Microsoft AD CS oriented Swarmauri certificate service for PKCS#10 CSR creation, local self-signed certificates, verification, parsing, and auth setup.
Swarmauri Microsoft AD CS Certificate Service
swarmauri_certservice_ms_adcs provides MsAdcsCertService, a Swarmauri certificate service prepared for Microsoft Active Directory Certificate Services environments. The implemented runtime builds PKCS#10 CSRs from PEM private keys, creates local self-signed certificates, verifies issued certificates against supplied issuers, parses X.509 metadata, and configures HTTP authentication sessions for AD CS Web Enrollment endpoints.
Why Swarmauri Microsoft AD CS Certificate Service?
Use this package when Swarmauri workflows need AD CS-compatible certificate request generation and local certificate inspection while preserving room for NTLM, Kerberos, basic, or anonymous Web Enrollment access. It gives enterprise PKI code one CertServiceBase component for CSR creation, self-signed test certificates, verification, parsing, and authentication configuration.
FAQ
Q: Does this package submit CSRs to AD CS today?
A: Not yet. sign_cert() currently raises NotImplementedError. Use create_csr() to build the request, then submit it through your AD CS Web Enrollment workflow or a custom automation layer.
Q: Which authentication modes are modeled?
A: _AuthCfg supports basic and none with the built-in httpx client. NTLM and Kerberos require an httpx-compatible auth adapter before use.
Q: What certificate operations are implemented?
A: CSR creation, self-signed certificate creation, validity/signature verification with supplied issuer certificates, and metadata parsing are implemented.
Q: What certificate metadata can it parse?
A: parse_cert() returns serial, signature algorithm, issuer, subject, validity timestamps, SKID, AKID, SAN, EKU, key usage, and CA status when those extensions are present.
Features
- MsAdcsCertService class registered under the swarmauri.cert_services entry point.
- HTTP session setup for AD CS-style endpoints with configurable TLS verification.
- NTLM, Kerberos/SPNEGO, HTTP Basic, and anonymous authentication modes.
- PKCS#10 CSR creation from PEM private keys in KeyRef.material.
- Subject support for standard X.509 distinguished-name fields and custom RDNs.
- SAN support for DNS, IP, URI, email, and UPN entries.
- Key usage and extended key usage CSR extension support.
- Local self-signed certificate generation for development and tests.
- Certificate verification with validity-window checks and optional issuer signature verification.
- X.509 metadata parsing for audit and observability workflows.
- Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.
Prerequisites
- Network access to an AD CS Web Enrollment endpoint when integrating with a live CA.
- PEM private key material for CSR and self-signed certificate creation.
- Optional httpx-compatible adapters for NTLM or Kerberos/SPNEGO authentication.
- Issuer certificates when using signature verification.
Installation
Install with uv:

```bash
uv add swarmauri_certservice_ms_adcs
```

Install with pip:

```bash
pip install swarmauri_certservice_ms_adcs
```
Usage
Build a CSR for AD CS enrollment:
```python
import asyncio
from pathlib import Path

from swarmauri_certservice_ms_adcs import MsAdcsCertService, _AuthCfg
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = MsAdcsCertService(
        base_url="https://ca.example.com/certsrv",
        default_template="WebServer",
        auth=_AuthCfg(mode="none"),
    )
    key_ref = KeyRef(material=Path("webserver.key.pem").read_bytes())
    csr = await service.create_csr(
        key=key_ref,
        subject={"C": "US", "O": "Example Corp", "CN": "app.example.com"},
        san={"dns": ["app.example.com", "www.example.com"]},
    )
    Path("app.csr").write_bytes(csr)


asyncio.run(main())
```
Create and inspect a local self-signed certificate:
```python
import asyncio
from pathlib import Path

from swarmauri_certservice_ms_adcs import MsAdcsCertService, _AuthCfg
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = MsAdcsCertService(
        base_url="https://ca.example.com/certsrv",
        auth=_AuthCfg(mode="none"),
    )
    key_ref = KeyRef(material=Path("dev.key.pem").read_bytes())
    cert = await service.create_self_signed(
        key=key_ref,
        subject={"CN": "dev.example.com"},
    )
    parsed = await service.parse_cert(cert)
    verification = await service.verify_cert(cert, trust_roots=[cert])
    print(parsed["subject"])
    print(verification["valid"])


asyncio.run(main())
```
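What a validity-window check combined with an issuer signature check does and does not establish, shown as an added example that is not this package's code. It calls the `cryptography` library directly (an assumption; the page does not say how `verify_cert()` is implemented), and `make_cert`, `check_cert` and every certificate are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, key, issuer_cn=None, issuer_key=None, start_days=-1, days=30):
    """Constructed test certificate; self-signed unless an issuer name and key are given."""
    start = datetime.now(timezone.utc) + timedelta(days=start_days)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(issuer_cn or cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + timedelta(days=days))
        .sign(issuer_key or key, hashes.SHA256())
    )


def _utc(cert, field):
    # cryptography >= 42 has *_utc properties; older releases return naive UTC datetimes.
    value = getattr(cert, field + "_utc", None)
    return value or getattr(cert, field).replace(tzinfo=timezone.utc)


def check_cert(cert, issuer=None, at=None):
    """Return (in_validity_window, signature_ok); signature_ok is None when no issuer is supplied."""
    at = at or datetime.now(timezone.utc)
    in_window = _utc(cert, "not_valid_before") <= at <= _utc(cert, "not_valid_after")
    if issuer is None:
        return in_window, None
    try:
        # ECDSA only, to match the constructed keys; the issuer name must match as well.
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
        return in_window, cert.issuer == issuer.subject
    except InvalidSignature:
        return in_window, False
```

A self-signed certificate checked against itself proves only that it is internally consistent; trust comes from which issuer certificates are supplied, and neither check covers revocation.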
Authentication Modes
- ntlm: provide an httpx-compatible NTLM auth adapter before using _AuthCfg(mode="ntlm", username="DOMAIN\\user", password="...").
- kerberos: provide an httpx-compatible Kerberos/SPNEGO auth adapter before using _AuthCfg(mode="kerberos", spnego_delegate=True) when delegation is required.
- basic: provide _AuthCfg(mode="basic", username="...", password="...").
- none: provide _AuthCfg(mode="none") for anonymous, mTLS-fronted, or externally authenticated flows.
Related Packages
Certificate service packages:
- swarmauri_certservice_scep
- swarmauri_certservice_stepca
- swarmauri_certservice_aws_kms
- swarmauri_certservice_gcpkms
- swarmauri_certs_crlverifyservice
- swarmauri_certs_ocspverify
Foundational packages:
- swarmauri_core defines certificate interfaces and KeyRef.
- swarmauri_base provides CertServiceBase.
- swarmauri_standard provides standard Swarmauri components for certificate-adjacent workflows.
- swarmauri provides namespace imports and plugin discovery.
Best Practices
- Store AD CS credentials in a secure secrets manager and inject them at runtime.
- Treat generated CSRs, issued certificates, verification results, and parsed metadata as auditable enrollment artifacts.
- Regenerate CSRs before certificate expiry to leave time for manual approvals.
- Combine this service with CRL and OCSP verification packages for revocation visibility.
License
Apache-2.0
File details
Details for the file swarmauri_certservice_ms_adcs-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_certservice_ms_adcs-0.11.0.dev1.tar.gz
- Upload date:
- Size: 14.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 86db71667e983229cc7a5415b42e55aac3a9194ddacfddf4ab8ad6d53c3a2ee5 |
| MD5 | 939c8dbbe0bfe45d63010da1ed664a2c |
| BLAKE2b-256 | 5632b8ebc49009be2e7c7765ceec00b776a907f1ccfa596c055658f72f39b7ce |
File details
Details for the file swarmauri_certservice_ms_adcs-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certservice_ms_adcs-0.11.0.dev1-py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4bc828ad7185d0af2ce58fcd07190b4b910d329b1181ff3f95e15c132b70606f |
| MD5 | 52dfe3f3004cfc0913ffb973dcea0b52 |
| BLAKE2b-256 | ec927a480e0df05ba523ea6f8501be05cca6e7217b19aadc1fdc66397b33af79 |