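def main():
    """Request a certificate from Venafi as a Service (VaaS) and save its chain.

    Reads ``VAAS_URL`` (optional), ``VAAS_APIKEY`` and ``VAAS_ZONE`` from the
    environment, requests a certificate with a service-generated CSR for a
    random hostname, prints the full chain and writes it to ``./cert.pem``.

    Raises:
        RuntimeError: if ``VAAS_APIKEY`` or ``VAAS_ZONE`` is not set.
    """
    # Get credentials from environment variables.
    # VAAS_URL is optional: it is only needed when connecting to a specific
    # VaaS server; the production platform needs no URL.
    url = environ.get('VAAS_URL')
    api_key = environ.get('VAAS_APIKEY')
    zone = environ.get('VAAS_ZONE')

    # Fail fast with a clear message instead of an obscure error deeper in
    # the connector when a required variable is missing.
    missing = [
        name for name, value in (('VAAS_APIKEY', api_key), ('VAAS_ZONE', zone))
        if not value
    ]
    if missing:
        raise RuntimeError(
            f"Missing required environment variables: {', '.join(missing)}")

    # Connection will be chosen automatically based on which arguments are passed.
    # If api_key is passed, Venafi Cloud connection will be used.
    conn = venafi_connection(url=url, api_key=api_key)

    # Build a Certificate request
    request = CertificateRequest(
        common_name=f"{random_word(10)}.venafi.example.com")
    # Set the request to use a service generated CSR
    request.csr_origin = CSR_ORIGIN_SERVICE
    # A password should be defined for the private key to be generated.
    # The literal below is a placeholder for the example; a real deployment
    # should take the passphrase from the environment or a secret store, not
    # from source code.
    request.key_password = '******'
    # Include some Subject Alternative Names
    request.san_dns = [
        "www.dns.venafi.example.com", "ww1.dns.venafi.example.com"
    ]
    # Additional CSR attributes can be included:
    request.organization = "Venafi, Inc."
    request.organizational_unit = ["Product Management"]
    request.locality = "Salt Lake City"
    request.province = "Utah"  # This is the same as state
    request.country = "US"

    # Specify ordering certificates in chain. Root can be CHAIN_OPTION_FIRST ("first")
    # or CHAIN_OPTION_LAST ("last"). By default it is CHAIN_OPTION_LAST.
    # request.chain_option = CHAIN_OPTION_FIRST
    #
    # To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
    # request.custom_fields = [
    #    CustomField(name="Cost Center", value="ABC123"),
    #    CustomField(name="Environment", value="Production"),
    #    CustomField(name="Environment", value="Staging")
    # ]
    #
    # Request the certificate.
    conn.request_cert(request, zone)
    # Wait for the certificate to be retrieved.
    # This operation may take some time to return, as it waits until the
    # certificate is ISSUED or it times out.
    # Timeout is 180s by default. Can be changed using:
    # request.timeout = 300
    cert = conn.retrieve_cert(request)

    # Print the certificate
    print(cert.full_chain)
    # Save it into a file. Only the certificate chain is written here; the
    # generated private key is not persisted by this example. The context
    # manager closes the file even if the write fails.
    with open("./cert.pem", "w") as f:
        f.write(cert.full_chain)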
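def main():
    """Request a certificate from Venafi Platform (TPP), save it and renew it.

    Reads ``TPP_TOKEN_URL``, ``TPP_USER``, ``TPP_PASSWORD``, ``TPP_ZONE`` and
    the optional ``TPP_TRUST_BUNDLE`` from the environment, requests a
    certificate with a service-generated CSR, writes its full chain to
    ``./cert.pem``, then renews it by id and writes the renewed certificate
    to ``./new_cert.pem``.

    Raises:
        RuntimeError: if one of the required ``TPP_*`` variables is not set.
    """
    # Get credentials from environment variables
    url = environ.get('TPP_TOKEN_URL')
    user = environ.get('TPP_USER')
    password = environ.get('TPP_PASSWORD')
    zone = environ.get('TPP_ZONE')
    server_trust_bundle = environ.get('TPP_TRUST_BUNDLE')

    # Fail fast with a clear message instead of an obscure error deeper in
    # the connector when a required variable is missing.
    required = (
        ('TPP_TOKEN_URL', url),
        ('TPP_USER', user),
        ('TPP_PASSWORD', password),
        ('TPP_ZONE', zone),
    )
    missing = [name for name, value in required if not value]
    if missing:
        raise RuntimeError(
            f"Missing required environment variables: {', '.join(missing)}")

    # Connection will be chosen automatically based on which arguments are passed.
    # If token is passed Venafi Cloud connection will be used.
    # If user, password, and URL Venafi Platform (TPP) will be used.
    # If your TPP server certificate signed with your own CA, or available only via proxy, you can specify
    # a trust bundle using http_request_kwargs.
    # NOTE(review): when TPP_TRUST_BUNDLE is unset this passes verify=None;
    # confirm the connector treats None as "use the default trust store" and
    # never as "disable verification".
    conn = venafi_connection(
        url=url,
        user=user,
        password=password,
        http_request_kwargs={'verify': server_trust_bundle})

    # Build a Certificate request
    request = CertificateRequest(
        common_name=f"{random_word(10)}.venafi.example.com")
    # Set the request to use a service generated CSR
    request.csr_origin = CSR_ORIGIN_SERVICE
    # Include some Subject Alternative Names
    request.san_dns = [
        "www.dns.venafi.example.com", "ww1.dns.venafi.example.com"
    ]
    request.email_addresses = [
        "*****@*****.**", "*****@*****.**"
    ]
    request.ip_addresses = ["127.0.0.1", "192.168.1.1"]
    request.uniform_resource_identifiers = [
        "http://wgtest.uri.com", "https://ragnartest.uri.com"
    ]
    request.user_principal_names = [
        "*****@*****.**", "*****@*****.**"
    ]
    # Specify whether or not to return the private key. It is False by default.
    # A password should be defined for the private key if include_private_key is True.
    # The literal below is a placeholder for the example; a real deployment
    # should take the passphrase from the environment or a secret store, not
    # from source code.
    request.include_private_key = True
    request.key_password = '******'
    # Specify ordering certificates in chain. Root can be CHAIN_OPTION_FIRST ("first")
    # or CHAIN_OPTION_LAST ("last"). By default it is CHAIN_OPTION_LAST.
    # You can also specify CHAIN_OPTION_IGNORE ("ignore") to ignore chain (supported only for TPP).
    # request.chain_option = CHAIN_OPTION_FIRST
    # To set Custom Fields for the certificate, specify an array of CustomField objects as name-value pairs
    # request.custom_fields = [
    #    CustomField(name="Cost Center", value="ABC123"),
    #    CustomField(name="Environment", value="Production"),
    #    CustomField(name="Environment", value="Staging")
    # ]
    #
    # Update certificate request from zone.
    zone_config = conn.read_zone_conf(zone)
    request.update_from_zone_config(zone_config)
    # Request the certificate.
    conn.request_cert(request, zone)

    # Wait for the certificate to be retrieved.
    # This operation may take some time to return, as it waits until the
    # certificate is ISSUED or it times out.
    # Timeout is 180s by default. Can be changed using:
    # request.timeout = 300
    cert = conn.retrieve_cert(request)

    # Print the certificate
    print(cert.full_chain)
    # Save it into a file. Only the chain is written; the private key that was
    # requested above is not persisted by this example. The context manager
    # closes the file even if the write fails.
    with open("./cert.pem", "w") as f:
        f.write(cert.full_chain)

    print("Trying to renew certificate")
    # Renewal is keyed on the id assigned to the original request.
    new_request = CertificateRequest(cert_id=request.id)
    # The renewal request should use a service generated CSR as well
    # This may not be necessary and depends entirely on the settings of your Policy/Zone
    new_request.csr_origin = CSR_ORIGIN_SERVICE
    conn.renew_cert(new_request)
    new_cert = conn.retrieve_cert(new_request)
    print(new_cert.cert)
    with open("./new_cert.pem", "w") as fn:
        fn.write(new_cert.cert)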
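    def enroll(self):
        """Request a certificate through the Venafi connection and return its material.

        Reads the common name, SAN list, private-key settings and zone from
        ``self.properties``, builds a ``CertificateRequest`` seeded from the
        zone configuration, submits it and polls until the certificate is
        issued.

        Returns:
            dict keyed by ``self.CHAIN_ATTR``, ``self.CERTIFICATE_ATTR``,
            ``self.PRIVATE_KEY_ATTR`` and ``self.CSR_ATTR`` holding the chain,
            the certificate, the private key PEM and the CSR.

        Raises:
            ValueError: if a SAN entry does not start with ``ip:``,
                ``ip address:``, ``dns:`` or ``email:`` (case-insensitive).
            TimeoutError: if the certificate is not issued within the
                polling window.
        """
        LOG.info("Running enroll")
        common_name = self.properties[self.CN]
        sans = self.properties[self.SANs]
        privatekey_passphrase = self.properties[self.KEY_PASSWORD]
        privatekey_type = self.properties[self.KEY_TYPE]
        curve = self.properties[self.KEY_CURVE]
        key_size = self.properties[self.KEY_LENGTH]
        zone = self.properties[self.ZONE]

        # How long to wait for issuance and how often to poll, in seconds.
        retrieve_timeout = 600
        poll_interval = 5

        LOG.info("Reading zone config from %s", zone)
        zone_config = self.conn.read_zone_conf(zone)
        request = CertificateRequest(
            common_name=common_name,
            origin="OpenStack"
        )
        request.update_from_zone_config(zone_config)

        if sans:
            LOG.info("Configuring SANs from list %s", sans)
            ip_addresses = []
            email_addresses = []
            san_dns = []
            for entry in sans:
                # Entries are "<type>:<value>"; only the type prefix is
                # matched case-insensitively, the value is kept verbatim.
                prefix, _, value = entry.partition(":")
                kind = prefix.lower()
                if kind in ("ip", "ip address"):
                    LOG.info("Adding ip %s to ip_addresses", value)
                    ip_addresses.append(value)
                elif kind == "dns":
                    LOG.info("Adding domain name %s to san_dns", value)
                    san_dns.append(value)
                elif kind == "email":
                    LOG.info("Adding mail %s to email_addresses", value)
                    email_addresses.append(value)
                else:
                    # ValueError is a subclass of Exception, so existing
                    # `except Exception` handlers still catch it.
                    raise ValueError("Failed to determine extension type: %s" % entry)
            request.ip_addresses = ip_addresses
            request.san_dns = san_dns
            request.email_addresses = email_addresses
            LOG.info("Request is %s, %s, %s", request.ip_addresses, request.san_dns, request.email_addresses)

        if privatekey_passphrase is not None:
            request.key_password = privatekey_passphrase

        if privatekey_type:
            # Size applies to RSA keys, curve to EC keys; whichever is set wins.
            request.key_type = KeyType(privatekey_type, key_size or curve)

        self.conn.request_cert(request, zone)
        # Poll until retrieve_cert returns something truthy or the window
        # expires. A monotonic clock keeps the deadline immune to wall-clock
        # adjustments.
        deadline = time.monotonic() + retrieve_timeout
        while True:
            LOG.info("Trying to retrieve certificate")
            cert = self.conn.retrieve_cert(request)  # type: vcert.Certificate
            if cert:
                break
            if time.monotonic() > deadline:
                # Previously a timeout fell through to `cert.cert` on None
                # and surfaced as an AttributeError; raise a clear error.
                raise TimeoutError(
                    "Certificate for %s was not issued within %d seconds"
                    % (common_name, retrieve_timeout))
            time.sleep(poll_interval)
        # Only public material is logged; the private key PEM is returned
        # to the caller but never written to the log.
        LOG.info("Got certificate: %s", cert.cert)
        LOG.info("Got chain: %s", cert.chain)
        return {self.CHAIN_ATTR: cert.chain, self.CERTIFICATE_ATTR: cert.cert,
                self.PRIVATE_KEY_ATTR: request.private_key_pem, self.CSR_ATTR: request.csr}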