certsrv¶

A Python client for the Microsoft AD Certificate Services web page.

exception certsrv.CertificatePendingException(req_id)[source]¶

Bases: exceptions.Exception

Signifies that the request needs to be approved by a CA admin.

class certsrv.Certsrv(server, username, password, auth_method='basic', cafile=None, timeout=30)[source]¶

Bases: object

Represents a Microsoft AD Certificate Services web server.

Parameters:

server – The FQDN to a server running the Certification Authority Web Enrollment role (must be listening on https).
username – The username for authentication.
password – The password for authentication.
auth_method – The chosen authentication method. Either ‘basic’ (the default), ‘ntlm’ or ‘cert’ (SSL client certificate).
cafile – A PEM file containing the CA certificates that should be trusted.
timeout – The timeout to use against the CA server, in seconds. The default is 30.

Note

If you use a client certificate for authentication (auth_method=cert), the username parameter should be the path to a certificate, and the password parameter the path to a (unencrypted) private key.

check_credentials()[source]¶

Checks the specified credentials against the ADCS server.

Returns:	True if authentication succeeded, False if it failed.

get_ca_cert(encoding='b64')[source]¶

Gets the (newest) CA certificate from the ADCS server.

Parameters:	encoding – The desired encoding for the returned certificate. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM).
Returns:	The newest CA certificate from the server.

get_cert(csr, template, encoding='b64', attributes=None)[source]¶

Gets a certificate from the ADCS server.

Parameters:	csr – The certificate request to submit. template – The certificate template the cert should be issued from. encoding – The desired encoding for the returned certificate. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM). attributes – Additional Attributes (request attibutes) to be sent along with the request.
Returns:	The issued certificate.
Raises:	RequestDeniedException – If the request was denied by the ADCS server. CertificatePendingException – If the request needs to be approved by a CA admin. CouldNotRetrieveCertificateException – If something went wrong while fetching the cert.

get_chain(encoding='bin')[source]¶

Gets the CA chain from the ADCS server.

Parameters:	encoding – The desired encoding for the returned certificates. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM).
Returns:	The CA chain from the server, in PKCS#7 format.

get_existing_cert(req_id, encoding='b64')[source]¶

Gets a certificate that has already been created from the ADCS server.

Parameters:	req_id – The request ID to retrieve. encoding – The desired encoding for the returned certificate. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM).
Returns:	The issued certificate.
Raises:	CouldNotRetrieveCertificateException – If something went wrong while fetching the cert.

update_credentials(username, password)[source]¶

Updates the credentials used against the ADCS server.

Parameters:	username – The username for authentication. password – The password for authentication.

exception certsrv.CouldNotRetrieveCertificateException(message, response)[source]¶

Bases: exceptions.Exception

Signifies that the certificate could not be retrieved.

exception certsrv.RequestDeniedException(message, response)[source]¶

Bases: exceptions.Exception

Signifies that the request was denied by the ADCS server.

certsrv.check_credentials(server, username, password, **kwargs)[source]¶

Checks the specified credentials against the specified ADCS server.

Parameters:

ca – The FQDN to a server running the Certification Authority Web Enrollment role (must be listening on https).
username – The username for authentication.
pasword – The password for authentication.
auth_method – The chosen authentication method. Either ‘basic’ (the default), ‘ntlm’ or ‘cert’ (ssl client certificate).
cafile – A PEM file containing the CA certificates that should be trusted.

Returns:

True if authentication succeeded, False if it failed.

Note

This method is deprecated.

certsrv.get_ca_cert(server, username, password, encoding='b64', **kwargs)[source]¶

Gets the (newest) CA certificate from a Microsoft AD Certificate Services web page.

Parameters:

server – The FQDN to a server running the Certification Authority Web Enrollment role (must be listening on https).
username – The username for authentication.
pasword – The password for authentication.
encoding – The desired encoding for the returned certificate. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM).
auth_method – The chosen authentication method. Either ‘basic’ (the default), ‘ntlm’ or ‘cert’ (ssl client certificate).
cafile – A PEM file containing the CA certificates that should be trusted.

Returns:

The newest CA certificate from the server.

Note

This method is deprecated.

certsrv.get_cert(server, csr, template, username, password, encoding='b64', **kwargs)[source]¶

Gets a certificate from a Microsoft AD Certificate Services web page.

Parameters:	server – The FQDN to a server running the Certification Authority Web Enrollment role (must be listening on https). csr – The certificate request to submit. template – The certificate template the cert should be issued from. username – The username for authentication. pasword – The password for authentication. encoding – The desired encoding for the returned certificate. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM). auth_method – The chosen authentication method. Either ‘basic’ (the default), ‘ntlm’ or ‘cert’ (ssl client certificate). cafile – A PEM file containing the CA certificates that should be trusted.
Returns:	The issued certificate.
Raises:	RequestDeniedException – If the request was denied by the ADCS server. CertificatePendingException – If the request needs to be approved by a CA admin. CouldNotRetrieveCertificateException – If something went wrong while fetching the cert.

Note

This method is deprecated.

certsrv.get_chain(server, username, password, encoding='bin', **kwargs)[source]¶

Gets the chain from a Microsoft AD Certificate Services web page.

Parameters:

server – The FQDN to a server running the Certification Authority Web Enrollment role (must be listening on https).
username – The username for authentication.
pasword – The password for authentication.
encoding – The desired encoding for the returned certificates. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM).
auth_method – The chosen authentication method. Either ‘basic’ (the default), ‘ntlm’ or ‘cert’ (ssl client certificate).
cafile – A PEM file containing the CA certificates that should be trusted.

Returns:

The CA chain from the server, in PKCS#7 format.

Note

This method is deprecated.

certsrv.get_existing_cert(server, req_id, username, password, encoding='b64', **kwargs)[source]¶

Gets a certificate that has already been created from a Microsoft AD Certificate Services web page.

Parameters:	server – The FQDN to a server running the Certification Authority Web Enrollment role (must be listening on https). req_id – The request ID to retrieve. username – The username for authentication. pasword – The password for authentication. encoding – The desired encoding for the returned certificate. Possible values are ‘bin’ for binary and ‘b64’ for Base64 (PEM). auth_method – The chosen authentication method. Either ‘basic’ (the default), ‘ntlm’ or ‘cert’ (ssl client certificate). cafile – A PEM file containing the CA certificates that should be trusted.
Returns:	The issued certificate.
Raises:	CouldNotRetrieveCertificateException – If something went wrong while fetching the cert.

Note

This method is deprecated.