SCEP-oriented Swarmauri certificate service for PKCS#10 CSR creation, challenge-password enrollment requests, response capture, and X.509 parsing.
Project description
Swarmauri SCEP Certificate Service
swarmauri_certservice_scep provides ScepCertService, a Swarmauri certificate service for Simple Certificate Enrollment Protocol style workflows. The implemented service creates PKCS#10 CSRs, optionally embeds a challenge password, posts CSR bytes to a SCEP PKIOperation endpoint, and parses returned X.509 certificate metadata.
Why Swarmauri SCEP Certificate Service?
Use this package when Swarmauri applications need a small SCEP-oriented enrollment adapter without embedding enrollment URL construction and CSR creation in application code. It keeps CSR generation, challenge-password handling, SCEP endpoint submission, and certificate metadata extraction behind CertServiceBase.
FAQ
Q: Does this package build complete CMS or PKCS#7 SCEP envelopes?
A: No. The current implementation posts CSR bytes directly to pkiclient.exe?operation=PKIOperation and returns the responder content. If your responder requires full SCEP CMS wrapping or PKCS#7 response extraction, handle that in the surrounding enrollment layer.
Q: What CSR fields are supported?
A: create_csr() currently builds a CSR with the common name from subject["CN"], DNS SAN entries, and a challenge password from the call or service constructor.
Q: What does verify_cert() check?
A: The current verifier loads PEM or DER certificates and returns issuer, subject, serial, validity timestamps, and CA status. It does not perform chain validation or revocation checking.
Q: Which standards does the package document?
A: The service docstring references SCEP from RFC 8894, PKCS#10 CSR creation from RFC 2986, and X.509 certificate metadata from RFC 5280.
Features
- ScepCertService class registered under the swarmauri.cert_services entry point.
- PKCS#10 CSR creation from PEM private keys in KeyRef.material.
- DNS subject alternative name support.
- Challenge password support through the constructor or per-call argument.
- SCEP PKIOperation HTTP submission through httpx.
- PEM and DER certificate loading for verification and parsing.
- Basic certificate metadata extraction for issuer, subject, serial, validity, and CA status.
- Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.
Prerequisites
- Reachable SCEP endpoint such as https://mdm.example.com/scep.
- PEM private key material for each device, service, or workload enrolling.
- RA challenge password when required by the SCEP service.
- Additional CMS/PKCS#7 handling in the caller when required by the SCEP responder.
Installation
Install with uv:

```bash
uv add swarmauri_certservice_scep
```

Install with pip:

```bash
pip install swarmauri_certservice_scep
```
Usage
Create a CSR with a challenge password:
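```python
import asyncio
from pathlib import Path

from swarmauri_certservice_scep import ScepCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = ScepCertService(
        "https://scep.example.test",
        # Example value only; load the real challenge password from a secret store.
        challenge_password="enroll-secret",
    )
    # PEM private key for this device; use a distinct key pair per device.
    key_ref = KeyRef(material=Path("device.key.pem").read_bytes())
    csr = await service.create_csr(
        key=key_ref,
        subject={"CN": "device-001.example.com"},
        san={"dns": ["device-001.example.com", "device-001"]},
    )
    # The CSR carries the challenge password as a plaintext attribute,
    # so handle device.csr as sensitive material.
    Path("device.csr").write_bytes(csr)


asyncio.run(main())
```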
Submit a CSR to a SCEP endpoint:
```python
import asyncio
from pathlib import Path

from swarmauri_certservice_scep import ScepCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = ScepCertService("https://scep.example.test")
    # Posts the CSR bytes to the PKIOperation endpoint and returns
    # the responder content unmodified.
    response_bytes = await service.sign_cert(
        Path("device.csr").read_bytes(),
        ca_key=KeyRef(kid="scep-ca"),
    )
    # Keep the raw response; decode it with a parser that matches your responder.
    Path("device-response.bin").write_bytes(response_bytes)


asyncio.run(main())
```
Parse a returned certificate:
```python
import asyncio
from pathlib import Path

from swarmauri_certservice_scep import ScepCertService


async def main() -> None:
    service = ScepCertService("https://scep.example.test")
    # parse_cert() extracts metadata from a PEM or DER certificate;
    # it does not validate the chain or check revocation.
    details = await service.parse_cert(Path("device.pem").read_bytes())
    print("Serial:", details["serial"])
    print("Subject:", details["subject"])


asyncio.run(main())
```
Related Packages
Certificate service packages:
- swarmauri_certservice_ms_adcs
- swarmauri_certservice_stepca
- swarmauri_certs_acme
- swarmauri_certs_crlverifyservice
- swarmauri_certs_ocspverify
- swarmauri_certs_x509
Foundational packages:
- swarmauri_core defines certificate interfaces and KeyRef.
- swarmauri_base provides CertServiceBase.
- swarmauri provides namespace imports and plugin discovery.
Best Practices
- Store challenge passwords and enrollment secrets in a secure vault.
- Treat SCEP responses as opaque until decoded by a response parser appropriate for your responder.
- Generate distinct key pairs per device or workload.
- Pair SCEP enrollment with CRL or OCSP verification packages for lifecycle monitoring.
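Since sign_cert() returns the responder content as-is (see the FAQ on CMS/PKCS#7) and the practice above is to treat it as opaque, a first step is to find out what kind of bytes came back before handing them to parse_cert(). The following is an added example, not code from this package: a standard-library DER sniffer whose function name, labels and sample bytes are all constructed for illustration.

```python
import base64
import re

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # CMS SignedData, RFC 5652

def _read_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length

def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_scep_response(data: bytes) -> str:
    """Label responder bytes: cms-signed-data, cms-other, x509-like, not-der."""
    try:
        pem = re.search(rb"-----BEGIN [A-Z0-9 ]+-----(.+?)-----END", data, re.S)
        if pem:
            data = base64.b64decode(pem.group(1))
        tag, start, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "not-der"  # wrong outer type or trailing bytes
        inner, i_start, i_end = _read_tlv(data, start)
    except ValueError:
        return "not-der"  # HTML error page, truncated body, bad base64
    if inner == 0x06 and i_end > i_start:  # ContentInfo starts with an OID
        oid = _decode_oid(data[i_start:i_end])
        return "cms-signed-data" if oid == OID_SIGNED_DATA else "cms-other"
    return "x509-like" if inner == 0x30 else "not-der"

# Constructed samples (not real responder output).
SAMPLE_CMS = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_CERT_SHAPED = bytes.fromhex("300430020500")
SAMPLE_PEM = b"-----BEGIN PKCS7-----\n" + base64.b64encode(SAMPLE_CMS) + b"\n-----END PKCS7-----\n"
```

Only an x509-like result is a candidate for parse_cert(); a cms-signed-data result needs PKCS#7 extraction in the surrounding enrollment layer, and x509-like still means only that the outer shape matches, not that the certificate is valid.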
License
Apache-2.0
File details
Details for the file swarmauri_certservice_scep-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_certservice_scep-0.11.0.dev1.tar.gz
- Upload date:
- Size: 10.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6b9a0751e2eafd466d24ae5338d89d2a2477f6eecdeec4c51ad7327abcac7bf0 |
| MD5 | 95ca92d74e92e01b55efb20457d1904f |
| BLAKE2b-256 | c84a43927bf6009e637d63351751c66a7fa955672be3571894661827a9de7685 |
File details
Details for the file swarmauri_certservice_scep-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certservice_scep-0.11.0.dev1-py3-none-any.whl
- Upload date:
- Size: 11.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8231e6d3c0914aa8936c44e8f84bb828d4e9905059ada8b3800d082956fc9882 |
| MD5 | fa2cb756ed9f88d44fdfe8162e6e0dfb |
| BLAKE2b-256 | f3e0f002d5503146c7bb38ae7650127f6b9bdd8cfb86e0091f6332a19bbc7ed7 |