Skip to main content

Asynchronous Swarmauri certificate service for smallstep step-ca CSR creation, one-time-token signing requests, and X.509 certificate parsing.

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_certservice_stepca Discord

Swarmauri Step CA Certificate Service

swarmauri_certservice_stepca provides StepCaCertService, an asynchronous Swarmauri certificate service for smallstep step-ca. It creates PKCS#10 certificate signing requests, submits them to the step-ca /1.0/sign API with a one-time token, and returns PEM or DER certificate bytes for workload, device, service, and internal PKI enrollment.

Why Swarmauri Step CA Certificate Service?

Use this package when a Swarmauri application needs step-ca certificate issuance without spreading CSR construction, token lookup, HTTP client handling, and certificate metadata parsing across application code. StepCaCertService keeps those operations behind the shared CertServiceBase interface so certificate automation can be composed with Swarmauri keys, verifiers, agents, and workflow components.

FAQ

Q: What step-ca API does this package call?

A: sign_cert() posts JSON to /1.0/sign, the step-ca certificate signing endpoint used for CSR-based X.509 issuance. The request includes the CSR and an authorization token supplied through opts={"ott": "..."} or a token_provider.

Q: Does this package create one-time tokens?

A: No. It consumes one-time tokens. Provide the token directly or pass an async token_provider that maps CSR claims to an issued token from your own step-ca, vault, identity, or provisioning layer.

Q: Which certificate fields can create_csr() build?

A: The CSR builder supports common X.509 subject attributes, DNS/IP/URI/email subject alternative names, challenge passwords, basic constraints, key usage, and extended key usage.

Q: Does verify_cert() perform full PKI path validation?

A: No. It loads PEM or DER certificates, checks the certificate validity window, and returns metadata. Use a dedicated verifier such as CRL or OCSP packages when you need revocation checks or chain policy enforcement.

Features

  • StepCaCertService registered under the swarmauri.cert_services entry point.
  • Async httpx client for step-ca /1.0/sign calls.
  • CSR generation for RSA, EC, and Ed25519 private keys.
  • Subject alternative names for DNS names, IP addresses, URIs, and email addresses.
  • Challenge password, basic constraints, key usage, and extended key usage support.
  • One-time-token handling through direct options or an async token provider.
  • Optional provisioner, custom template data, extra request payload fields, and validity-window overrides.
  • PEM response handling with optional DER conversion.
  • Basic PEM and DER certificate verification and parsing helpers.
  • Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.

Prerequisites

  • A reachable step-ca instance exposing /1.0/sign.
  • A provisioner configured for X.509 certificate signing.
  • A one-time token for each signing request, or a token provider that can create or retrieve one.
  • PEM private key material available through KeyRef.material.
  • Trust configuration for the step-ca TLS endpoint when it uses a private root.

Installation

Install with uv:

uv add swarmauri_certservice_stepca

Install with pip:

pip install swarmauri_certservice_stepca

Usage

Issue a certificate with an already issued one-time token:

import asyncio
from pathlib import Path

from swarmauri_certservice_stepca import StepCaCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = StepCaCertService(
        ca_url="https://ca.example",
        provisioner="devices",
        verify_tls="/etc/ssl/step-ca-root.pem",
    )
    key_ref = KeyRef(material=Path("device.key.pem").read_bytes())

    csr = await service.create_csr(
        key_ref,
        {"O": "Example Corp", "CN": "device-001.example.com"},
        san={"dns": ["device-001.example.com"], "uri": ["spiffe://example/device-001"]},
    )
    cert = await service.sign_cert(
        csr,
        key_ref,
        opts={"ott": "step-ca-one-time-token"},
    )

    Path("device.crt").write_bytes(cert)
    await service.aclose()


asyncio.run(main())

Map CSR claims to a token provider:

import asyncio
from pathlib import Path

from swarmauri_certservice_stepca import StepCaCertService
from swarmauri_core.crypto.types import KeyRef


async def token_provider(claims: dict) -> str:
    common_name = claims["sub"]
    return Path(f"otts/{common_name}.txt").read_text().strip()


async def main() -> None:
    service = StepCaCertService(
        "https://ca.example",
        provisioner="workloads",
        token_provider=token_provider,
        timeout_s=10.0,
    )
    key_ref = KeyRef(material=Path("workload.key.pem").read_bytes())
    csr = await service.create_csr(key_ref, {"CN": "worker-17"})
    cert = await service.sign_cert(
        csr,
        key_ref,
        opts={"template_data": {"env": "prod", "role": "worker"}},
    )

    Path("worker-17.crt").write_bytes(cert)
    await service.aclose()


asyncio.run(main())

Parse certificate metadata:

import asyncio
from pathlib import Path

from swarmauri_certservice_stepca import StepCaCertService


async def main() -> None:
    service = StepCaCertService("https://ca.example")
    result = await service.verify_cert(Path("worker-17.crt").read_bytes())
    details = await service.parse_cert(Path("worker-17.crt").read_bytes())

    print(result["valid"])
    print(details["subject"])
    await service.aclose()


asyncio.run(main())

Related Packages

Certificate service packages:

Foundational packages:

Best Practices

  • Retrieve one-time tokens just in time and avoid persisting them in source code or build logs.
  • Use verify_tls with the step-ca root bundle when the CA is internal.
  • Close the async client with aclose() after issuance bursts.
  • Keep certificate issuance separate from revocation checking; pair this package with OCSP or CRL verification packages for lifecycle monitoring.

License

Apache-2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_certservice_stepca-0.11.0.dev1.tar.gz (14.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file swarmauri_certservice_stepca-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_certservice_stepca-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 14.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_certservice_stepca-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 82698c63cd56c25152be9cd41d77e83124bca485f80a243b1909b383c85dde16
MD5 0514e338b5a51f1232c151c94af2e0ba
BLAKE2b-256 3836978616ea55b3b568472b3808f2ed9e5fa65537453097338d479a440eacfe

See more details on using hashes here.

File details

Details for the file swarmauri_certservice_stepca-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_certservice_stepca-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_certservice_stepca-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 be035367492e926105c7176c29e4854b4da651e6ddf034d43fbbf44031a22a95
MD5 9ac1b9793c8c8bf8f23d7a942c44571f
BLAKE2b-256 69971266f3eac0a7c95e07dbbb0ac5928220ee7d226ce9380a28e1729cedaaf3

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page