def test_tpp_token_enroll_valid_hours(self):
cn = f"{random_word(10)}.venafi.example.com"
request = CertificateRequest(common_name=cn)
request.san_dns = [
"www.client.venafi.example.com", "ww1.client.venafi.example.com"
]
request.email_addresses = [
"*****@*****.**", "*****@*****.**"
]
request.ip_addresses = ["127.0.0.1", u"192.168.1.1"]
request.user_principal_names = [
"*****@*****.**", "*****@*****.**"
]
request.uniform_resource_identifiers = [
"https://www.venafi.com", "https://venafi.cloud"
]
custom_fields = [
CustomField(name="custom", value="pythonTest"),
CustomField(name="cfList", value="item2"),
CustomField(name="cfListMulti", value="tier1"),
CustomField(name="cfListMulti", value="tier4")
]
request.custom_fields = custom_fields
request.validity_hours = 144
request.issuer_hint = IssuerHint.MICROSOFT
expected_date = datetime.utcnow() + timedelta(
hours=request.validity_hours)
self.tpp_conn.request_cert(request, self.tpp_zone)
cert = self.tpp_conn.retrieve_cert(request)
cert = x509.load_pem_x509_certificate(cert.cert.encode(),
default_backend())
assert isinstance(cert, x509.Certificate)
expiration_date = cert.not_valid_after
# Due to some roundings and delays in operations on the server side, the certificate expiration date
# is not exactly the same as the one used in the request. A gap is allowed in this scenario to compensate
# this delays and roundings.
delta = timedelta(seconds=60)
date_format = "%Y-%m-%d %H:%M:%S"
self.assertAlmostEqual(
expected_date,
expiration_date,
delta=delta,
msg=f"Delta between expected and expiration date is too big."
f"\nExpected: {expected_date.strftime(date_format)}"
f"\nGot: {expiration_date.strftime(date_format)}"
f"\nExpected_delta: {delta.total_seconds()} seconds.")
def main():
# Get credentials from environment variables
user = environ.get('TPP_USER')
password = environ.get('TPP_PASSWORD')
url = environ.get('TPP_TOKEN_URL')
zone = environ.get("ZONE")
fake = environ.get('FAKE')
if fake:
# If fake is true, test connection will be used.
conn = Connection(fake=True)
else:
# If user and password are passed, you can get a new token from them.
# If access_token and refresh_token are passed, there is no need for the username and password.
# If only access_token is passed, the Connection will fail when token expires, as there is no way to refresh it.
conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={"verify": False})
# If your TPP server certificate signed with your own CA, or available only via proxy, you can specify
# a trust bundle using requests vars:
# conn = token_connection(url=url, user=user, password=password,
# http_request_kwargs={"verify": "/path-to/bundle.pem"})
request = CertificateRequest(common_name=random_word(10) + ".venafi.example.com")
request.san_dns = [u"www.client.venafi.example.com", u"ww1.client.venafi.example.com"]
request.email_addresses = [u"*****@*****.**", u"*****@*****.**"]
request.ip_addresses = [u"127.0.0.1", u"192.168.1.1"]
request.uniform_resource_identifiers = [u"http://wgtest.com",u"https://ragnartest.com"]
request.user_principal_names = [u"*****@*****.**", u"*****@*****.**"]
# Specify ordering certificates in chain. Root can be "first" or "last". By default its last. You also can
# specify "ignore" to ignore chain (supported only for Platform).
# configure key type, RSA example
request.key_type = KeyType(KeyType.RSA, 2048)
# or set it to ECDSA
#request.key_type = KeyType(KeyType.ECDSA, "p521")
# Update certificate request from zone
zone_config = conn.read_zone_conf(zone)
request.update_from_zone_config(zone_config)
conn.request_cert(request, zone)
# and wait for signing
t = time.time() + 300
while time.time() < t:
cert = conn.retrieve_cert(request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print(cert.full_chain, request.private_key_pem, sep="\n")
# and save into file
f = open("/tmp/cert.pem", "w")
f.write(cert.full_chain)
f = open("/tmp/cert.key", "w")
f.write(request.private_key_pem)
f.close()
if not isinstance(conn, FakeConnection):
# fake connection doesn`t support certificate renewing
print("Trying to renew certificate")
new_request = CertificateRequest(
cert_id=request.id,
)
conn.renew_cert(new_request)
while True:
new_cert = conn.retrieve_cert(new_request)
if new_cert:
break
else:
time.sleep(5)
print(new_cert.cert, new_request.private_key_pem, sep="\n")
fn = open("/tmp/new_cert.pem", "w")
fn.write(new_cert.cert)
fn = open("/tmp/new_cert.key", "w")
fn.write(new_request.private_key_pem)
fn.close()
if isinstance(conn, (TPPConnection or TPPTokenConnection)):
revocation_req = RevocationRequest(req_id=request.id, comments="Just for test")
print("Revoke", conn.revoke_cert(revocation_req))
print("Trying to sign CSR")
csr_pem = open("example-csr.pem", "rb").read()
csr_request = CertificateRequest(csr=csr_pem.decode())
# zone_config = conn.read_zone_conf(zone)
# request.update_from_zone_config(zone_config)
conn.request_cert(csr_request, zone)
# and wait for signing
while True:
cert = conn.retrieve_cert(csr_request)
if cert:
break
else:
time.sleep(5)
# after that print cert and key
print(cert.full_chain)
# and save into file
f = open("/tmp/signed-cert.pem", "w")
f.write(cert.full_chain)
f.close()
