### Manage Certificate Policies (Get and Set) (Python)

Source: https://context7.com/venafi/vcert-python/llms.txt

This snippet shows how to manage certificate issuance policies using `set_policy` and `get_policy`. It defines a `PolicySpecification` including subject details, key pair settings, allowed subject alternative names, domains, and certificate authority. For TPP, it demonstrates acquiring an access token with the necessary scope.

```python
from vcert import venafi_connection, Authentication, SCOPE_PM
from vcert.policy import (
    PolicySpecification, Policy, Subject, KeyPair, SubjectAltNames,
    Defaults, DefaultSubject, DefaultKeyPair
)

conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret"
)

# For TPP, acquire token with policy management scope
auth = Authentication(user="admin", password="secret", scope=SCOPE_PM)
conn.get_access_token(auth)

# Define policy specification
policy_spec = PolicySpecification(
    policy=Policy(
        subject=Subject(
            orgs=["Example Corp"],
            org_units=["IT", "Engineering"],
            localities=["San Francisco"],
            states=["California"],
            countries=["US"]
        ),
        key_pair=KeyPair(
            key_types=["RSA", "EC"],
            rsa_key_sizes=[2048, 4096],
            elliptic_curves=["P256", "P384"],
            reuse_allowed=False
        ),
        subject_alt_names=SubjectAltNames(
            dns_allowed=True,
            ip_allowed=True,
            email_allowed=False,
            uri_allowed=True,
            upn_allowed=False
        ),
        domains=["example.com", "example.net"],
        wildcard_allowed=True,
        cert_auth="DigiCert"  # Required for SaaS
    ),
    defaults=Defaults(
        d_subject=DefaultSubject(
            org="Example Corp",
            locality="San Francisco",
            state="California",
            country="US"
        ),
        d_key_pair=DefaultKeyPair(
            key_type="RSA",
            rsa_key_size=2048
        )
    )
)

# Create or update policy
zone = "\\VED\\Policy\\Certificates\\MyApp"
conn.set_policy(zone, policy_spec)
```

--------------------------------

### Token Management (TPP)

Source: https://context7.com/venafi/vcert-python/llms.txt

Manages access tokens for CyberArk Certificate Manager (Self-Hosted) by explicitly
getting, refreshing, and revoking tokens. This requires providing connection details, authentication credentials, and a specific scope for the token.

```python
from vcert import venafi_connection, Authentication, SCOPE_CM

conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret"
)

# Get initial access token with specific scope
auth = Authentication(
    user="admin",
    password="secret",
    scope=SCOPE_CM,  # certificate:manage,revoke
    client_id="my-app-client-id"
)
token_info = conn.get_access_token(auth)
# Token values are printed here for illustration; keep them out of logs
print(f"Access Token: {token_info.access_token}")
print(f"Refresh Token: {token_info.refresh_token}")
print(f"Expires: {token_info.expires}")

# Later, refresh the token before expiration
refreshed = conn.refresh_access_token()
print(f"New Access Token: {refreshed.access_token}")

# When done, revoke the token
status, response = conn.revoke_access_token()
print(f"Token revoked: {status == 200}")
```

--------------------------------

### Retrieve SSH CA Configuration

Source: https://context7.com/venafi/vcert-python/llms.txt

Fetches the SSH Certificate Authority (CA) public key and default principals for SSH certificate validation. This involves establishing a connection, acquiring an access token with the SSH scope, and then requesting the configuration using a specified CA template or GUID.
```python
from vcert import venafi_connection, Authentication, SCOPE_SSH
from vcert.ssh_utils import SSHCATemplateRequest

conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret"
)

auth = Authentication(user="admin", password="secret", scope=SCOPE_SSH)
conn.get_access_token(auth)

# Request CA configuration by template name
ca_request = SSHCATemplateRequest(ca_template="MyCA")
# Or by GUID: ca_request = SSHCATemplateRequest(ca_guid="abc123-...")

config = conn.retrieve_ssh_config(ca_request)

# CA public key for known_hosts or authorized_keys
print(f"CA Public Key: {config.ca_public_key}")

# Default principals configured on the CA
print(f"Default Principals: {config.ca_principals}")

# Add to known_hosts for host verification
with open("/etc/ssh/ssh_known_hosts", "a") as f:
    f.write(f"@cert-authority *.example.com {config.ca_public_key}\n")
```

--------------------------------

### Request and Retrieve Certificate with Subject Details (Python)

Source: https://context7.com/venafi/vcert-python/llms.txt

This snippet demonstrates how to configure a certificate request with specific subject details such as SAN DNS names, organization, organizational unit, locality, province, and country. It then shows how to request and retrieve the certificate, including the service-generated private key.
```python
from vcert import venafi_connection, CertificateRequest

conn = venafi_connection(api_key="your-api-key")
request = CertificateRequest()

# Optional: Add subject details
request.san_dns = ["www.example.com"]
request.organization = "Example Corp"
request.organizational_unit = ["Engineering"]
request.locality = "Austin"
request.province = "Texas"
request.country = "US"

# Request and retrieve
zone = "your-zone"
conn.request_cert(request, zone)
cert = conn.retrieve_cert(request)

# The private key is returned with the certificate
print(cert.cert)
print(cert.key)  # Service-generated private key
```

