={'content-type': 'application/json'})
print login.json() Auth = {'Authorization': 'token %s' %login.json()["token"], 'content-type': 'application/json'} cert_req = requests.request("POST","",data=json.dumps({"owner": "[email protected]","commonName": "","country": "AU","replacements": [{"id": 1 }],"notify": "true","validityEnd": "2026-01-01T08:00:00.000Z", "authority": {"name": "myCA" }, "organization": "test.", "location": "Los Gataaos", "state": "Caldifornia", "user": { "username": "aa","active": "true","email": "[email protected]"}, "roles": [{"id": 1, "description": "admin role", "name": "[email protected]"}],"validityStart": "2018-11-11T04:19:48.000Z","organizationalUnit": "Operations"}),headers=Auth)
print cert_req.json() --------------------------------------------------------------------------------------------------

The purpose of the following script is to sign the CSR from the CFSSL certification authority. Necessary commands of OpenSSL are given above to generate the csr for the script. 

The following command will be used to sign the custom CSR. This functionality is not provided in the Lemur GUI to sign the CSR using our locally setup CA. 

key pair generation command:

openssl genrsa -out test.key 2048

CSR creation using the above-generated test.key:

openssl req -new -sha256 -key test.key -out test.csr

Now use “cat” command to view the content of test.csr and copy it in the script to generate the certificate on the user-generated CSR. Important hint about the usage of CSR in the script is that to remove /r and use /n except between start/stop tags of CSR.


import json
import requests
##change username/password here
login = requests.request("POST","",data=json.dumps({'username': "lemur", 'password': "lemur"}),headers={'content-type': 'application/json'})
print login.json()
Auth = {'Authorization': 'token %s' %login.json()["token"], 'content-type': 'application/json'}
#it is working
csr_req = requests.request("POST","",data=json.dumps({"owner": "[email protected]","commonName": "","authority": {"name": "myCA" },"csr":"-----BEGIN CERTIFICATE REQUEST-----
\nMIICxzCCAa8CAQAwgYExCzAJBgNVBAYTAkFVMQ0wCwYDVQQIDARQQUtJMRIwEAYD\nVQQHDAlJU0xBTUFCQUQxDTALBgNVBAoMBElJSUkxDDAKBgNVBAsMA0dHRzEQMA4G\nA1UEAwwHdXNlcjEyMzEgMB4GCSqGSIb3DQEJARYRdXNlcjEyM0BnbWFpbC5jb20w\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzzV4H1epwXODPs9AkioTv\nQLRtea12vCbZJhKkH59hWhDMjqNRkh8qc4R9gk83lingdWK+L35OkGNi6DG9zseh\ncVRf68sNpTeFg+eXGRmEdTallBqPd5NS3JlMmXxbLEWrELiw4gPp3JpNAzoYZUxb\n4Uk4ho9EN8Fd1/lGmubvyvkYJ1mbpsK1LfaFohGYu+7nMvU4tn1Av/zyTGcIikVu\nU4UA23jKAMzjlSKdTJH/nmqvMi2wltRtb7DNpI/5HAancrnyEzeXC5IN+sPV/5oh\nxdxCyAkp1kDrWhC2yvoffzipoqEFESWmfFrJ8riTiQZqOIWqW+ZasZtu4GDqm4CL\nAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAH/PKs5kTmMPRW2Icy4Yj7vdzjpaA\n/r1glm0voMR5ytPo0+lXHDTQwt/1ObQvr8FnT2z8iqRvfXiv6WWruLzwEEVWsCFL\ny7RAa+K0wqP23CfxzCy/S4ZwCcR+wQb3UnWui8eMxgU1IBjupCR9kPFhL//aA+lm\njBi5YruBgX7MdlW+AlkuVDljzXm1orFYZFzS7OlybH5jh/B3Z2ygbC++Y24XI3qm\n5IYpsxFbOmrj7y3IXN/990305blCcKhpaG+FMTKhNqkXMYKYsZseIO3xdO4Ufjl/\nqS2jjsE1sFxmKbabhguhTT06oGimT+TbgoYVkc0DWhIdLcrOdxhGsFwdqg==\n-----END CERTIFICATE REQUEST-----"}),headers=Auth)
print csr_req.json()


In this article, different python scripts are written to interact with Lemur certificate manager project. These scripts will be helpful for the developers to use it from the CLI.  

نوشته های مشابه