Reusable ACME and STIR/SHAKEN certificate issuance toolkit
Project description
STIR/SHAKEN Toolkit
Reusable Python tooling for STIR/SHAKEN certificate work:
- Local utilities for CSRs, fingerprints, certificate validation, and STI-PA SPC tokens.
- A Peeringhub ACME workflow for issuing STIR/SHAKEN certificates.
- Python modules that can be reused by higher-level automation.
The package is split into three layers:
- acme_core: provider-neutral RFC 8555 ACME primitives.
- stir_shaken_acme: STIR/SHAKEN-specific TNAuthList, STI-PA, CSR, fingerprint, issuance, and validation helpers.
- stir_shaken_toolkit.providers.peeringhub: Peeringhub profile defaults and issuance convenience APIs.
Install
From the repository root:
python -m pip install -e .
Quick Start
Most operators using Peeringhub need four groups of values:
- STI-PA credentials: STIPA_USER_ID, STIPA_PASSWORD, and STIPA_SP_ID.
- The service provider code: STIPA_SPC.
- The Peeringhub ACME key identifier, when Peeringhub provides one: ACME_KID.
- X.509 subject details such as organization, state, locality, and country.
Values can be supplied as CLI arguments, YAML config, or environment variables. For repeated use, a config file or environment variables are usually less noisy than long command lines.
export STIPA_USER_ID=sti-pa-user
export STIPA_PASSWORD=sti-pa-password
export STIPA_SP_ID=818H
export STIPA_SPC=818H
export ACME_KID=peeringhub-kid
export SHAKEN_SUBJECT_ORGANIZATION="Example Telecom"
export SHAKEN_SUBJECT_STATE=TX
export SHAKEN_SUBJECT_LOCALITY=Irving
Prepare or verify the Peeringhub ACME account:
stir-shaken-toolkit peeringhub-account-setup
Issue a certificate:
stir-shaken-toolkit peeringhub-issue
By default, issuance writes artifacts to a new timestamped directory such as
./shaken-cert-20260508T162900Z.
peeringhub-account-setup and peeringhub-issue contact Peeringhub ACME.
peeringhub-issue also contacts STI-PA.
Common Commands
Peeringhub issuance:
stir-shaken-toolkit peeringhub-account-setup
stir-shaken-toolkit peeringhub-issue
Local CSR and fingerprint utilities:
stir-shaken-toolkit csr --spc 818H
stir-shaken-toolkit inspect --csr shaken.csr
stir-shaken-toolkit inspect --certificate leaf.pem --json
stir-shaken-toolkit fingerprint --csr shaken.csr
stir-shaken-toolkit validate-key-pair --key account.key --certificate leaf.pem
stir-shaken-toolkit validate-key-pair --key shaken.key --csr shaken.csr
Standalone STI-PA SPC token request:
stir-shaken-toolkit spc-token \
--spc 818H \
--fingerprint "SHA256 AA:BB:..."
List STI-PA STI-CA companies:
stir-shaken-toolkit ca-list
stir-shaken-toolkit ca-list --json --details
Run stir-shaken-toolkit --help or
stir-shaken-toolkit <command> --help for the current command-line reference.
Configuration Basics
CLI values resolve in this order:
- Explicit command-line arguments.
- --config YAML values.
- Prefixed environment variables.
- Built-in defaults.
Environment variables use domain prefixes: STIPA_*, ACME_*, SHAKEN_*,
and PEERINGHUB_*.
--config is a global option, so place it before the subcommand:
stir-shaken-toolkit --config toolkit.yaml peeringhub-issue
See Configuration for the complete config and environment variable reference.
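The resolution order above, as an added sketch that is not the toolkit's own code: it reports which layer supplied each value and masks secret-looking ones, which helps when a stale YAML value silently shadows an environment variable. Keying every layer by the environment-style name and treating empty strings as unset are assumptions made here; the toolkit's real CLI and YAML key names may differ.

```python
import os

# Env prefixes named on the page; keying every layer by the env-style
# name is an assumption of this sketch.
PREFIXES = ("STIPA_", "ACME_", "SHAKEN_", "PEERINGHUB_")
SECRET_HINTS = ("PASSWORD", "TOKEN", "SECRET")

def resolve(name, cli=None, config=None, env=None, defaults=None):
    """Return (value, source) for a name such as STIPA_SPC.

    Order follows the page: CLI argument, --config YAML value,
    prefixed environment variable, built-in default.
    """
    if not name.startswith(PREFIXES):
        raise ValueError(f"{name} lacks a known domain prefix")
    layers = (
        ("cli", cli or {}),
        ("config", config or {}),
        ("env", os.environ if env is None else env),
        ("default", defaults or {}),
    )
    for source, layer in layers:
        value = layer.get(name)
        if value not in (None, ""):  # assumption: empty means unset
            return value, source
    return None, "unset"

def explain(names, **layers):
    """Map each name to 'source: value', masking secret-looking values."""
    report = {}
    for name in names:
        value, source = resolve(name, **layers)
        if value is not None and any(h in name for h in SECRET_HINTS):
            value = "***"
        report[name] = f"{source}: {value}"
    return report

if __name__ == "__main__":
    # Constructed sample layers, not real credentials.
    demo = explain(
        ["STIPA_SPC", "STIPA_PASSWORD", "ACME_KID"],
        cli={"STIPA_SPC": "818H"},
        config={"STIPA_SPC": "000A", "STIPA_PASSWORD": "from-yaml"},
        env={"STIPA_PASSWORD": "from-env", "ACME_KID": "peeringhub-kid"},
    )
    for key, line in demo.items():
        print(key, "->", line)
```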
Important Files
Peeringhub ACME commands use a local account directory. If you do not configure one, the toolkit chooses a per-user platform default.
The durable credential is account.key. Protect it like any other private key.
Peeringhub issuance uses this key for ACME account authentication, the STI-PA
SPC token fingerprint, the CSR public key, and the final certificate/private-key
pair.
The account.json file is a recoverable cache of the Peeringhub ACME account
URL. If it is removed, the toolkit can recreate it by signing with the existing
account.key.
Peeringhub issuance writes certificate artifacts but does not write a private key into the issuance output directory. The issued certificate belongs with the ACME account key.
For installation and publication details, see Artifacts and Installation.
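An added audit sketch, not part of the toolkit, for the two properties described above: account.key is readable only by its owner, and no private key has ended up in an issuance output directory. The directory paths are supplied by the caller, and the permission check applies on POSIX systems only.

```python
import os
import stat
import tempfile
from pathlib import Path

# Matches PKCS#8, EC, RSA and encrypted PEM private-key headers.
PEM_KEY_MARKER = b"PRIVATE KEY-----"

def audit_key_handling(account_dir, issuance_dir):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    key = Path(account_dir) / "account.key"
    if not key.is_file():
        findings.append(f"{key}: missing")
    elif os.name == "posix":
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key}: mode {mode:04o} allows group/other access")
    # The page says issuance output holds no private key; flag any file that does.
    for path in sorted(Path(issuance_dir).rglob("*")):
        if path.is_file() and PEM_KEY_MARKER in path.read_bytes():
            findings.append(f"{path}: contains a PEM private key")
    return findings

if __name__ == "__main__":
    # Constructed layout: every name except account.key is made up for the demo.
    with tempfile.TemporaryDirectory() as tmp:
        account = Path(tmp, "account")
        output = Path(tmp, "shaken-cert-demo")
        account.mkdir()
        output.mkdir()
        pem = ("-----BEGIN EC PRIVATE KEY-----\n(constructed)\n"
               "-----END EC PRIVATE KEY-----\n")
        (account / "account.key").write_text(pem)
        os.chmod(account / "account.key", 0o644)  # deliberately too open
        (output / "copied.key").write_text(pem)   # deliberately misplaced
        for finding in audit_key_handling(account, output):
            print("FINDING:", finding)
```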
More Documentation
- Configuration: config keys, environment variables, defaults, and examples.
- Peeringhub Issuance: account setup, issuance behavior, and common failure diagnostics.
- Artifacts and Installation: output files and which certificate file to publish for STIR/SHAKEN use.
- Python API: using the reusable modules directly.
- Shell Completion: generated completion through argcomplete.
File details
Details for the file stir_shaken_toolkit-1.0.1.tar.gz.
File metadata
- Download URL: stir_shaken_toolkit-1.0.1.tar.gz
- Upload date:
- Size: 44.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5614d75dc8a123c2ec2d6f5dbb38c877e5217b3c5b7a813899d089592f8fd015 |
| MD5 | f6093aca9438d2b2229f396900fce9f0 |
| BLAKE2b-256 | d538c10373f2c21e834d3295f8d1b79a049417356cd66ec4eaaf34772cf5d754 |
Provenance
The following attestation bundles were made for stir_shaken_toolkit-1.0.1.tar.gz:
Publisher: pypi.yml on peeringhub-io/stir-shaken-toolkit
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: stir_shaken_toolkit-1.0.1.tar.gz
  - Subject digest: 5614d75dc8a123c2ec2d6f5dbb38c877e5217b3c5b7a813899d089592f8fd015
  - Sigstore transparency entry: 1525524379
  - Sigstore integration time:
- Permalink: peeringhub-io/stir-shaken-toolkit@614e65d837e5d76ddbd2dc66582fe9ed685c9c77
- Branch / Tag: refs/tags/v1.0.1
- Owner: https://github.com/peeringhub-io
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: pypi.yml@614e65d837e5d76ddbd2dc66582fe9ed685c9c77
- Trigger Event: push
File details
Details for the file stir_shaken_toolkit-1.0.1-py3-none-any.whl.
File metadata
- Download URL: stir_shaken_toolkit-1.0.1-py3-none-any.whl
- Upload date:
- Size: 50.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1d5f32ad9eaace7fb28bc3f0d5d5fa25b8f3de8f0575827908e92290808e66e2 |
| MD5 | ef09cd16b08a5d274b7c6e74aed8821d |
| BLAKE2b-256 | e366cba9c729e20e0544e1167c42ae17df7ffe319821d746ecd5f0aaf1135bc0 |
Provenance
The following attestation bundles were made for stir_shaken_toolkit-1.0.1-py3-none-any.whl:
Publisher: pypi.yml on peeringhub-io/stir-shaken-toolkit
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: stir_shaken_toolkit-1.0.1-py3-none-any.whl
  - Subject digest: 1d5f32ad9eaace7fb28bc3f0d5d5fa25b8f3de8f0575827908e92290808e66e2
  - Sigstore transparency entry: 1525524406
  - Sigstore integration time:
- Permalink: peeringhub-io/stir-shaken-toolkit@614e65d837e5d76ddbd2dc66582fe9ed685c9c77
- Branch / Tag: refs/tags/v1.0.1
- Owner: https://github.com/peeringhub-io
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: pypi.yml@614e65d837e5d76ddbd2dc66582fe9ed685c9c77
- Trigger Event: push