CSR-only Swarmauri certificate service for PKCS#10 request generation with SANs, challenge passwords, and PEM or DER output.
Swarmauri CSR Only Certificate Service
swarmauri_certs_csronly provides CsrOnlyService, a focused Swarmauri certificate service for creating PKCS#10 certificate signing requests. It builds CSRs from PEM private key material in KeyRef, applies X.509 subject fields, optional subject alternative names, optional challenge passwords, and basic constraints, then returns PEM or DER CSR bytes.
Why Swarmauri CSR Only Certificate Service?
Use this package when certificate issuance is handled by another CA, but Swarmauri code still needs a standards-aligned CSR generator. It is useful for ACME, CFSSL, Azure, local CA, and enterprise PKI workflows where key generation and request construction are separated from certificate signing.
FAQ
Q: Does this package issue certificates?
A: No. CsrOnlyService does not create self-signed certificates, sign certificates, verify certificates, or parse certificates. Those methods intentionally raise NotImplementedError.
Q: What key types does it support?
A: supports() advertises RSA-2048, RSA-3072, RSA-4096, EC-P256, and Ed25519. Runtime signing uses cryptography private keys loaded from PEM bytes.
Q: Which CSR features are implemented?
A: CSR creation supports common subject fields, DNS/IP/URI/email SAN entries, PKCS#9 challenge password attributes, basic constraints, and DER or PEM output.
Q: Which standards does it align with?
A: The implementation targets PKCS#10 CSR generation from RFC 2986 and X.509 naming and extension semantics from RFC 5280.
Features
- CsrOnlyService class registered under the swarmauri.certs entry point.
- PKCS#10 CSR creation from PEM private keys stored in KeyRef.material.
- Subject support for CN, C, ST, L, O, OU, and emailAddress.
- Subject alternative name support for DNS names, IP addresses, URIs, and email addresses.
- Optional challenge password attribute support.
- Optional basic constraints extension support.
- PEM output by default with DER output available through output_der=True.
- Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.
Prerequisites
- PEM-encoded private key material available locally or through a KeyRef provider.
- Subject metadata for the certificate request.
- Optional SAN entries, basic constraints, and challenge passwords when required by the target CA.
Installation
Install with uv:
uv add swarmauri_certs_csronly
Install with pip:
pip install swarmauri_certs_csronly
Usage
Generate a CSR for example.com with DNS SAN entries:
import asyncio
from pathlib import Path

from swarmauri_certs_csronly import CsrOnlyService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = CsrOnlyService()
    # Load the PEM private key that will sign the request.
    key_ref = KeyRef(material=Path("example-key.pem").read_bytes())
    csr = await service.create_csr(
        key=key_ref,
        subject={"CN": "example.com", "O": "Example Inc"},
        san={"dns": ["example.com", "www.example.com"]},
    )
    # PEM is the default output encoding.
    Path("example.csr").write_bytes(csr)


asyncio.run(main())
Create a DER-encoded CSR with a challenge password and basic constraints:
import asyncio
from pathlib import Path

from swarmauri_certs_csronly import CsrOnlyService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = CsrOnlyService()
    key_ref = KeyRef(material=Path("root-ca-key.pem").read_bytes())
    csr = await service.create_csr(
        key=key_ref,
        subject={"CN": "Example Root CA"},
        # Request a CA certificate that may not issue subordinate CAs.
        extensions={"basic_constraints": {"ca": True, "path_len": 0}},
        # Placeholder value; use the challenge the target CA requires.
        challenge_password="change-me",
        output_der=True,
    )
    Path("root-ca.csr.der").write_bytes(csr)


asyncio.run(main())
Related Packages
Certificate service packages:
- swarmauri_certs_acme
- swarmauri_certs_cfssl
- swarmauri_certs_x509
- swarmauri_certs_local_ca
- swarmauri_certs_self_signed
- swarmauri_certs_azure
Foundational packages:
- swarmauri_core defines certificate interfaces and KeyRef.
- swarmauri_base provides CertServiceBase.
- swarmauri provides namespace imports and plugin discovery.
Best Practices
- Generate new key pairs and CSRs ahead of certificate expiry to allow review and approval time.
- Store private keys securely; KeyRef can reference hardware or cloud KMS backed material rather than local files.
- Keep SAN lists minimal and auditable to avoid overly broad certificate requests.
- Pair this service with a signing backend such as CFSSL, ACME, Azure, or a local CA package to form a complete issuance pipeline.
License
Apache-2.0
File details
Details for the file swarmauri_certs_csronly-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_certs_csronly-0.11.0.dev1.tar.gz
- Upload date:
- Size: 9.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 75fbb4546964c2b5a58f86295bfc176bdc202fe24f532ffe5643d72871c0cf19 |
| MD5 | a500d6c43d842cb37025bd2f9a60b314 |
| BLAKE2b-256 | 1328c103ca70c57b89b79bb052f6a12d025f33bcc6808f536de25e3e7f132ee4 |
File details
Details for the file swarmauri_certs_csronly-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certs_csronly-0.11.0.dev1-py3-none-any.whl
- Upload date:
- Size: 10.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6b2f13ec791a14596133f11905cea6accaf4962ffafbed6ca686758aac62a339 |
| MD5 | 80125733a3232ba785ad1e4321cee4d4 |
| BLAKE2b-256 | 81bdb3d0456038766ba06fdcad2f86ae3db79bfb0e0ef161824cb2a505477dfa |