def main():
# Get credentials from environment variables
url = environ.get('TPP_TOKEN_URL')
user = environ.get('TPP_USER')
password = environ.get('TPP_PASSWORD')
zone = environ.get('TPP_ZONE')
server_trust_bundle = environ.get('TPP_TRUST_BUNDLE')
# Connection will be chosen automatically based on which arguments are passed.
# If token is passed Venafi Cloud connection will be used.
# If user, password, and URL Venafi Platform (TPP) will be used.
# If your TPP server certificate signed with your own CA, or available only via proxy, you can specify
# a trust bundle using http_request_kwargs.
conn = venafi_connection(
url=url,
user=user,
password=password,
http_request_kwargs={'verify': server_trust_bundle})
# Build a Certificate request
request = CertificateRequest(
common_name=f"{random_word(10)}.venafi.example.com")
# Set the request to use a service generated CSR
request.csr_origin = CSR_ORIGIN_SERVICE
# Include some Subject Alternative Names
request.san_dns = [
"www.dns.venafi.example.com", "ww1.dns.venafi.example.com"
]
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
request.uniform_resource_identifiers = [
"http://wgtest.uri.com", "https://ragnartest.uri.com"
]
request.user_principal_names = [
"*****@*****.**", "*****@*****.**"
]
# Specify whether or not to return the private key. It is False by default.
# A password should be defined for the private key if include_private_key is True.
request.include_private_key = True
request.key_password = '******'
# Specify ordering certificates in chain. Root can be CHAIN_OPTION_FIRST ("first")
# or CHAIN_OPTION_LAST ("last"). By default it is CHAIN_OPTION_LAST.
# You can also specify CHAIN_OPTION_IGNORE ("ignore") to ignore chain (supported only for TPP).
# request.chain_option = CHAIN_OPTION_FIRST
# To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
# request.custom_fields = [
# CustomField(name="Cost Center", value="ABC123"),
# CustomField(name="Environment", value="Production"),
# CustomField(name="Environment", value="Staging")
# ]
#
# Update certificate request from zone.
zone_config = conn.read_zone_conf(zone)
request.update_from_zone_config(zone_config)
# Request the certificate.
conn.request_cert(request, zone)
# Wait for the certificate to be retrieved.
# This operation may take some time to return, as it waits until the certificate is ISSUED or it timeout.
# Timeout is 180s by default. Can be changed using:
# request.timeout = 300
cert = conn.retrieve_cert(request)
# Print the certificate
print(cert.full_chain)
# Save it into a file
f = open("./cert.pem", "w")
f.write(cert.full_chain)
f.close()
print("Trying to renew certificate")
new_request = CertificateRequest(cert_id=request.id)
# The renewal request should use a service generated CSR as well
# This may not be necessary and depends entirely on the settings of your Policy/Zone
new_request.csr_origin = CSR_ORIGIN_SERVICE
conn.renew_cert(new_request)
new_cert = conn.retrieve_cert(new_request)
print(new_cert.cert)
fn = open("./new_cert.pem", "w")
fn.write(new_cert.cert)
fn.close()
def enroll(conn,
zone,
cn=None,
private_key=None,
public_key=None,
password=None,
csr=None,
custom_fields=None,
service_generated_csr=False):
request = CertificateRequest(common_name=cn,
private_key=private_key,
key_password=password)
if custom_fields:
request.custom_fields = custom_fields
request.san_dns = [
"www.client.venafi.example.com", "ww1.client.venafi.example.com"
]
if isinstance(conn, (FakeConnection, TPPConnection, TPPTokenConnection)):
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
request.user_principal_names = [
"*****@*****.**", "*****@*****.**"
]
request.uniform_resource_identifiers = [
"https://www.venafi.com", "https://venafi.cloud"
]
if csr:
request.csr = csr
elif service_generated_csr:
request.csr_origin = CSR_ORIGIN_SERVICE
request.include_private_key = True
conn.request_cert(request, zone)
cert = conn.retrieve_cert(request)
with open("./cert.pem", "w") as f:
f.write(cert.full_chain)
with open("./cert.key", "w") as f2:
if request.include_private_key:
assert cert.key is not None
f2.write(cert.key)
else:
f2.write(request.private_key_pem)
cert = x509.load_pem_x509_certificate(cert.cert.encode(),
default_backend())
assert isinstance(cert, x509.Certificate)
t1 = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
t2 = [x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN)]
assert t1 == t2
cert_public_key_pem = cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode()
if isinstance(public_key, string_types):
public_key = public_key.encode()
if public_key:
source_public_key_pem = serialization.load_pem_public_key(
public_key, default_backend()).public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo).decode(
)
else:
source_public_key_pem = request.public_key_pem if not service_generated_csr else None
print(source_public_key_pem)
print(cert_public_key_pem)
if not service_generated_csr:
assert source_public_key_pem == cert_public_key_pem
private_key_pem = request.private_key_pem if not service_generated_csr else None
return request.id, private_key_pem, cert, cert_public_key_pem, request.cert_guid
