Python client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.

Overview

Badges: Venafi | Apache 2.0 License | Community Supported | Compatible with TPP 17.3+ & VaaS
This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. We welcome and appreciate all contributions. Got questions or want to discuss something with our team? Join us on Slack!

VCert Python

VCert Python is a Python library and SDK designed to simplify key generation and enrollment of machine identities (also known as SSL/TLS certificates and keys) that comply with enterprise security policy by using the Venafi Trust Protection Platform or Venafi as a Service.

This implementation is based on the original Go library, https://github.com/Venafi/vcert.

Compatibility

VCert supports Python 3 and Python 2.7 (when the future module is installed). VCert releases are tested against the latest version of Trust Protection Platform. The latest VCert release should be compatible with Trust Protection Platform 17.3 or higher, based on the subset of API methods it consumes.

Installation

Get the library using pip:
pip install vcert

You also can install latest version from github:
pip install https://github.com/Venafi/vcert-python/archive/master.zip

If installation fails while collecting dependencies, make sure your Python setuptools is up to date. Run the following command to upgrade to the latest version of setuptools:
pip install setuptools -U

Usage example

For code samples of programmatic use, please review the files in /examples.

  • For Trust Protection Platform, the zone format is the DN of a policy with or without the "\VED\Policy" prefix (e.g. "\VED\Policy\Certificates\VCert" or simply "Certificates\VCert")
  • For Venafi as a Service, the zone format is the name of an OutagePREDICT Application and the API Alias of an Issuing Template assigned to it delimited by a single backslash character (e.g. "My Application\My CIT")
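The two zone formats above are easy to get wrong in configuration, and a bad zone only surfaces as an API error after authentication. The following is an added example (not code from the vcert-python project) that normalizes a TPP zone to its full policy DN and splits a VaaS zone into application and template alias; the case-insensitive prefix match and the Zone type are assumptions of this example.

```python
"""Normalize and validate VCert zone strings for TPP and Venafi as a Service."""
from dataclasses import dataclass
from typing import Optional

TPP_POLICY_ROOT = "\\VED\\Policy"   # the DN prefix that TPP zones may omit


@dataclass(frozen=True)
class Zone:
    platform: str                          # "tpp" or "vaas"
    policy_dn: Optional[str] = None        # TPP: full policy DN
    application: Optional[str] = None      # VaaS: OutagePREDICT Application name
    template_alias: Optional[str] = None   # VaaS: Issuing Template API alias


def parse_tpp_zone(zone: str) -> Zone:
    """Accept 'Certificates\\VCert' or '\\VED\\Policy\\Certificates\\VCert'
    and return the full policy DN. The prefix check is case-insensitive
    (assumption of this example: TPP DNs are not case-sensitive)."""
    parts = zone.strip().strip("\\").split("\\")
    if len(parts) >= 2 and [p.lower() for p in parts[:2]] == ["ved", "policy"]:
        parts = parts[2:]
    if not parts or any(not p.strip() for p in parts):
        raise ValueError(f"malformed TPP zone: {zone!r}")
    return Zone(platform="tpp", policy_dn=TPP_POLICY_ROOT + "\\" + "\\".join(parts))


def parse_vaas_zone(zone: str) -> Zone:
    """Split 'My Application\\My CIT' on the single backslash delimiter."""
    if zone.count("\\") != 1:
        raise ValueError(f"VaaS zone must be 'Application\\TemplateAlias': {zone!r}")
    app, alias = (s.strip() for s in zone.split("\\"))
    if not app or not alias:
        raise ValueError(f"VaaS zone has an empty component: {zone!r}")
    return Zone(platform="vaas", application=app, template_alias=alias)


def parse_zone(platform: str, zone: str) -> Zone:
    """Dispatch on the platform the connection targets."""
    if platform == "tpp":
        return parse_tpp_zone(zone)
    if platform == "vaas":
        return parse_vaas_zone(zone)
    raise ValueError(f"unknown platform: {platform!r}")


def is_valid_zone(platform: str, zone: str) -> bool:
    """Boolean form, useful for checking configuration before opening a connection."""
    try:
        parse_zone(platform, zone)
        return True
    except ValueError:
        return False
```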

Prerequisites for using with Trust Protection Platform

  1. A user account that has an authentication token with "certificate:manage,revoke" scope (i.e. access to the "Venafi VCert SDK" API Application as of 20.1) or has been granted WebSDK Access
  2. A folder (zone) where the user has been granted the following permissions: View, Read, Write, Create, Revoke (for the revoke action), and Private Key Read (for the pickup action when CSR is service generated)
  3. Policy applied to the folder which specifies:
    1. CA Template that Trust Protection Platform will use to enroll certificate requests submitted by VCert
    2. Subject DN values for Organizational Unit (OU), Organization (O), City (L), State (ST) and Country (C)
    3. Management Type not locked or locked to 'Enrollment'
    4. Certificate Signing Request (CSR) Generation not locked or locked to 'Service Generated CSR'
    5. Generate Key/CSR on Application not locked or locked to 'No'
    6. (Recommended) Disable Automatic Renewal set to 'Yes'
    7. (Recommended) Key Bit Strength set to 2048 or higher
    8. (Recommended) Domain Whitelisting policy appropriately assigned
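The scope in item 1 uses TPP's "resource:perm,perm;resource:perm" form. As an added example (not part of the project's code), the snippet below parses such a string and reports both entries that are missing for the actions you intend to run and entries granted beyond them, so a token can be scoped to the minimum; which entry each action needs is an assumption of this example, noted in the comments.

```python
"""Parse a TPP OAuth scope string and compare it with the actions VCert will run."""
from typing import Dict, Iterable, Set

# Scope entries each VCert action needs. Assumption for this example, taken from
# the README's "certificate:manage,revoke" requirement: enroll and pickup need
# certificate:manage, and revoke needs certificate:revoke.
REQUIRED_SCOPES: Dict[str, Set[str]] = {
    "enroll": {"certificate:manage"},
    "pickup": {"certificate:manage"},
    "revoke": {"certificate:revoke"},
}


def parse_scope(scope: str) -> Dict[str, Set[str]]:
    """'certificate:manage,revoke;configuration:manage' ->
    {'certificate': {'manage', 'revoke'}, 'configuration': {'manage'}}.
    Groups are ';'-separated; each group is resource ':' comma-separated permissions."""
    parsed: Dict[str, Set[str]] = {}
    for group in (g.strip() for g in scope.split(";")):
        if not group:
            continue
        if ":" not in group:
            raise ValueError(f"scope group lacks 'resource:permissions' form: {group!r}")
        resource, perms = group.split(":", 1)
        resource = resource.strip().lower()
        perm_set = {p.strip().lower() for p in perms.split(",") if p.strip()}
        if not resource or not perm_set:
            raise ValueError(f"empty resource or permission list in: {group!r}")
        parsed.setdefault(resource, set()).update(perm_set)
    return parsed


def _flatten(parsed: Dict[str, Set[str]]) -> Set[str]:
    """{'certificate': {'manage'}} -> {'certificate:manage'} for set arithmetic."""
    return {f"{res}:{perm}" for res, perms in parsed.items() for perm in perms}


def missing_scopes(scope: str, actions: Iterable[str]) -> Set[str]:
    """Entries the listed actions need but the granted scope does not carry."""
    granted = _flatten(parse_scope(scope))
    needed = set().union(*(REQUIRED_SCOPES[a] for a in actions))
    return needed - granted


def unneeded_scopes(scope: str, actions: Iterable[str]) -> Set[str]:
    """Entries granted beyond what the listed actions need (least-privilege check;
    e.g. configuration:manage is for policy management, not for enrollment)."""
    granted = _flatten(parse_scope(scope))
    needed = set().union(*(REQUIRED_SCOPES[a] for a in actions))
    return granted - needed
```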

The requirement for the CA Template to be assigned by policy follows a long-standing Venafi best practice, which also met our design objective of keeping the certificate request process simple for VCert users. If you require the ability to specify the CA Template with the request, you can use the TPP REST APIs, but please be advised that this goes against Venafi recommendations.

Prerequisites for using with Venafi as a Service

  1. The Venafi as a Service REST API is accessible at https://api.venafi.cloud from the system where VCert will be executed.
  2. You have successfully registered for a Venafi as a Service account, have been granted at least the "Resource Owner" role, and know your API key.
  3. A CA Account and Issuing Template exist and have been configured with:
    1. Recommended Settings values for:
      1. Organizational Unit (OU)
      2. Organization (O)
      3. City/Locality (L)
      4. State/Province (ST)
      5. Country (C)
    2. Issuing Rules that:
      1. (Recommended) Limits Common Name and Subject Alternative Name to domains that are allowed by your organization
      2. (Recommended) Restricts the Key Length to 2048 or higher
      3. (Recommended) Does not allow Private Key Reuse
  4. An Application exists where you are among the owners, and you know the Application Name.
  5. An Issuing Template is assigned to the Application, and you know its API Alias.

Contributing to VCert

Venafi welcomes contributions from the developer community.

  1. Fork it to your account (https://github.com/Venafi/vcert-python/fork)
  2. Clone your fork (git clone git@github.com:youracct/vcert-python.git)
  3. Create a feature branch (git checkout -b your-branch-name)
  4. Implement and test your changes
  5. Commit your changes (git commit -am 'Added some cool functionality')
  6. Push to the branch (git push origin your-branch-name)
  7. Create a new Pull Request (https://github.com/youracct/vcert-python/pull/new/your-branch-name)

NOTE: While developing with vcert-python, it is helpful to use a virtualenv and install the vcert-python library from source in development mode with pip install --editable. See https://packaging.python.org/guides/installing-using-pip-and-virtual-environments/

License

Copyright © Venafi, Inc. All rights reserved.

VCert is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Please direct questions/comments to [email protected].

Comments
  • Add support for UPN and URI SAN types

    Add support for UPN and URI SAN types

    This PR updates vcert-python to support additional SAN types, userPrincipalName and URL. The UPN extension was added per MS OID specifications. A fix to the tests was also made to ensure that custom extensions are added; the enroll method in test_e2e.py was not properly evaluating the connection type and was skipping the code that added custom extensions to CSR. Also made a minor update to the README to help developers that are actively updating vcert-python itself. Note: this was developed and tested in Python 3 only.

    opened by wgoulet 8
  • TPPTokenConnection not able to customize ClientID

    TPPTokenConnection not able to customize ClientID

    TPPTokenConnection always sends client_id value equal to vcert-sdk. Paul Cleary requested that our products use a different client_id value, for tracking purposes to tell which integrations are seeing the most use in your customer base.

    However, TPPTokenConnection does not allow customizing client_id. TPPTokenConnection's constructor creates an Authentication object with only very limited customization options. The client which constructs TPPTokenConnection is not able to customize the Authentication object's client_id option.

    bug 
    opened by FooBarWidget 2
  • TPPTokenConnection not able to customize OAuth scope

    TPPTokenConnection not able to customize OAuth scope

    PROBLEM SUMMARY TPPTokenConnection always uses the certificate:manage,revoke;configuration:manage scope when POSTing to /vedauth/authorize/oauth. This is hardcoded, as opposed to customizable.

    On my TPP this causes an authorization issue. I'm not able to authorize with my TPP until I remove the 'configuration:manage' scope.

    COMMENTS/WORKAROUNDS TPPTokenConnection's constructor creates an Authentication object with no way to customize its scope property. As a result, the Authentication object always uses the default SCOPE constant, whose value is certificate:manage,revoke;configuration:manage.

    bug 
    opened by FooBarWidget 2
  • Examples link on pypi not working

    Examples link on pypi not working

    PROBLEM SUMMARY The link to examples, https://pypi.org/examples, on https://pypi.org/project/vcert/ does not work. The same link from github's readme is fine.

    STEPS TO REPRODUCE Click the link :)

    EXPECTED RESULTS

    ACTUAL RESULTS

    ENVIRONMENT DETAILS

    COMMENTS/WORKAROUNDS

    bug 
    opened by gdbarron 1
  • Support for central key/CSR generation or Service generation through Venafi TPP

    Support for central key/CSR generation or Service generation through Venafi TPP

    BUSINESS PROBLEM Most of my customers Certificate solutions use central key/CSR generation. They would like to use vcert-python but this is a blocker for them to deploy to their teams.

    PROPOSED SOLUTION Adding Service Generated Keys/CSRs to vcert-Python

    CURRENT ALTERNATIVES Customer is either building the certs manually through Venafi TPP UI and importing the certs manually or using the API to generate and then retrieve the cert then manually install the cert.

    VENAFI EXPERIENCE My customer has been using Venafi for well over a decade and uses Venafi on a daily basis to service their entire certificate inventory.

    enhancement 
    opened by GeoffVenafi 1
  • Fix policy management for VaaS after Org Unit removed

    Fix policy management for VaaS after Org Unit removed

    The Org Unit construct was dropped from Venafi as a Service last week and since then the certificate policy assignment feature has not worked. This update addresses that.

    opened by tr1ck3r 0
  • Adding ability to disable subject fields for VaaS

    Adding ability to disable subject fields for VaaS

    The following fields can now be disabled when creating a Policy Specification on VaaS:

    • organization
    • organizational units
    • localities
    • states
    • countries

    To do so, an array with an empty string must be passed to the attribute, e.g.: { "subject": { "orgs": [ "" ], "orgUnits": [ "" ], "localities": [ "sample_locality" ] } }

    opened by rvelaVenafi 0
  • Adding support for PKCS1 format on private keys

    Adding support for PKCS1 format on private keys

    VaaS and TPP now default private key formats to PKCS8, a flag has been introduced allowing users to indicate they want the private key on the legacy PKCS1 format

    opened by rvelaVenafi 0
  • fix: remove infinite while loop and added error handling for retrieve_cert()

    fix: remove infinite while loop and added error handling for retrieve_cert()

    Working with TPP, trying to retrieve a non-existing cert would result in an infinite while loop with the following error message...

    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    

    Instead we now log the error once and raise a RetrieveCertificateNotFound error.

    opened by mowdash 0
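The behaviour this PR describes, as an added example that is not the project's code: a pickup loop that treats TPP's 'Error' body as terminal (logging it once and raising) and also gives up after a deadline instead of polling forever. The response shapes and the stand-in fetch function are assumptions of this example, marked in the comments.

```python
"""Bounded certificate pickup: stop on a terminal TPP error instead of retrying forever."""
import logging
import time
from typing import Any, Callable, Dict, List

log = logging.getLogger(__name__)


class RetrieveCertificateNotFound(Exception):
    """TPP reported that the requested certificate does not exist."""


class RetrieveCertificateTimeout(Exception):
    """The certificate was still not issued when the deadline passed."""


def retrieve_with_deadline(fetch: Callable[[], Dict[str, Any]], timeout_s: float,
                           poll_s: float = 1.0, clock=time.monotonic, sleep=time.sleep) -> str:
    """Poll `fetch` until a certificate is returned, a terminal error appears,
    or the deadline passes. Assumption: `fetch` returns the JSON body of a TPP
    retrieve call as a dict; an issued cert carries 'CertificateData', a terminal
    failure carries 'Error' (the body the original bug kept retrying on)."""
    deadline = clock() + timeout_s
    while True:
        body = fetch()
        if "CertificateData" in body:
            return body["CertificateData"]
        if "Error" in body:
            msg = str(body["Error"])
            log.error("TPP retrieve failed: %s", msg)      # log once, then stop
            if "does not exist" in msg:
                raise RetrieveCertificateNotFound(msg)
            raise RuntimeError(msg)
        if clock() >= deadline:
            raise RetrieveCertificateTimeout(f"certificate not issued within {timeout_s}s")
        sleep(poll_s)                                     # still pending: wait and retry


def _replay(responses: List[Dict[str, Any]]) -> Callable[[], Dict[str, Any]]:
    """Constructed stand-in for the TPP call: replays a fixed response sequence."""
    it = iter(responses)
    return lambda: next(it, responses[-1])


def demo_not_found() -> str:
    """Constructed: the error body quoted in the PR, returned on the first poll."""
    try:
        retrieve_with_deadline(_replay([{"Error": "Certificate test does not exist."}]),
                               timeout_s=5, sleep=lambda _: None)
    except RetrieveCertificateNotFound:
        return "not_found"
    return "unexpected"


def demo_pending_then_issued() -> str:
    """Constructed: two pending polls, then an issued certificate."""
    responses = [{"Status": "Pending"}, {"Status": "Pending"},
                 {"CertificateData": "PEM-PLACEHOLDER"}]
    return retrieve_with_deadline(_replay(responses), timeout_s=5, sleep=lambda _: None)


def demo_timeout() -> str:
    """Constructed: always pending, with a fake clock that advances 2s per read."""
    ticks = iter(range(0, 1000, 2))
    try:
        retrieve_with_deadline(_replay([{"Status": "Pending"}]), timeout_s=5,
                               clock=lambda: next(ticks), sleep=lambda _: None)
    except RetrieveCertificateTimeout:
        return "timeout"
    return "unexpected"
```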
  • Replicate the VCert-go GetZonesByParent() feature

    Replicate the VCert-go GetZonesByParent() feature

    From https://github.com/Venafi/vcert/pull/220 description.

    BUSINESS PROBLEM Both TPP and VaaS can support situations where multiple policies have been defined for use by a single consumer. For TPP, this is done by creating multiple child policy folders in a common parent policy folder. For VaaS, this is done by assigning multiple Issuing Templates to a single application.

    PROPOSED SOLUTION The new GetZonesByParent methods for TPP and VaaS allow VCert client SDK consumers to enumerate those policies (zones) rather than having to know them individually.

    enhancement 
    opened by marcos-albornoz 0
  • Implement missing operations on Fake Connector

    Implement missing operations on Fake Connector

    The FakeConnector class is missing several operations. These operations should be returning mockup data for testing or demoing purposes.

    The following operations need implementation:

    • renew_cert(self, request, reuse_key=False):
    • read_zone_conf(self, tag):
    • import_cert(self, request):
    • get_policy(self, zone):
    • set_policy(self, zone, policy_spec):
    • request_ssh_cert(self, request):
    • retrieve_ssh_cert(self, request):
    • retrieve_ssh_config(self, ca_request):
    opened by rvelaVenafi 0
  • Refactor and optimize code

    Refactor and optimize code

    @warrior-abhijit has suggested several changes to vcert-python code. We can address them together in one issue.

    switch case will be better here ? Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488175192

    address todo now ?? as these are lot of if, else in here Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488176457

    regex match API would be lot better here and will remove lot of duplicate code below w.r.t regex match Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488177162

    switch case may be here as well ? Originally posted by @warrior-abhijit in https://github.com/Venafi/vcert-python/pull/41#discussion_r488177862

    There is a handy Python wrapper called @property. This can be handy here. It would look like this:

        @property
        def base_url(self):
            # This is a getter
            return self._base_url

        @base_url.setter
        def base_url(self, value):
            # This is the setter method
            self._base_url = self._normalize_and_verify_base_url(value)

    It's nicer for refactoring and is pretty explicit. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r492452816

    How safe is it in this method to assume that these dictionary keys resolve? I'm new to this code, but I usually think thrice before trying to access a node in the dictionary without .get(). Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493173154

    Just a tidbit of input: Python string objects have a .startswith() method that's easier to read than a regex, although a regex works fine. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493173571

    No use in having a doc string if the parameters aren't described, IMO. Originally posted by @HELGAHR in https://github.com/Venafi/vcert-python/pull/41#discussion_r493174068

    enhancement 
    opened by rvelaVenafi 0
Releases(v0.15.0)
  • v0.15.0(May 17, 2022)

    • Support for contacts/owners when creating a policy on both TPP and VaaS
    • Support for legacy PKCS1 format on private keys when requesting a certificate
    • Support for SANs: email, IP, URI when creating a policy on VaaS
    • Ability to disable Subject fields on VaaS: organizations, org units, localities, states, countries
    • Support for EC private keys on VaaS
    • Support for Service generated related attributes on VaaS
  • v0.14.0(Feb 4, 2022)

    • Dropped support for Python 2 as it has reached end of life. New baseline is Python 3.6 and higher.
    • Added integration with sonarcloud for test coverage.
    • Added version history file.
    • Added test cases for json/yaml file parsing.
    • Minor issues fixed.
  • v0.13.2(Dec 7, 2021)

    • Added the ability to fill up the empty attributes of the certificate request with the default values of the policy/zone where the certificate is going to be created. Supported values: organization, organizational units, locality, state, country
  • v0.13.1(Nov 30, 2021)

  • v0.13.0(Nov 30, 2021)

  • v0.12.5(Oct 30, 2021)

  • v0.12.4(Oct 12, 2021)

    • Support for PKCS12 has been added to the response certificate. Calling certificate.as_pkcs12("password") shall return the certificate content as PKCS12.
    • Support for flexible validity periods has been added. Setting request.validity_hours = 144 will create a certificate with the specified expiration time period. Additionally, an issuer can be defined for TPP with request.issuer_hint = IssuerHint.MICROSOFT (or any value available on the IssuerHint object).
  • v0.12.3(Sep 29, 2021)

  • v0.12.2(Sep 27, 2021)

  • v0.12.1(Sep 2, 2021)

    • Removed 'keyReuse' attribute for policy specification creation on VaaS.
    • Fixed an issue where URL validation failed for URLs containing upper-case characters.
  • v0.12.0(Aug 17, 2021)

    Added support for SSH certificates in Trust Protection Platform through the new methods: request_ssh_cert() and retrieve_ssh_cert(). For usage examples check: https://github.com/Venafi/vcert-python/tree/master/examples/ssh_certificates

  • v0.11.2(Jul 29, 2021)

  • v0.11.1(Jul 14, 2021)

    • Policy Management token scope separated from Certificate Management scope. Certificate Management scope is now the default.
    • Fixed an issue where retrieving a policy from VaaS returned the domain values with appended regexes if the policy was created using any of the VCert SDKs. This issue does not occur if the policy was created using the VaaS UI.
    • Fixed an issue where the Country regexes were being returned as the CN regexes when retrieving a policy from VaaS.
    • Fixed an issue where certificates requested from VaaS would fail to be retrieved even when the status of the certificate was ISSUED. A timeout has been added to the request, so the SDK will keep trying to retrieve the certificate for that long before failing.
  • v0.11.0(May 12, 2021)

    Added Certificate Policy Management for Trust Protection Platform and Venafi as a Service through the new set_policy() and get_policy() methods of the CloudConnection, TPPConnection and TPPTokenConnection classes. For a usage example see https://github.com/Venafi/vcert-python/blob/master/examples/set_policy.py

  • v0.10.0(Jan 23, 2021)

    This release updates the Venafi Cloud integration to use OutagePREDICT instead of DevOpsACCELERATE. The only impact to Venafi Cloud users of VCert-Python is the change in zone syntax. The zone is now "{ApplicationName}\{IssuingTemplateApiAlias}" (e.g. "My Application\My CIT").

  • v0.9.1(Dec 15, 2020)

  • v0.9.0(Sep 30, 2020)

  • v0.8.0(Apr 10, 2020)

  • v0.7.4(Jan 14, 2020)

  • v0.7.0(Nov 20, 2019)

  • v0.6.9(Nov 18, 2019)

  • v0.6.7(Oct 29, 2019)

  • csr-fix(Sep 11, 2019)

  • v0.3.1(Jan 11, 2019)

  • v0.3.0(Jan 10, 2019)
