
Microsoft AD CS-oriented Swarmauri certificate service for PKCS#10 CSR creation, local self-signed certificates, verification, parsing, and auth setup.

Swarmauri Microsoft AD CS Certificate Service

swarmauri_certservice_ms_adcs provides MsAdcsCertService, a Swarmauri certificate service prepared for Microsoft Active Directory Certificate Services environments. The implemented runtime builds PKCS#10 CSRs from PEM private keys, creates local self-signed certificates, verifies issued certificates against supplied issuers, parses X.509 metadata, and configures HTTP authentication sessions for AD CS Web Enrollment endpoints.

Why Swarmauri Microsoft AD CS Certificate Service?

Use this package when Swarmauri workflows need AD CS-compatible certificate request generation and local certificate inspection while preserving room for NTLM, Kerberos, basic, or anonymous Web Enrollment access. It gives enterprise PKI code one CertServiceBase component for CSR creation, self-signed test certificates, verification, parsing, and authentication configuration.

FAQ

Q: Does this package submit CSRs to AD CS today?

A: Not yet. sign_cert() currently raises NotImplementedError. Use create_csr() to build the request, then submit it through your AD CS Web Enrollment workflow or a custom automation layer.

Q: Which authentication modes are modeled?

A: _AuthCfg supports basic and none with the built-in httpx client. NTLM and Kerberos require an httpx-compatible auth adapter before use.

Q: What certificate operations are implemented?

A: CSR creation, self-signed certificate creation, validity/signature verification with supplied issuer certificates, and metadata parsing are implemented.

Q: What certificate metadata can it parse?

A: parse_cert() returns serial, signature algorithm, issuer, subject, validity timestamps, SKID, AKID, SAN, EKU, key usage, and CA status when those extensions are present.

Features

  • MsAdcsCertService class registered under the swarmauri.cert_services entry point.
  • HTTP session setup for AD CS-style endpoints with configurable TLS verification.
  • NTLM, Kerberos/SPNEGO, HTTP Basic, and anonymous authentication modes.
  • PKCS#10 CSR creation from PEM private keys in KeyRef.material.
  • Subject support for standard X.509 distinguished-name fields and custom RDNs.
  • SAN support for DNS, IP, URI, email, and UPN entries.
  • Key usage and extended key usage CSR extension support.
  • Local self-signed certificate generation for development and tests.
  • Certificate verification with validity-window checks and optional issuer signature verification.
  • X.509 metadata parsing for audit and observability workflows.
  • Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.

Prerequisites

  • Network access to an AD CS Web Enrollment endpoint when integrating with a live CA.
  • PEM private key material for CSR and self-signed certificate creation.
  • Optional httpx-compatible adapters for NTLM or Kerberos/SPNEGO authentication.
  • Issuer certificates when using signature verification.

Installation

Install with uv:

uv add swarmauri_certservice_ms_adcs

Install with pip:

pip install swarmauri_certservice_ms_adcs

Usage

Build a CSR for AD CS enrollment:

import asyncio
from pathlib import Path

from swarmauri_certservice_ms_adcs import MsAdcsCertService, _AuthCfg
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = MsAdcsCertService(
        base_url="https://ca.example.com/certsrv",
        default_template="WebServer",
        auth=_AuthCfg(mode="none"),
    )
    key_ref = KeyRef(material=Path("webserver.key.pem").read_bytes())

    csr = await service.create_csr(
        key=key_ref,
        subject={"C": "US", "O": "Example Corp", "CN": "app.example.com"},
        san={"dns": ["app.example.com", "www.example.com"]},
    )
    Path("app.csr").write_bytes(csr)


asyncio.run(main())
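
Because sign_cert() is not implemented and the CSR is handed to a separate AD CS enrollment step, the request can be reviewed before it leaves the workflow. The following is an added example, not part of the package: it uses the cryptography library directly, assumes the CSR bytes are PEM-encoded, and review_csr and build_sample_csr are hypothetical helper names.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName


def review_csr(csr_pem, allowed_dns):
    """Return a list of findings; empty means the CSR matches what was requested."""
    csr = x509.load_pem_x509_csr(csr_pem)
    findings = []
    if not csr.is_signature_valid:
        findings.append("proof-of-possession signature invalid")
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return findings + ["no SAN extension"]
    dns = set(san.get_values_for_type(x509.DNSName))
    findings += [f"unexpected DNS SAN: {n}" for n in sorted(dns - set(allowed_dns))]
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if cn and cn[0].value not in dns:
        findings.append("subject CN not repeated in SAN")
    # For OtherName, get_values_for_type returns the objects, so type_id is available.
    if any(o.type_id == UPN_OID for o in san.get_values_for_type(x509.OtherName)):
        findings.append("UPN SAN present; confirm the template expects it")
    return findings


def build_sample_csr(dns_names, upn=None):
    """Constructed sample input: an EC-keyed CSR with the given SAN entries."""
    key = ec.generate_private_key(ec.SECP256R1())
    names = [x509.DNSName(n) for n in dns_names]
    if upn:
        raw = upn.encode()  # DER UTF8String: tag 0x0c, short-form length (< 128), bytes
        names.append(x509.OtherName(UPN_OID, b"\x0c" + bytes([len(raw)]) + raw))
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_names[0])])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    builder = builder.add_extension(x509.SubjectAlternativeName(names), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```

Storing the findings list next to the CSR gives the enrollment record a reviewable artifact.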

Create and inspect a local self-signed certificate:

import asyncio
from pathlib import Path

from swarmauri_certservice_ms_adcs import MsAdcsCertService, _AuthCfg
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = MsAdcsCertService(
        base_url="https://ca.example.com/certsrv",
        auth=_AuthCfg(mode="none"),
    )
    key_ref = KeyRef(material=Path("dev.key.pem").read_bytes())

    cert = await service.create_self_signed(
        key=key_ref,
        subject={"CN": "dev.example.com"},
    )
    parsed = await service.parse_cert(cert)
    verification = await service.verify_cert(cert, trust_roots=[cert])

    print(parsed["subject"])
    print(verification["valid"])


asyncio.run(main())
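
What a validity-window and issuer-signature check involves, as an added example built on the cryptography library rather than the package's verify_cert() (make_cert, check and demo are hypothetical names, and every certificate is constructed test data). It also shows why a matching issuer name is not sufficient: a same-named CA holding a different key must fail the check.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(cn, key, issuer_cn, issuer_key, start, days):
    """Constructed EC test certificate (hypothetical helper)."""
    def name(value):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, value)])
    b = x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
    b = b.public_key(key.public_key()).serial_number(x509.random_serial_number())
    b = b.not_valid_before(start).not_valid_after(start + timedelta(days=days))
    return b.sign(issuer_key, hashes.SHA256())


def check(cert, issuers, now):
    """Validity window plus ECDSA signature check against supplied issuers."""
    def utc(attr):  # cryptography >= 42 has *_utc; older attributes are naive UTC
        value = getattr(cert, attr + "_utc", None)
        return value or getattr(cert, attr).replace(tzinfo=timezone.utc)
    in_window = utc("not_valid_before") <= now <= utc("not_valid_after")
    signed_by = None
    for issuer in issuers:
        if issuer.subject != cert.issuer:
            continue  # issuer name does not chain to this certificate
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
            signed_by = issuer.subject.rfc4514_string()
            break
        except InvalidSignature:
            continue  # same name, different key: not the real issuer
    return {"in_window": in_window, "signed_by": signed_by,
            "valid": in_window and signed_by is not None}


def demo():
    """Constructed CA, same-named look-alike CA, and leaf; returns three verdicts."""
    ca_key, fake_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca = make_cert("Test CA", ca_key, "Test CA", ca_key, t0, 365)
    fake = make_cert("Test CA", fake_key, "Test CA", fake_key, t0, 365)
    leaf = make_cert("app.example.com", leaf_key, "Test CA", ca_key, t0, 90)
    cases = [(ca, 30), (fake, 30), (ca, 395)]  # (issuer offered, days after t0)
    return [check(leaf, [iss], t0 + timedelta(days=d)) for iss, d in cases]
```

Passing a self-signed certificate as its own trust root, as in the usage above, only shows that the certificate is internally consistent; certificates issued by a CA should be checked against that CA's certificate.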

Authentication Modes

  • ntlm: provide an httpx-compatible NTLM auth adapter before using _AuthCfg(mode="ntlm", username="DOMAIN\\user", password="...").
  • kerberos: provide an httpx-compatible Kerberos/SPNEGO auth adapter before using _AuthCfg(mode="kerberos", spnego_delegate=True) when delegation is required.
  • basic: provide _AuthCfg(mode="basic", username="...", password="...").
  • none: provide _AuthCfg(mode="none") for anonymous, mTLS-fronted, or externally authenticated flows.

Best Practices

  • Store AD CS credentials in a secure secrets manager and inject them at runtime.
  • Treat generated CSRs, issued certificates, verification results, and parsed metadata as auditable enrollment artifacts.
  • Regenerate CSRs before certificate expiry to leave time for manual approvals.
  • Combine this service with CRL and OCSP verification packages for revocation visibility.

License

Apache-2.0

Download files

Source Distribution

swarmauri_certservice_ms_adcs-0.11.0.dev1.tar.gz (14.5 kB)
