#1 quality TLS certs while you wait, for the discerning tester
You wrote a cool network client or server. It encrypts connections using TLS. Your test suite needs to make TLS connections to itself.
Uh oh. Your test suite probably doesn’t have a valid TLS certificate. Now what?
trustme is a tiny Python package that does one thing: it gives you a fake certificate authority (CA) that you can use to generate fake TLS certs to use in your tests. Well, technically they’re real certs, they’re just signed by your CA, which nobody trusts. But you can trust it. Trust me.
Install: pip install -U trustme
Bug tracker and source code: https://github.com/python-trio/trustme
Tested on: Python 2.7 and Python 3.5+, CPython and PyPy
License: MIT or Apache 2, your choice.
Code of conduct: Contributors are requested to follow our code of conduct in all project spaces.
import trustme # ----- Creating certs ----- # Look, you just created your certificate authority! ca = trustme.CA() # And now you issued a cert signed by this fake CA # https://en.wikipedia.org/wiki/Example.org server_cert = ca.issue_cert(u"test-host.example.org") # That's it! # ----- Using your shiny new certs ----- # You can configure SSL context objects to trust this CA: ca.configure_trust(ssl_context) # Or configure them to present the server certificate server_cert.configure_cert(ssl_context) # You can use standard library or PyOpenSSL context objects here, # trustme is happy either way. # ----- or ----- # Save the PEM-encoded data to a file to use in non-Python test # suites: ca.cert_pem.write_to_path("ca.pem") server_cert.private_key_and_cert_chain_pem.write_to_path("server.pem") # ----- or ----- # Put the PEM-encoded data in a temporary file, for libraries that # insist on that: with ca.cert_pem.tempfile() as ca_temp_path: requests.get("https://...", verify=ca_temp_path)
Command line usage:
$ # Certs may be generated from anywhere. Here's where we are: $ pwd /tmp $ # ----- Creating certs ----- $ python -m trustme Generated a certificate for 'localhost', '127.0.0.1', '::1' Configure your server to use the following files: cert=/tmp/server.pem key=/tmp/server.key Configure your client to use the following files: cert=/tmp/client.pem $ # ----- Using certs ----- $ gunicorn --keyfile server.key --certfile server.pem app:app $ curl --cacert client.pem https://localhost:8000/ Hello, world!
Should I use these certs for anything real? Certainly not.
Why not just use self-signed certificates? These are more realistic. You don’t have to disable your certificate validation code in your test suite, which is good because you want to test what you run in production, and you would never disable your certificate validation code in production, right? Plus, they’re just as easy to work with. Actually easier, in many cases.
What if I want to test how my code handles some bizarre TLS configuration? Sure, I’m happy to extend the API to give more control over the generated certificates, at least as long as it doesn’t turn into a second-rate re-export of everything in cryptography. (If you need a fully general X.509 library, then they do a great job at that.) Let’s talk, or send a PR.
Release history Release notifications | RSS feed
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
|Filename, size||File type||Python version||Upload date||Hashes|
|Filename, size trustme-0.7.0-py2.py3-none-any.whl (15.8 kB)||File type Wheel||Python version py2.py3||Upload date||Hashes View|
|Filename, size trustme-0.7.0.tar.gz (27.9 kB)||File type Source||Python version None||Upload date||Hashes View|
Hashes for trustme-0.7.0-py2.py3-none-any.whl