Python client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.


Venafi | Apache 2.0 License | Community Supported | Compatible with TPP 17.3+ & VaaS
This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. We welcome and appreciate all contributions. Got questions or want to discuss something with our team? Join us on Slack!

VCert Python

VCert Python is a Python library and SDK designed to simplify key generation and enrollment of machine identities (also known as SSL/TLS certificates and keys) that comply with enterprise security policy by using the Venafi Trust Protection Platform or Venafi as a Service.

This implementation is based on the original Go library,


VCert supports Python 3, and Python 2.7 (when the future module is installed). VCert releases are tested using the latest version of Trust Protection Platform. The latest VCert release should be compatible with Trust Protection Platform 17.3 or higher based on the subset of API methods it consumes.


Get the library using pip:
pip install vcert

You can also install the latest version from GitHub:
pip install

If installation fails while collecting dependencies, make sure your Python setuptools is up to date. Run the following command to upgrade to the latest version of setuptools:
pip install setuptools -U

Usage example

For code samples of programmatic use, please review the files in /examples.

  • For Trust Protection Platform, the zone format is the DN of a policy with or without the "\VED\Policy" prefix (e.g. "\VED\Policy\Certificates\VCert" or simply "Certificates\VCert")
  • For Venafi as a Service, the zone format is the name of an OutagePREDICT Application and the API Alias of an Issuing Template assigned to it delimited by a single backslash character (e.g. "My Application\My CIT")
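A pre-flight check for the two zone formats above, added here as an example (it is not code from VCert). The function names are hypothetical, and matching the \VED\Policy prefix case-insensitively is an assumption.

```python
TPP_ROOT = ["VED", "Policy"]  # root of every TPP policy DN: \VED\Policy


def _segments(zone, allow_leading_backslash):
    """Split a zone on backslashes; reject damaged or empty segments."""
    if any(ord(ch) < 32 for ch in zone):
        # "Certificates\team" typed without r"" holds a TAB, not backslash + t.
        raise ValueError("control character in zone; write it as a raw string")
    zone = zone.strip()
    if zone.startswith("\\"):
        if not allow_leading_backslash:
            raise ValueError("zone must not start with a backslash")
        zone = zone[1:]
    parts = [p.strip() for p in zone.split("\\")]
    if not all(parts):
        raise ValueError("empty segment (doubled, trailing or missing backslash)")
    return parts


def normalize_tpp_zone(zone):
    """Return the full policy DN whether or not the prefix was supplied."""
    parts = _segments(zone, allow_leading_backslash=True)
    # Assumption: the prefix is matched case-insensitively.
    if [p.lower() for p in parts[:2]] == [p.lower() for p in TPP_ROOT]:
        parts = parts[2:]
    return "\\" + "\\".join(TPP_ROOT + parts)


def split_vaas_zone(zone):
    """Return (application name, issuing template API alias)."""
    parts = _segments(zone, allow_leading_backslash=False)
    if len(parts) != 2:
        raise ValueError("expected exactly one backslash: Application\\API Alias")
    return parts[0], parts[1]


if __name__ == "__main__":
    print(normalize_tpp_zone(r"Certificates\VCert"))
    print(split_vaas_zone(r"My Application\My CIT"))
```

Zones read from configuration files or environment variables do not go through Python escape processing; the control-character check matters for zones written as string literals in source code.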

Prerequisites for using with Trust Protection Platform

  1. A user account that has an authentication token with "certificate:manage,revoke" scope (i.e. access to the "Venafi VCert SDK" API Application as of 20.1) or has been granted WebSDK Access
  2. A folder (zone) where the user has been granted the following permissions: View, Read, Write, Create, Revoke (for the revoke action), and Private Key Read (for the pickup action when CSR is service generated)
  3. Policy applied to the folder which specifies:
    1. CA Template that Trust Protection Platform will use to enroll certificate requests submitted by VCert
    2. Subject DN values for Organizational Unit (OU), Organization (O), City (L), State (ST) and Country (C)
    3. Management Type not locked or locked to 'Enrollment'
    4. Certificate Signing Request (CSR) Generation not locked or locked to 'Service Generated CSR'
    5. Generate Key/CSR on Application not locked or locked to 'No'
    6. (Recommended) Disable Automatic Renewal set to 'Yes'
    7. (Recommended) Key Bit Strength set to 2048 or higher
    8. (Recommended) Domain Whitelisting policy appropriately assigned

The requirement for the CA Template to be assigned by policy follows a long-standing Venafi best practice, which also met our design objective to keep the certificate request process simple for VCert users. If you require the ability to specify the CA Template with the request, you can use the TPP REST APIs, but please be advised this goes against Venafi recommendations.
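An added example (not part of VCert) that compares a scope string against the "certificate:manage,revoke" scope named in prerequisite 1, so an integration can spot privileges it requests but does not need. It assumes the resource:privilege,privilege;resource:privilege layout of the scope strings quoted on this page; the function names are hypothetical.

```python
REQUIRED_SCOPE = "certificate:manage,revoke"  # from prerequisite 1


def parse_scope(scope):
    """Turn 'res:priv,priv;res2:priv' into {resource: set(privileges)}."""
    parsed = {}
    for item in scope.split(";"):
        item = item.strip()
        if not item:
            continue
        resource, _, privs = item.partition(":")
        resource = resource.strip().lower()
        if not resource:
            raise ValueError("scope item without a resource: %r" % item)
        # Assumption: a bare resource (no ':') carries an empty privilege set.
        parsed.setdefault(resource, set()).update(
            p.strip().lower() for p in privs.split(",") if p.strip()
        )
    return parsed


def _difference(left, right):
    """Resources/privileges present in `left` but absent from `right`."""
    diff = {}
    for resource, privs in left.items():
        extra = privs - right.get(resource, set())
        if resource not in right or extra:
            diff[resource] = extra
    return diff


def excess_scope(granted, required=REQUIRED_SCOPE):
    """Privileges granted beyond what the integration needs."""
    return _difference(parse_scope(granted), parse_scope(required))


def missing_scope(granted, required=REQUIRED_SCOPE):
    """Privileges the integration needs but the scope string lacks."""
    return _difference(parse_scope(required), parse_scope(granted))


if __name__ == "__main__":
    combined = "certificate:manage,revoke;configuration:manage"
    print("excess :", excess_scope(combined))
    print("missing:", missing_scope("certificate:manage"))
```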

Prerequisites for using with Venafi as a Service

  1. The Venafi as a Service REST API is accessible at from the system where VCert will be executed.
  2. You have successfully registered for a Venafi as a Service account, have been granted at least the "Resource Owner" role, and know your API key.
  3. A CA Account and Issuing Template exist and have been configured with:
    1. Recommended Settings values for:
      1. Organizational Unit (OU)
      2. Organization (O)
      3. City/Locality (L)
      4. State/Province (ST)
      5. Country (C)
    2. Issuing Rules that:
      1. (Recommended) Limits Common Name and Subject Alternative Name to domains that are allowed by your organization
      2. (Recommended) Restricts the Key Length to 2048 or higher
      3. (Recommended) Does not allow Private Key Reuse
  4. An Application exists where you are among the owners, and you know the Application Name.
  5. An Issuing Template is assigned to the Application, and you know its API Alias.

Contributing to VCert

Venafi welcomes contributions from the developer community.

  1. Fork it to your account (
  2. Clone your fork (git clone [email protected]:youracct/vcert-python.git)
  3. Create a feature branch (git checkout -b your-branch-name)
  4. Implement and test your changes
  5. Commit your changes (git commit -am 'Added some cool functionality')
  6. Push to the branch (git push origin your-branch-name)
  7. Create a new Pull Request (

NOTE: While developing with vcert-python, it is helpful if you are using a virtualenv to install the vcert-python library from source in development mode with pip install --editable. See


Copyright © Venafi, Inc. All rights reserved.

VCert is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Please direct questions/comments to [email protected].

  • Add support for UPN and URI SAN types

    This PR updates vcert-python to support additional SAN types, userPrincipalName and URL. The UPN extension was added per MS OID specifications. A fix to the tests was also made to ensure that custom extensions are added; the enroll method in was not properly evaluating the connection type and was skipping the code that added custom extensions to CSR. Also made a minor update to the README to help developers that are actively updating vcert-python itself. Note: this was developed and tested in Python 3 only.

    opened by wgoulet 8
  • TPPTokenConnection not able to customize ClientID

    TPPTokenConnection always sends client_id value equal to vcert-sdk. Paul Cleary requested that our products use a different client_id value, for tracking purposes to tell which integrations are seeing the most use in your customer base.

    However, TPPTokenConnection does not allow customizing client_id. TPPTokenConnection's constructor creates an Authentication object with only very limited customization options. The client which constructs TPPTokenConnection is not able to customize the Authentication object's client_id option.

    opened by FooBarWidget 2
  • TPPTokenConnection not able to customize OAuth scope

    PROBLEM SUMMARY TPPTokenConnection always uses the certificate:manage,revoke;configuration:manage scope when POSTing to /vedauth/authorize/oauth. This is hardcoded, as opposed to customizable.

    On my TPP this causes an authorization issue. I'm not able to authorize with my TPP until I remove the 'configuration:manage' scope.

    COMMENTS/WORKAROUNDS TPPTokenConnection's constructor creates an Authentication object with no way to customize its scope property. As a result, the Authentication object always uses the default SCOPE constant, whose value is certificate:manage,revoke;configuration:manage.

    opened by FooBarWidget 2
  • Examples link on pypi not working

    PROBLEM SUMMARY The link to examples,, on does not work. The same link from github's readme is fine.

    STEPS TO REPRODUCE Click the link :)





    opened by gdbarron 1
  • Support for central key/CSR generation or Service generation through Venafi TPP

    BUSINESS PROBLEM Most of my customers Certificate solutions use central key/CSR generation. They would like to use vcert-python but this is a blocker for them to deploy to their teams.

    PROPOSED SOLUTION Adding Service Generated Keys/CSRs to vcert-Python

    CURRENT ALTERNATIVES Customer is either building the certs manually through Venafi TPP UI and importing the certs manually or using the API to generate and then retrieve the cert then manually install the cert.

    VENAFI EXPERIENCE My customer has been using Venafi for well over a decade and uses Venafi on a daily basis to service their entire certificate inventory.

    opened by GeoffVenafi 1
  • Fix policy management for VaaS after Org Unit removed

    The Org Unit construct was dropped from Venafi as a Service last week and since then the certificate policy assignment feature has not worked. This update addresses that.

    opened by tr1ck3r 0
  • Adding ability to disable subject fields for VaaS

    The following fields can now be disabled when creating a Policy Specification on VaaS:

    • organization
    • organizational units
    • localities
    • states
    • countries

    To do so, an array with an empty string must be passed to the attribute, e.g.:

        { "subject": { "orgs": [ "" ], "orgUnits": [ "" ], "localities": [ "sample_locality" ] } }

    opened by rvelaVenafi 0
  • Adding support for PKCS1 format on private keys

    VaaS and TPP now default private key formats to PKCS8; a flag has been introduced allowing users to indicate they want the private key in the legacy PKCS1 format.

    opened by rvelaVenafi 0
  • fix: remove infinite while loop and added error handling for retrieve_cert()

    Working with TPP, trying to retrieve a non-existing cert would result in an infinite while loop with the following error message...

    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}

    Instead we now log the error once and raise a RetrieveCertificateNotFound error.

    opened by mowdash 0
  • Replicate the VCert-go GetZonesByParent() feature

    From description.

    BUSINESS PROBLEM Both TPP and VaaS can support situations where multiple policies have been defined for use by a single consumer. For TPP, this is done by creating multiple child policy folders in a common parent policy folder. For VaaS, this is done by assigning multiple Issuing Templates to a single application.

    PROPOSED SOLUTION The new GetZonesByParent methods for TPP and VaaS allow VCert client SDK consumers to enumerate those policies (zones) rather than having to know them individually.

    opened by marcos-albornoz 0
  • Implement missing operations on Fake Connector

    The FakeConnector class is missing several operations. These operations should be returning mockup data for testing or demoing purposes.

    The following operations need implementation:

    • renew_cert(self, request, reuse_key=False):
    • read_zone_conf(self, tag):
    • import_cert(self, request):
    • get_policy(self, zone):
    • set_policy(self, zone, policy_spec):
    • request_ssh_cert(self, request):
    • retrieve_ssh_cert(self, request):
    • retrieve_ssh_config(self, ca_request):
    opened by rvelaVenafi 0
  • Refactor and optimize code

    @warrior-abhijit has suggested several changes to vcert-python code. We can address them together in one issue.

    switch case will be better here ? Originally posted by @warrior-abhijit in

    address todo now ?? as these are lot of if, else in here Originally posted by @warrior-abhijit in

    regex match API would be lot better here and will remove lot of duplicate code below w.r.t regex match Originally posted by @warrior-abhijit in

    switch case may be here as well ? Originally posted by @warrior-abhijit in

    There is a handy Python wrapper called @property. This can be handy here. It would look like this:

        @property
        def base_url(self):
            # This is a getter
            return self._base_url

        @base_url.setter
        def base_url(self, value):
            # This is the setter method
            self._base_url = self._normalize_and_verify_base_url(value)

    It's nicer for refactoring and is pretty explicit. Originally posted by @HELGAHR in

    How safe is it in this method to assume that these dictionary keys resolve? I'm new to this code, but I usually think thrice before trying to access a node in the dictionary without .get(). Originally posted by @HELGAHR in

    Just a tidbit of input: Python string objects have a .startswith() method that's easier to read than a regex, although a regex works fine. Originally posted by @HELGAHR in

    No use in having a doc string if the parameters aren't described, IMO. Originally posted by @HELGAHR in

    opened by rvelaVenafi 0
  • v0.15.0(May 17, 2022)

    • Support for contacts/owners when creating a policy on both TPP and VaaS
    • Support for legacy PKCS1 format on private keys when requesting a certificate
    • Support for SANs: email, IP, URI when creating a policy on VaaS
    • Ability to disable Subject fields on VaaS: organizations, org units, localities, states, countries
    • Support for EC private keys on VaaS
    • Support for Service generated related attributes on VaaS
  • v0.14.0(Feb 4, 2022)

    • Dropped support for Python 2 as it has reached end of life. New baseline is Python 3.6 and higher.
    • Added integration with sonarcloud for test coverage.
    • Added version history file.
    • Added test cases for json/yaml file parsing.
    • Minor issues fixed.
  • v0.13.2(Dec 7, 2021)

    • Added the ability to fill up the empty attributes of the certificate request with the default values of the policy/zone where the certificate is going to be created. Supported values: organization, organizational units, locality, state, country
  • v0.13.1(Nov 30, 2021)

  • v0.13.0(Nov 30, 2021)

  • v0.12.5(Oct 30, 2021)

  • v0.12.4(Oct 12, 2021)

    • Support for PKCS12 has been added to the response certificate. Calling certificate.as_pkcs12("password") shall return the certificate content as PKCS12.
    • Support for flexible validity periods has been added. Setting request.validity_hours = 144 will create a certificate with the specified expiration time period. Additionally, an issuer can be defined for TPP with request.issuer_hint = IssuerHint.MICROSOFT (or any value available on the IssuerHint object).
  • v0.12.3(Sep 29, 2021)

  • v0.12.2(Sep 27, 2021)

  • v0.12.1(Sep 2, 2021)

    • Removed 'keyReuse' attribute for policy specification creation on VaaS.
    • Fixed an issue in the URL validation that failed for URLs containing uppercase characters.
  • v0.12.0(Aug 17, 2021)

    Added support for SSH certificates in Trust Protection Platform through the new methods: request_ssh_cert() and retrieve_ssh_cert(). For usage examples check:

  • v0.11.2(Jul 29, 2021)

  • v0.11.1(Jul 14, 2021)

    • Policy Management token scope separated from Certificate Management scope. Certificate Management scope is now default.
    • Fixed an issue where retrieving a policy from VaaS returned the domains values with appended regexes if the Policy was created using any of the vcert sdks. This issue does not happen if the policy was created using VaaS UI.
    • Fixed an issue where the Country regexes were being returned as the CN regexes when retrieving a Policy from VaaS.
    • Fixed an issue where certificates requested from VaaS would fail to be retrieved even when the status of the Certificate is ISSUED. A timeout has been added to the request, so the sdk will try to retrieve the Certificate for that long before failing.
  • v0.11.0(May 12, 2021)

    Added Certificate Policy Management for Trust Protection Platform and Venafi as a Service through the new set_policy() and get_policy() methods of the CloudConnection, TPPConnection and TPPTokenConnection classes. For a usage example see

  • v0.10.0(Jan 23, 2021)

    This release updates the Venafi Cloud integration to use OutagePREDICT instead of DevOpsACCELERATE. The only impact to Venafi Cloud users of VCert-Python is the change in zone syntax. The zone is now "{ApplicationName}\{IssuingTemplateApiAlias}" (e.g. "My Application\My CIT").

  • v0.9.1(Dec 15, 2020)

  • v0.9.0(Sep 30, 2020)

  • v0.8.0(Apr 10, 2020)

  • v0.7.4(Jan 14, 2020)

  • v0.7.0(Nov 20, 2019)

  • v0.6.9(Nov 18, 2019)

  • v0.6.7(Oct 29, 2019)

  • csr-fix(Sep 11, 2019)

  • v0.3.1(Jan 11, 2019)

  • v0.3.0(Jan 10, 2019)
