Exemple #1
0
    def test_cloud_enroll_service_generated_csr(self):
        cn = f"{random_word(10)}.venafi.example.com"
        password = '******'

        request = CertificateRequest(
            common_name=cn,
            key_password=password,
            country='US'
        )

        request.san_dns = ["www.client.venafi.example.com", "ww1.client.venafi.example.com"]
        request.csr_origin = CSR_ORIGIN_SERVICE

        self.cloud_conn.request_cert(request, self.cloud_zone)
        cert_object = self.cloud_conn.retrieve_cert(request)

        cert = x509.load_pem_x509_certificate(cert_object.cert.encode(), default_backend())
        assert isinstance(cert, x509.Certificate)
        t1 = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        t2 = [
            x509.NameAttribute(
                NameOID.COMMON_NAME, cn or RANDOM_DOMAIN
            )
        ]
        assert t1 == t2

        output = cert_object.as_pkcs12('FooBarPass123')
        log.info(f"PKCS12 created successfully for certificate with CN: {cn}")
def main():
    # Get credentials from environment variables
    url = environ.get(
        'VAAS_URL'
    )  # Optional, only use when connecting to a specific VaaS server
    api_key = environ.get('VAAS_APIKEY')
    zone = environ.get('VAAS_ZONE')

    # Connection will be chosen automatically based on which arguments are passed.
    # If api_key is passed, Venafi Cloud connection will be used.
    # url attribute is no required when connecting to production VaaS platform
    conn = venafi_connection(url=url, api_key=api_key)

    # Build a Certificate request
    request = CertificateRequest(
        common_name=f"{random_word(10)}.venafi.example.com")
    # Set the request to use a service generated CSR
    request.csr_origin = CSR_ORIGIN_SERVICE
    # A password should be defined for the private key to be generated.
    request.key_password = '******'
    # Include some Subject Alternative Names
    request.san_dns = [
        "www.dns.venafi.example.com", "ww1.dns.venafi.example.com"
    ]
    # Additional CSR attributes can be included:
    request.organization = "Venafi, Inc."
    request.organizational_unit = ["Product Management"]
    request.locality = "Salt Lake City"
    request.province = "Utah"  # This is the same as state
    request.country = "US"

    # Specify ordering certificates in chain. Root can be CHAIN_OPTION_FIRST ("first")
    # or CHAIN_OPTION_LAST ("last"). By default it is CHAIN_OPTION_LAST.
    # request.chain_option = CHAIN_OPTION_FIRST
    #
    # To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
    # request.custom_fields = [
    #    CustomField(name="Cost Center", value="ABC123"),
    #    CustomField(name="Environment", value="Production"),
    #    CustomField(name="Environment", value="Staging")
    # ]
    #
    # Request the certificate.
    conn.request_cert(request, zone)
    # Wait for the certificate to be retrieved.
    # This operation may take some time to return, as it waits until the certificate is ISSUED or it timeout.
    # Timeout is 180s by default. Can be changed using:
    # request.timeout = 300
    cert = conn.retrieve_cert(request)

    # Print the certificate
    print(cert.full_chain)
    # Save it into a file
    f = open("./cert.pem", "w")
    f.write(cert.full_chain)
    f.close()
Exemple #3
0
def main():
    # Get credentials from environment variables
    url = environ.get('TPP_TOKEN_URL')
    user = environ.get('TPP_USER')
    password = environ.get('TPP_PASSWORD')
    zone = environ.get('TPP_ZONE')
    server_trust_bundle = environ.get('TPP_TRUST_BUNDLE')

    # Connection will be chosen automatically based on which arguments are passed.
    # If token is passed Venafi Cloud connection will be used.
    # If user, password, and URL Venafi Platform (TPP) will be used.
    # If your TPP server certificate signed with your own CA, or available only via proxy, you can specify
    # a trust bundle using http_request_kwargs.
    conn = venafi_connection(
        url=url,
        user=user,
        password=password,
        http_request_kwargs={'verify': server_trust_bundle})

