
SCEP-oriented Swarmauri certificate service for PKCS#10 CSR creation, challenge-password enrollment requests, response capture, and X.509 parsing.


Swarmauri SCEP Certificate Service

swarmauri_certservice_scep provides ScepCertService, a Swarmauri certificate service for Simple Certificate Enrollment Protocol (SCEP) style workflows. The implemented service creates PKCS#10 CSRs, optionally embeds a challenge password, posts CSR bytes to a SCEP PKIOperation endpoint, and parses returned X.509 certificate metadata.

Why Swarmauri SCEP Certificate Service?

Use this package when Swarmauri applications need a small SCEP-oriented enrollment adapter without embedding enrollment URL construction and CSR creation in application code. It keeps CSR generation, challenge-password handling, SCEP endpoint submission, and certificate metadata extraction behind CertServiceBase.

FAQ

Q: Does this package build complete CMS or PKCS#7 SCEP envelopes?

A: No. The current implementation posts CSR bytes directly to pkiclient.exe?operation=PKIOperation and returns the responder content. If your responder requires full SCEP CMS wrapping or PKCS#7 response extraction, handle that in the surrounding enrollment layer.

Q: What CSR fields are supported?

A: create_csr() currently builds a CSR with the common name from subject["CN"], DNS SAN entries, and a challenge password from the call or service constructor.

Q: What does verify_cert() check?

A: The current verifier loads PEM or DER certificates and returns issuer, subject, serial, validity timestamps, and CA status. It does not perform chain validation or revocation checking.

Q: Which standards does the package document?

A: The service docstring references SCEP from RFC 8894, PKCS#10 CSR creation from RFC 2986, and X.509 certificate metadata from RFC 5280.

Features

  • ScepCertService class registered under the swarmauri.cert_services entry point.
  • PKCS#10 CSR creation from PEM private keys in KeyRef.material.
  • DNS subject alternative name support.
  • Challenge password support through the constructor or per-call argument.
  • SCEP PKIOperation HTTP submission through httpx.
  • PEM and DER certificate loading for verification and parsing.
  • Basic certificate metadata extraction for issuer, subject, serial, validity, and CA status.
  • Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.

Prerequisites

  • Reachable SCEP endpoint such as https://mdm.example.com/scep.
  • PEM private key material for each device, service, or workload enrolling.
  • RA challenge password when required by the SCEP service.
  • Additional CMS/PKCS#7 handling in the caller when required by the SCEP responder.

Installation

Install with uv:

uv add swarmauri_certservice_scep

Install with pip:

pip install swarmauri_certservice_scep

Usage

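Create a CSR with a challenge password (the literal below is a placeholder; load the real value from a secret store, as noted under Best Practices):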

import asyncio
from pathlib import Path

from swarmauri_certservice_scep import ScepCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = ScepCertService(
        "https://scep.example.test",
        challenge_password="enroll-secret",
    )
    key_ref = KeyRef(material=Path("device.key.pem").read_bytes())

    csr = await service.create_csr(
        key=key_ref,
        subject={"CN": "device-001.example.com"},
        san={"dns": ["device-001.example.com", "device-001"]},
    )
    Path("device.csr").write_bytes(csr)


asyncio.run(main())

Submit a CSR to a SCEP endpoint:

import asyncio
from pathlib import Path

from swarmauri_certservice_scep import ScepCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = ScepCertService("https://scep.example.test")
    response_bytes = await service.sign_cert(
        Path("device.csr").read_bytes(),
        ca_key=KeyRef(kid="scep-ca"),
    )
    Path("device-response.bin").write_bytes(response_bytes)


asyncio.run(main())

Parse a returned certificate:

import asyncio
from pathlib import Path

from swarmauri_certservice_scep import ScepCertService


async def main() -> None:
    service = ScepCertService("https://scep.example.test")
    details = await service.parse_cert(Path("device.pem").read_bytes())

    print("Serial:", details["serial"])
    print("Subject:", details["subject"])


asyncio.run(main())

Best Practices

  • Store challenge passwords and enrollment secrets in a secure vault.
  • Treat SCEP responses as opaque until decoded by a response parser appropriate for your responder.
  • Generate distinct key pairs per device or workload.
  • Pair SCEP enrollment with CRL or OCSP verification packages for lifecycle monitoring.

License

Apache-2.0

Download files

  • Source distribution: swarmauri_certservice_scep-0.11.0.dev1.tar.gz (10.4 kB)
  • Built distribution: swarmauri_certservice_scep-0.11.0.dev1-py3-none-any.whl (11.4 kB)
  • Uploaded via: uv/0.11.26
  • Uploaded using Trusted Publishing? No
