crypto — Generic cryptographic module


pyca/cryptography is likely a better choice than using this module. It contains a complete set of cryptographic primitives as well as a significantly better and more powerful X509 API. If necessary you can convert to and from cryptography objects using the to_cryptography and from_cryptography methods on X509, X509Req, CRL, and PKey.

Elliptic curves

Serialization and deserialization

The following serialization functions take one of these constants to determine the format.


FILETYPE_PEM serializes data to a Base64-encoded encoded representation of the underlying ASN.1 data structure. This representation includes delimiters that define what data structure is contained within the Base64-encoded block: for example, for a certificate, the delimiters are -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.


FILETYPE_ASN1 serializes data to the underlying ASN.1 data structure. The format used by FILETYPE_ASN1 is also sometimes referred to as DER.


Certificate signing requests

Private keys

Public keys

Certificate revocation lists

Signing and verifying signatures

X509 objects

X509Name objects

X509Req objects

X509Store objects

X509StoreContextError objects

X509StoreContext objects

X509StoreFlags constants

PKey objects


Key type constants.

PKCS7 objects

PKCS7 objects have the following methods:

PKCS12 objects

X509Extension objects

NetscapeSPKI objects

CRL objects

Revoked objects


exception OpenSSL.crypto.Error

Generic exception used in the crypto module.

Digest names

Several of the functions and methods in this module take a digest name. These must be strings describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, b"sha256" or b"sha384".

More information and a list of these digest names can be found in the EVP_DigestInit(3) man page of your OpenSSL installation. This page can be found online for the latest version of OpenSSL: