AWS KMS backed Swarmauri certificate service for CSR signing, self-signed roots, X.509 parsing, and certificate verification.
Project description
Swarmauri AWS KMS Certificate Service
swarmauri_certservice_aws_kms provides AwsKmsCertService, a Swarmauri certificate service that signs X.509 certificate structures with AWS Key Management Service. It creates CSRs from exportable PEM keys, signs incoming PKCS#10 CSRs through AWS KMS Sign, creates self-signed CA certificates with KMS-backed keys, verifies issued certificates against trusted issuers, and parses X.509 metadata.
Why Swarmauri AWS KMS Certificate Service?
Use this package when certificate private keys should remain in AWS KMS while Swarmauri applications still need certificate issuance and verification workflows. The service maps Swarmauri KeyRef objects to AWS KMS KeyIds, supports KMS public-key retrieval, assembles X.509 certificates locally, and delegates signing operations to KMS.
FAQ
Q: How does the service find the AWS KMS key?
A: sign_cert() and create_self_signed() resolve the KMS KeyId from KeyRef.tags["aws_kms_key_id"], KeyRef.tags["kms_key_id"], or KeyRef.kid.
Q: Does CSR creation use AWS KMS?
A: No. create_csr() requires exportable private key material in KeyRef.material. AWS KMS is used for certificate signing and self-signed certificate signatures.
Q: Which signature algorithms are supported?
A: The service supports RSA-PSS-SHA256, RSA-SHA256, and ECDSA-P256-SHA256 mappings to AWS KMS signing algorithms.
Q: Can it verify certificates?
A: Yes. verify_cert() checks the validity window and, when an issuer certificate is provided through intermediates or trust_roots, verifies RSA PKCS#1, RSA-PSS, or ECDSA signatures with the issuer public key.
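The checks the answer above attributes to verify_cert(), as an added example that is not the package's own code: the validity window is tested first, then the certificate's TBSCertificate signature is verified against the trust root whose subject matches the certificate's issuer, choosing RSA PKCS#1 v1.5, RSA-PSS or ECDSA from the issuer key type and the signature algorithm OID. It is written directly against the `cryptography` library with keys generated in memory, so no AWS KMS call is involved; the function names (`verify_cert`, `verify_signature`, `_build_cert`, `demo`) and the test scenario are this example's own, and the lookalike root that reuses the real root's name is constructed to show why the signature check, not just the name match, decides acceptance.

```python
"""Added example, not the package's own code: the checks verify_cert() is
described as performing (validity window, then issuer signature by key type),
done directly with the `cryptography` library on in-memory keys, no KMS call."""
from __future__ import annotations

import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _build_cert(subject, issuer, public_key, signing_key, *, is_ca: bool, days: int):
    """Constructed fixture: a minimal certificate over public_key signed by signing_key."""
    now = dt.datetime.now(dt.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def _utc(cert: x509.Certificate, field: str) -> dt.datetime:
    # cryptography >= 42 exposes *_utc properties; older releases return naive datetimes.
    value = getattr(cert, field + "_utc", None)
    return value if value is not None else getattr(cert, field).replace(tzinfo=dt.timezone.utc)


def verify_signature(cert: x509.Certificate, issuer_key) -> None:
    """Verify the TBSCertificate signature with the issuer public key, choosing
    RSA PKCS#1 v1.5, RSA-PSS or ECDSA from the key type and signature OID."""
    tbs, sig, digest = cert.tbs_certificate_bytes, cert.signature, cert.signature_hash_algorithm
    if isinstance(issuer_key, rsa.RSAPublicKey):
        if cert.signature_algorithm_oid == SignatureAlgorithmOID.RSASSA_PSS:
            pad = cert.signature_algorithm_parameters  # PSS parameters travel inside the cert
        else:
            pad = padding.PKCS1v15()
        issuer_key.verify(sig, tbs, pad, digest)
    elif isinstance(issuer_key, ec.EllipticCurvePublicKey):
        issuer_key.verify(sig, tbs, ec.ECDSA(digest))
    else:
        raise TypeError(f"unsupported issuer key type: {type(issuer_key).__name__}")


def verify_cert(cert_pem: bytes, trust_roots: list[bytes], now: dt.datetime | None = None) -> dict:
    """Validity window first, then the signature against the trust root whose
    subject equals this certificate's issuer. Returns {"valid": bool, "reason": str}."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    now = now or dt.datetime.now(dt.timezone.utc)
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        return {"valid": False, "reason": "outside validity window"}
    for root_pem in trust_roots:
        root = x509.load_pem_x509_certificate(root_pem)
        if root.subject != cert.issuer:
            continue  # name mismatch: not this issuer
        try:
            verify_signature(cert, root.public_key())
        except InvalidSignature:
            return {"valid": False, "reason": "signature does not verify against issuer key"}
        return {"valid": True, "reason": "ok"}
    return {"valid": False, "reason": "no trusted issuer matches the certificate issuer"}


def demo() -> dict:
    """Constructed scenario: a P-256 root, a leaf it issued, and an unrelated RSA
    root that reuses the root's name (a lookalike that must be rejected)."""
    root_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    lookalike_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = _build_cert("Example Root CA", "Example Root CA", root_key.public_key(), root_key, is_ca=True, days=3650)
    leaf = _build_cert("tenant.example.com", "Example Root CA", leaf_key.public_key(), root_key, is_ca=False, days=365)
    lookalike = _build_cert("Example Root CA", "Example Root CA", lookalike_key.public_key(), lookalike_key, is_ca=True, days=3650)
    root_pem, leaf_pem, look_pem = (c.public_bytes(Encoding.PEM) for c in (root, leaf, lookalike))
    later = dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=400)  # past the leaf's 365 days
    return {
        "good": verify_cert(leaf_pem, [root_pem]),
        "wrong_issuer_key": verify_cert(leaf_pem, [look_pem]),
        "no_issuer": verify_cert(leaf_pem, []),
        "expired": verify_cert(leaf_pem, [root_pem], now=later),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The issuer is selected by subject-name match only to pick a candidate; acceptance rests on the signature verifying under that candidate's key, which is why the lookalike root with the same name is rejected. A fuller verifier would also check BasicConstraints and key usage on the issuer, which the README's description of verify_cert() does not cover and this example leaves out.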
Features
- `AwsKmsCertService` class registered under the `swarmauri.cert_services` entry point.
- AWS KMS client creation with optional region, endpoint URL, and boto3 session.
- CSR creation from exportable PEM private keys.
- CSR signing with KMS-backed issuer keys.
- Self-signed certificate creation with KMS-backed keys.
- KMS public-key retrieval for issuer SubjectPublicKeyInfo, SKID, and AKID.
- KeyId resolution from Swarmauri `KeyRef` fields.
- PEM and DER certificate output.
- X.509 certificate parsing for subject, issuer, serial, validity, SANs, key usage, EKU, and CA metadata.
- Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.
Prerequisites
- AWS credentials available to boto3 through environment variables, profiles, IAM role, or workload identity.
- AWS KMS keys that allow `kms:GetPublicKey` and `kms:Sign`.
- KMS key specs compatible with the selected signature algorithm.
- Exportable PEM private key material when using `create_csr()`.
- Issuer subject metadata or CA certificate bytes when signing CSRs.
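The KeyId resolution order from the FAQ (tags["aws_kms_key_id"], then tags["kms_key_id"], then kid) and the "key spec compatible with the selected signature algorithm" prerequisite, as an added example that is not the package's own code. It resolves the KeyId from a stand-in `KeyRefStub` (Swarmauri's KeyRef is assumed to expose at least `.kid` and `.tags`), then checks a key's kms:DescribeKey metadata before any kms:Sign call: the key must be an enabled SIGN_VERIFY key whose KeySpec and advertised SigningAlgorithms fit the requested algorithm. The KMS SigningAlgorithm and KeySpec strings are AWS's real values; `preflight`, `select_signing_algorithm`, `resolve_kms_key_id` and the `FAKE_KMS` metadata are this example's own constructions.

```python
"""Added example, not the package's own code: the KeyId resolution order the FAQ
describes and a pre-flight check that a key's kms:DescribeKey metadata suits the
requested signature algorithm, so a mismatch fails before any kms:Sign call."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class KeyRefStub:
    """Stand-in for Swarmauri's KeyRef (assumed to expose .kid and .tags); lets
    the example run without the framework installed."""
    kid: str | None = None
    tags: dict[str, str] = field(default_factory=dict)


# README algorithm names -> (AWS KMS SigningAlgorithm, required KeySpec prefix).
ALG_TO_KMS = {
    "RSA-PSS-SHA256": ("RSASSA_PSS_SHA_256", "RSA_"),
    "RSA-SHA256": ("RSASSA_PKCS1_V1_5_SHA_256", "RSA_"),
    "ECDSA-P256-SHA256": ("ECDSA_SHA_256", "ECC_NIST_P256"),
}


def resolve_kms_key_id(key: KeyRefStub) -> str:
    """tags['aws_kms_key_id'], then tags['kms_key_id'], then kid: first non-empty wins."""
    for candidate in (key.tags.get("aws_kms_key_id"), key.tags.get("kms_key_id"), key.kid):
        if candidate:
            return candidate
    raise ValueError("KeyRef carries no AWS KMS KeyId in tags or kid")


def select_signing_algorithm(key_metadata: dict, alg: str) -> str:
    """key_metadata is the KeyMetadata object from kms:DescribeKey. Refuses keys
    that are not enabled asymmetric signing keys of a compatible KeySpec."""
    if alg not in ALG_TO_KMS:
        raise ValueError(f"unsupported signature algorithm {alg!r}")
    kms_alg, spec_prefix = ALG_TO_KMS[alg]
    key_id, spec = key_metadata.get("KeyId"), key_metadata.get("KeySpec", "")
    if key_metadata.get("KeyUsage") != "SIGN_VERIFY":
        raise ValueError(f"{key_id}: KeyUsage is not SIGN_VERIFY")
    if key_metadata.get("KeyState") != "Enabled":
        raise ValueError(f"{key_id}: key state is {key_metadata.get('KeyState')}")
    if not spec.startswith(spec_prefix):
        raise ValueError(f"{key_id}: {alg} needs a {spec_prefix}* key, got {spec or 'unknown'}")
    if kms_alg not in key_metadata.get("SigningAlgorithms", []):
        raise ValueError(f"{key_id}: key does not advertise {kms_alg}")
    return kms_alg


def preflight(key: KeyRefStub, alg: str, describe_key) -> tuple[str, str]:
    """Resolve the KeyId, fetch its metadata through describe_key(key_id) (in
    production a thin wrapper over boto3's kms.describe_key), and return
    (KeyId, SigningAlgorithm) ready for the kms:Sign request."""
    key_id = resolve_kms_key_id(key)
    return key_id, select_signing_algorithm(describe_key(key_id), alg)


# Constructed DescribeKey metadata; field names follow the KMS API, values are made up.
FAKE_KMS = {
    "arn:aws:kms:us-east-1:000000000000:key/rsa-issuer": {
        "KeyId": "rsa-issuer", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled",
        "KeySpec": "RSA_3072",
        "SigningAlgorithms": ["RSASSA_PSS_SHA_256", "RSASSA_PKCS1_V1_5_SHA_256"],
    },
    "arn:aws:kms:us-east-1:000000000000:key/p256-issuer": {
        "KeyId": "p256-issuer", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled",
        "KeySpec": "ECC_NIST_P256", "SigningAlgorithms": ["ECDSA_SHA_256"],
    },
    "arn:aws:kms:us-east-1:000000000000:key/data-key": {
        "KeyId": "data-key", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled",
        "KeySpec": "SYMMETRIC_DEFAULT",
    },
}


def demo() -> dict:
    lookup = FAKE_KMS.__getitem__  # stands in for a describe_key call
    tagged = KeyRefStub(kid="ignored-when-tag-present",
                        tags={"aws_kms_key_id": "arn:aws:kms:us-east-1:000000000000:key/rsa-issuer"})
    by_kid = KeyRefStub(kid="arn:aws:kms:us-east-1:000000000000:key/p256-issuer")
    results = {"tagged": preflight(tagged, "RSA-PSS-SHA256", lookup),
               "by_kid": preflight(by_kid, "ECDSA-P256-SHA256", lookup)}
    symmetric = KeyRefStub(kid="arn:aws:kms:us-east-1:000000000000:key/data-key")
    for name, ref, alg in [("spec_mismatch", by_kid, "RSA-SHA256"), ("symmetric", symmetric, "RSA-SHA256")]:
        try:
            preflight(ref, alg, lookup)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running the check up front turns a KMS-side rejection (wrong KeyUsage, disabled key, algorithm the key cannot produce) into a local ValueError with the offending KeyId, and it is also why the Best Practices section lists kms:DescribeKey alongside kms:GetPublicKey and kms:Sign.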
Installation
Install with uv:

```bash
uv add swarmauri_certservice_aws_kms
```

Install with pip:

```bash
pip install swarmauri_certservice_aws_kms
```
Usage
Sign an incoming CSR using a customer-managed AWS KMS key:
```python
import asyncio
from datetime import datetime, timedelta, timezone
from pathlib import Path

from swarmauri_certservice_aws_kms import AwsKmsCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = AwsKmsCertService(region_name="us-east-1")
    # The KMS KeyId is resolved from KeyRef.kid here; tags["aws_kms_key_id"]
    # or tags["kms_key_id"] would take precedence if set.
    kms_key = KeyRef(
        kid="arn:aws:kms:us-east-1:123456789012:key/abcd-1234",
    )
    certificate = await service.sign_cert(
        csr=Path("tenant.csr").read_bytes(),  # PKCS#10 CSR submitted by the tenant
        ca_key=kms_key,  # issuer private key never leaves KMS
        issuer={"CN": "Example KMS Issuing CA", "O": "Example Corp"},
        not_after=int((datetime.now(timezone.utc) + timedelta(days=365)).timestamp()),
    )
    Path("tenant.pem").write_bytes(certificate)


asyncio.run(main())
```
Create a CSR from exportable key material:
```python
import asyncio
from pathlib import Path

from swarmauri_certservice_aws_kms import AwsKmsCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = AwsKmsCertService(region_name="us-east-1")
    # create_csr() signs locally, so the KeyRef must carry exportable PEM key material.
    csr = await service.create_csr(
        key=KeyRef(material=Path("intermediate-key.pem").read_bytes()),
        subject={"CN": "Example Intermediate CA", "O": "Example Corp"},
        san={"dns": ["intermediate.example.com"]},
    )
    Path("intermediate.csr").write_bytes(csr)


asyncio.run(main())
```
Create a self-signed root with a KMS-backed key:
```python
import asyncio
from datetime import datetime, timedelta, timezone
from pathlib import Path

from swarmauri_certservice_aws_kms import AwsKmsCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = AwsKmsCertService(region_name="us-east-1")
    # Root key lives in KMS; the service fetches its public key for the
    # SubjectPublicKeyInfo and delegates the self-signature to kms:Sign.
    kms_key = KeyRef(kid="arn:aws:kms:us-east-1:123456789012:key/root-ca-key")
    root = await service.create_self_signed(
        key=kms_key,
        subject={"CN": "Example Root CA", "O": "Example Corp"},
        not_after=int((datetime.now(timezone.utc) + timedelta(days=3650)).timestamp()),
    )
    Path("root-ca.pem").write_bytes(root)


asyncio.run(main())
```
Related Packages
Certificate service packages:
- swarmauri_certservice_gcpkms
- swarmauri_certservice_stepca
- swarmauri_certs_azure
- swarmauri_certs_local_ca
- swarmauri_certs_x509
- swarmauri_certs_cfssl
Foundational packages:
- swarmauri_core defines certificate interfaces and `KeyRef`.
- swarmauri_base provides `CertServiceBase` and component registration.
- swarmauri_standard provides standard Swarmauri components for certificate-adjacent workflows.
- swarmauri provides namespace imports and plugin discovery.
Best Practices
- Grant the signing principal only the KMS permissions the service needs on the key: `kms:GetPublicKey`, `kms:DescribeKey`, and `kms:Sign`.
- Store KMS key ARNs in `KeyRef.tags["aws_kms_key_id"]` or `KeyRef.kid` instead of scattering ARNs through application code.
- Coordinate certificate validity with KMS key rotation and renew certificates before rotating customer-managed keys.
- Cache parsed certificate metadata and issued certificates to reduce repeated KMS signing calls.
License
Apache-2.0
File details
Details for the file swarmauri_certservice_aws_kms-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_certservice_aws_kms-0.11.0.dev1.tar.gz
- Upload date:
- Size: 16.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | d71da8bf4500dbc1da212238f1b2f9a2241e5b5fe0080754eb78c8240fdd627a |
| MD5 | 8f3eea4f975ea31e82a49dfe93ce8d4a |
| BLAKE2b-256 | fe8578323dd90a6ad46c5676e69a3a3ab92b9e52aa5de58ae0483f0f42063bf5 |
File details
Details for the file swarmauri_certservice_aws_kms-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certservice_aws_kms-0.11.0.dev1-py3-none-any.whl
- Upload date:
- Size: 15.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 96e52fce0f8be42146a0fa1858b9b31987b7e40429789082cdb0f21e42e9145f |
| MD5 | bcf624a220aee4a829119ce96e5c419f |
| BLAKE2b-256 | fa1a15bee7f72dfdc7dd1c78d21597bf6dc86d13770a627d6076a331c9c21565 |