.. module:: trustme
Here's a fully working example you can run to see how :mod:`trustme` works. It demonstrates a simple TLS server and client that connect to each other using :mod:`trustme`-generated certs.
This example requires Trio (pip
install -U trio) and Python 3.8+. Note that while :mod:`trustme` is
maintained by the Trio project, :mod:`trustme` is happy to work with
any networking library.
The key lines are the calls to :meth:`~CA.configure_trust`,
:meth:`~LeafCert.configure_cert` – try commenting them out one at a
time to see what happens! Also notice that the hostname
test-host.example.org appears twice – try changing one of the
strings so that the two copies no longer match, and see what happens
then!
.. literalinclude:: trustme-trio-example.py
All options:
$ python -m trustme --help
usage: trustme [-h] [-d DIR] [-i [IDENTITIES [IDENTITIES ...]]]
[--common-name COMMON_NAME] [-q]
optional arguments:
-h, --help Show this help message and exit.
-d DIR, --dir DIR Directory where certificates and keys are written to.
Defaults to cwd.
-i [IDENTITIES [IDENTITIES ...]], --identities [IDENTITIES [IDENTITIES ...]]
Identities for the certificate. Defaults to 'localhost
127.0.0.1 ::1'.
--common-name COMMON_NAME
Also sets the deprecated 'commonName' field.
-q, --quiet Doesn't print out helpful information for humans.Default configuration:
$ cd /tmp/
$ python -m trustme
Generated a certificate for 'localhost', '127.0.0.1', '::1'
Configure your server to use the following files:
cert=/tmp/server.pem
key=/tmp/server.key
Configure your client to use the following files:
cert=/tmp/client.pemDesignate different identities:
$ python -m trustme -i www.example.org example.org
Generated a certificate for 'www.example.org', 'example.org'
Configure your server to use the following files:
cert=/tmp/server.pem
key=/tmp/server.key
Configure your client to use the following files:
cert=/tmp/client.pemGenerate files into a directory:
$ mkdir /tmp/a
$ python -m trustme -d /tmp/a
Generated a certificate for 'localhost', '127.0.0.1', '::1'
Configure your server to use the following files:
cert=/tmp/a/server.pem
key=/tmp/a/server.key
Configure your client to use the following files:
cert=/tmp/a/client.pemConfigure certs for server/client:
$ gunicorn --keyfile /tmp/a/server.key --certfile /tmp/a/server.pem app:app
$ curl --cacert /tmp/a/client.pem https://localhost:8000
Hello, world!.. autoclass:: CA :members: :exclude-members: issue_server_cert
.. autoclass:: LeafCert() :members:
.. autoclass:: Blob()
.. automethod:: bytes
.. automethod:: tempfile
:with: path
.. automethod:: write_to_path
.. autoclass:: KeyType :members: RSA, ECDSA :undoc-members:
- Add the Authority Key Identifier extension to child CA certificates. (#642)
- Remove support for Python 3.8 and PyPy 3.9. (#664)
- Allow os.PathLike in typing of Blob.write_to_path. (#606)
- Add support for PyPy 3.10 and Python 3.12. (#609)
- Remove support for Python 3.7. (#609)
- Support for ECDSA keys in certificates and use them by default. The type of key used for certificates can be controlled by the
key_typeparameter on the multiple methods that generate certificates. ECDSA certificates as they can be generated significantly faster. (#559) - Support for Python 3.10 and 3.11 (#372, 574)
- Remove support for Python 2. trustme now requires Python>=3.7 (CPython or PyPy). (#346)
- The package is now type annotated. If you use mypy on code which uses
trustme, you should be able to remove any exclusions. (#339)
- It's now possible to set an expiry date on server certificates, either with
--expires-onin the CLI or withnot_afterin trustme.CA.issue_cert. (#293) - Support Python 3.10 (#327)
- Set correct KeyUsage and ExtendedKeyUsage extensions, per CA/B Forum baseline requirements. (#328)
- trustme can now be used a command line interface with
python -m trustme. Get the help withpython -m trustme --help. (#265)
- Allow specifying organization and organization unit in CA and issued certs. (#126)
- Added :attr:`CA.from_pem` to import an existing certificate authority; this allows migrating to trustme step-by-step. (#107)
- Update to avoid a deprecation warning on cryptography 2.7. (#47)
- Update key size to 2048 bits, as required by recent Debian. (#45)
- Added :meth:`CA.create_child_ca` to allow for certificate chains (#3)
- Added :attr:`CA.private_key_pem` to export CA private keys; this allows signing other certs with the same CA outside of trustme. (#27)
- CAs now include the KeyUsage and ExtendedKeyUsage extensions configured for SSL certificates. (#30)
- CA.issue_cert now accepts email addresses as a valid form of identity. (#33)
- It's now possible to set the "common name" of generated certs; see CA.issue_cert for details. (#34)
CA.issue_server_certhas been renamed to CA.issue_cert, since it supports both server and client certs. To preserve backwards compatibility, the old name is retained as an undocumented alias. (#35)
- Make sure cert expiration dates don't exceed 2038-01-01, to avoid issues on some 32-bit platforms that suffer from the Y2038 problem. (#41)
- :meth:`CA.issue_cert` now accepts IP addresses and IP networks. (#19)
- Start doing our own handling of Unicode hostname (IDNs), instead of relying on cryptography to do it; this allows us to correctly handle a broader range of cases, and avoids relying on soon-to-be-deprecated behavior (#17)
- Generated certs no longer contain a subject:commonName field, to better match CABF guidelines (#18)
- Don't crash on Windows (#10)
- Broke and re-did almost the entire public API. Sorry! Let's just pretend v0.1.0 never happened.
- Hey there are docs now though, that should be worth something right?
- Initial release
This is basically just a trivial wrapper around the awesome Python cryptography library. Also, Glyph originally wrote most of the tricky bits. I got tired of never being able to remember how this works or find the magic snippets to copy/paste, so I stole the code out of Twisted and wrapped it in a bow.