    # Build a Certificate request
    request = CertificateRequest(
        common_name=f"{random_word(10)}.venafi.example.com")
    # Set the request to use a service generated CSR
    request.csr_origin = CSR_ORIGIN_SERVICE
    # Include some Subject Alternative Names
    request.san_dns = [
        "www.dns.venafi.example.com", "ww1.dns.venafi.example.com"
    ]
    request.email_addresses = [
        "*****@*****.**", "*****@*****.**"
    ]
    request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
    request.uniform_resource_identifiers = [
        "http://wgtest.uri.com", "https://ragnartest.uri.com"
    ]
    request.user_principal_names = [
        "*****@*****.**", "*****@*****.**"
    ]
    # Specify whether or not to return the private key. It is False by default.
    # A password should be defined for the private key if include_private_key is True.
    request.include_private_key = True
    request.key_password = '******'
    # Specify ordering certificates in chain. Root can be CHAIN_OPTION_FIRST ("first")
    # or CHAIN_OPTION_LAST ("last"). By default it is CHAIN_OPTION_LAST.
    # You can also specify CHAIN_OPTION_IGNORE ("ignore") to ignore chain (supported only for TPP).
    # request.chain_option = CHAIN_OPTION_FIRST
    # To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
    # request.custom_fields = [
    #    CustomField(name="Cost Center", value="ABC123"),
    #    CustomField(name="Environment", value="Production"),
    #    CustomField(name="Environment", value="Staging")
    # ]
    #
    # Update certificate request from zone.
    zone_config = conn.read_zone_conf(zone)
    request.update_from_zone_config(zone_config)
    # Request the certificate.
    conn.request_cert(request, zone)

    # Wait for the certificate to be retrieved.
    # This operation may take some time to return, as it waits until the certificate is ISSUED or it timeout.
    # Timeout is 180s by default. Can be changed using:
    # request.timeout = 300
    cert = conn.retrieve_cert(request)

    # Print the certificate
    print(cert.full_chain)
    # Save it into a file
    f = open("./cert.pem", "w")
    f.write(cert.full_chain)
    f.close()

    print("Trying to renew certificate")
    new_request = CertificateRequest(cert_id=request.id)
    # The renewal request should use a service generated CSR as well
    # This may not be necessary and depends entirely on the settings of your Policy/Zone
    new_request.csr_origin = CSR_ORIGIN_SERVICE
    conn.renew_cert(new_request)
    new_cert = conn.retrieve_cert(new_request)
    print(new_cert.cert)
    fn = open("./new_cert.pem", "w")
    fn.write(new_cert.cert)
    fn.close()
Exemple #4
0
def enroll(conn,
           zone,
           cn=None,
           private_key=None,
           public_key=None,
           password=None,
           csr=None,
           custom_fields=None,
           service_generated_csr=False):
    request = CertificateRequest(common_name=cn,
                                 private_key=private_key,
                                 key_password=password)

    if custom_fields:
        request.custom_fields = custom_fields

    request.san_dns = [
        "www.client.venafi.example.com", "ww1.client.venafi.example.com"
    ]
    if isinstance(conn, (FakeConnection, TPPConnection, TPPTokenConnection)):
        request.email_addresses = [
            "*****@*****.**", "*****@*****.**"
        ]
        request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
        request.user_principal_names = [
            "*****@*****.**", "*****@*****.**"
        ]
        request.uniform_resource_identifiers = [
            "https://www.venafi.com", "https://venafi.cloud"
        ]

    if csr:
        request.csr = csr
    elif service_generated_csr:
        request.csr_origin = CSR_ORIGIN_SERVICE
        request.include_private_key = True

    conn.request_cert(request, zone)
    cert = conn.retrieve_cert(request)
    with open("./cert.pem", "w") as f:
        f.write(cert.full_chain)
    with open("./cert.key", "w") as f2:
        if request.include_private_key:
            assert cert.key is not None
            f2.write(cert.key)
        else:
            f2.write(request.private_key_pem)

    cert = x509.load_pem_x509_certificate(cert.cert.encode(),
                                          default_backend())
    assert isinstance(cert, x509.Certificate)
    t1 = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    t2 = [x509.NameAttribute(NameOID.COMMON_NAME, cn or RANDOM_DOMAIN)]
    assert t1 == t2

    cert_public_key_pem = cert.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    if isinstance(public_key, string_types):
        public_key = public_key.encode()
    if public_key:
        source_public_key_pem = serialization.load_pem_public_key(
            public_key, default_backend()).public_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PublicFormat.SubjectPublicKeyInfo).decode(
                )
    else:
        source_public_key_pem = request.public_key_pem if not service_generated_csr else None
    print(source_public_key_pem)
    print(cert_public_key_pem)

    if not service_generated_csr:
        assert source_public_key_pem == cert_public_key_pem
    private_key_pem = request.private_key_pem if not service_generated_csr else None

    return request.id, private_key_pem, cert, cert_public_key_pem, request.cert_guid