def test_tpp_token_enroll_valid_hours(self): cn = f"{random_word(10)}.venafi.example.com" request = CertificateRequest(common_name=cn) request.san_dns = [ "www.client.venafi.example.com", "ww1.client.venafi.example.com" ] request.email_addresses = [ "*****@*****.**", "*****@*****.**" ] request.ip_addresses = ["127.0.0.1", u"192.168.1.1"] request.user_principal_names = [ "*****@*****.**", "*****@*****.**" ] request.uniform_resource_identifiers = [ "https://www.venafi.com", "https://venafi.cloud" ] custom_fields = [ CustomField(name="custom", value="pythonTest"), CustomField(name="cfList", value="item2"), CustomField(name="cfListMulti", value="tier1"), CustomField(name="cfListMulti", value="tier4") ] request.custom_fields = custom_fields request.validity_hours = 144 request.issuer_hint = IssuerHint.MICROSOFT expected_date = datetime.utcnow() + timedelta( hours=request.validity_hours) self.tpp_conn.request_cert(request, self.tpp_zone) cert = self.tpp_conn.retrieve_cert(request) cert = x509.load_pem_x509_certificate(cert.cert.encode(), default_backend()) assert isinstance(cert, x509.Certificate) expiration_date = cert.not_valid_after # Due to some roundings and delays in operations on the server side, the certificate expiration date # is not exactly the same as the one used in the request. A gap is allowed in this scenario to compensate # this delays and roundings. delta = timedelta(seconds=60) date_format = "%Y-%m-%d %H:%M:%S" self.assertAlmostEqual( expected_date, expiration_date, delta=delta, msg=f"Delta between expected and expiration date is too big." f"\nExpected: {expected_date.strftime(date_format)}" f"\nGot: {expiration_date.strftime(date_format)}" f"\nExpected_delta: {delta.total_seconds()} seconds.")
def main(): # Get credentials from environment variables user = environ.get('TPP_USER') password = environ.get('TPP_PASSWORD') url = environ.get('TPP_TOKEN_URL') zone = environ.get("ZONE") fake = environ.get('FAKE') if fake: # If fake is true, test connection will be used. conn = Connection(fake=True) else: # If user and password are passed, you can get a new token from them. # If access_token and refresh_token are passed, there is no need for the username and password. # If only access_token is passed, the Connection will fail when token expires, as there is no way to refresh it. conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={"verify": False}) # If your TPP server certificate signed with your own CA, or available only via proxy, you can specify # a trust bundle using requests vars: # conn = token_connection(url=url, user=user, password=password, # http_request_kwargs={"verify": "/path-to/bundle.pem"}) request = CertificateRequest(common_name=random_word(10) + ".venafi.example.com") request.san_dns = [u"www.client.venafi.example.com", u"ww1.client.venafi.example.com"] request.email_addresses = [u"*****@*****.**", u"*****@*****.**"] request.ip_addresses = [u"127.0.0.1", u"192.168.1.1"] request.uniform_resource_identifiers = [u"http://wgtest.com",u"https://ragnartest.com"] request.user_principal_names = [u"*****@*****.**", u"*****@*****.**"] # Specify ordering certificates in chain. Root can be "first" or "last". By default its last. You also can # specify "ignore" to ignore chain (supported only for Platform). # configure key type, RSA example request.key_type = KeyType(KeyType.RSA, 2048) # or set it to ECDSA #request.key_type = KeyType(KeyType.ECDSA, "p521") # Update certificate request from zone zone_config = conn.read_zone_conf(zone) request.update_from_zone_config(zone_config) conn.request_cert(request, zone) # and wait for signing t = time.time() + 300 while time.time() < t: cert = conn.retrieve_cert(request) if cert: break else: time.sleep(5) # after that print cert and key print(cert.full_chain, request.private_key_pem, sep="\n") # and save into file f = open("/tmp/cert.pem", "w") f.write(cert.full_chain) f = open("/tmp/cert.key", "w") f.write(request.private_key_pem) f.close() if not isinstance(conn, FakeConnection): # fake connection doesn`t support certificate renewing print("Trying to renew certificate") new_request = CertificateRequest( cert_id=request.id, ) conn.renew_cert(new_request) while True: new_cert = conn.retrieve_cert(new_request) if new_cert: break else: time.sleep(5) print(new_cert.cert, new_request.private_key_pem, sep="\n") fn = open("/tmp/new_cert.pem", "w") fn.write(new_cert.cert) fn = open("/tmp/new_cert.key", "w") fn.write(new_request.private_key_pem) fn.close() if isinstance(conn, (TPPConnection or TPPTokenConnection)): revocation_req = RevocationRequest(req_id=request.id, comments="Just for test") print("Revoke", conn.revoke_cert(revocation_req)) print("Trying to sign CSR") csr_pem = open("example-csr.pem", "rb").read() csr_request = CertificateRequest(csr=csr_pem.decode()) # zone_config = conn.read_zone_conf(zone) # request.update_from_zone_config(zone_config) conn.request_cert(csr_request, zone) # and wait for signing while True: cert = conn.retrieve_cert(csr_request) if cert: break else: time.sleep(5) # after that print cert and key print(cert.full_chain) # and save into file f = open("/tmp/signed-cert.pem", "w") f.write(cert.full_chain) f.close()