--------------------------------

### Requesting and Retrieving a Certificate

Source: https://context7.com/venafi/vcert-python/llms.txt

This section details how to create a certificate request with optional subject details and then request and retrieve the certificate from the Venafi service.

```APIDOC
## Requesting and Retrieving a Certificate

### Description
This endpoint allows you to request a new certificate with specified subject details and then retrieve the issued certificate.

### Method
POST (Implicit through `request_cert` and `retrieve_cert` methods)

### Endpoint
Not directly exposed as a single HTTP endpoint, but involves interactions with the Venafi API.

### Parameters
#### Request Body (Implicit)
- **request** (CertificateRequest) - An object containing certificate details such as SANs, organization, locality, etc.
- **zone** (string) - The zone within Venafi where the certificate should be issued.

### Request Example
```python
from vcert import venafi_connection, CertificateRequest

conn = venafi_connection(api_key="your-api-key")
request = CertificateRequest()

# Optional: Add subject details
request.san_dns = ["www.example.com"]
request.organization = "Example Corp"
request.organizational_unit = ["Engineering"]
request.locality = "Austin"
request.province = "Texas"
request.country = "US"

# Request and retrieve
zone = "your-zone"
conn.request_cert(request, zone)
cert = conn.retrieve_cert(request)

# The private key is returned with the certificate
print(cert.cert)
print(cert.key)  # Service-generated private key
```

### Response
#### Success Response (200)
- **cert** (Certificate) - An object containing the issued certificate and its private key.
  - **cert** (string) - The certificate in PEM format.
  - **key** (string) - The private key in PEM format.
  - **full_chain** (string) - The full certificate chain.

#### Response Example
```json
{
  "cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
  "full_chain": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
```
```

--------------------------------

### Managing Policies

Source: https://context7.com/venafi/vcert-python/llms.txt

This section covers the `set_policy` and `get_policy` methods for managing certificate issuance policies, which define allowed subject fields, key types, SANs, and CA settings.

```APIDOC
## Managing Policies

### Description
Manages certificate issuance policies using `set_policy` and `get_policy` methods. Policies define allowed subject fields, key types, SANs, and certificate authority settings.

### Method
POST (for `set_policy`), GET (for `get_policy` - not shown in example)

### Endpoint
Not directly exposed as a single HTTP endpoint, but involves interactions with the Venafi API.

### Parameters
#### Request Body (for `set_policy`)
- **zone** (string) - The zone within Venafi where the policy should be set.
- **policy_spec** (PolicySpecification) - An object defining the policy specification.
  - **policy** (Policy)
    - **subject** (Subject)
      - **orgs** (list of strings)
      - **org_units** (list of strings)
      - **localities** (list of strings)
      - **states** (list of strings)
      - **countries** (list of strings)
    - **key_pair** (KeyPair)
      - **key_types** (list of strings)
      - **rsa_key_sizes** (list of integers)
      - **elliptic_curves** (list of strings)
      - **reuse_allowed** (boolean)
    - **subject_alt_names** (SubjectAltNames)
      - **dns_allowed** (boolean)
      - **ip_allowed** (boolean)
      - **email_allowed** (boolean)
      - **uri_allowed** (boolean)
      - **upn_allowed** (boolean)
    - **domains** (list of strings)
    - **wildcard_allowed** (boolean)
    - **cert_auth** (string, required for SaaS)
  - **defaults** (Defaults)
    - **d_subject** (DefaultSubject)
      - **org** (string)
      - **locality** (string)
      - **state** (string)
      - **country** (string)
    - **d_key_pair** (DefaultKeyPair)
      - **key_type** (string)
      - **rsa_key_size** (integer)

### Request Example
```python
from vcert import venafi_connection, Authentication, SCOPE_PM
from vcert.policy import (
    PolicySpecification, Policy, Subject, KeyPair, SubjectAltNames,
    Defaults, DefaultSubject, DefaultKeyPair
)

conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret"
)

# For TPP, acquire token with policy management scope
auth = Authentication(user="admin", password="secret", scope=SCOPE_PM)
conn.get_access_token(auth)

# Define policy specification
policy_spec = PolicySpecification(
    policy=Policy(
        subject=Subject(
            orgs=["Example Corp"],
            org_units=["IT", "Engineering"],
            localities=["San Francisco"],
            states=["California"],
            countries=["US"]
        ),
        key_pair=KeyPair(
            key_types=["RSA", "EC"],
            rsa_key_sizes=[2048, 4096],
            elliptic_curves=["P256", "P384"],
            reuse_allowed=False
        ),
        subject_alt_names=SubjectAltNames(
            dns_allowed=True,
            ip_allowed=True,
            email_allowed=False,
            uri_allowed=True,
            upn_allowed=False
        ),
        domains=["example.com", "example.net"],
        wildcard_allowed=True,
        cert_auth="DigiCert"  # Required for SaaS
    ),
    defaults=Defaults(
        d_subject=DefaultSubject(
            org="Example Corp",
            locality="San Francisco",
            state="California",
            country="US"
        ),
        d_key_pair=DefaultKeyPair(
            key_type="RSA",
            rsa_key_size=2048
        )
    )
)

# Create or update policy
zone = "\\VED\\Policy\\Certificates\\MyApp"
conn.set_policy(zone, policy_spec)
```

### Response
#### Success Response (200)
- **Success** (boolean) - Indicates if the policy was set successfully.
```

--------------------------------

### Handle VCert Python SDK Exceptions

Source: https://context7.com/venafi/vcert-python/llms.txt

Demonstrates how to catch and handle specific VCert Python SDK exceptions for robust certificate management. This includes handling connection errors, authentication issues, bad client data, certificate request failures, and timeouts. It also includes a general catch-all for other VCert-related errors.

```python
from vcert import venafi_connection, CertificateRequest
from vcert.errors import (
    VenafiError, VenafiConnectionError, ClientBadData,
    AuthenticationError, CertificateRequestError,
    RetrieveCertificateTimeoutError
)

try:
    conn = venafi_connection(api_key="your-api-key")
    request = CertificateRequest(common_name="app.example.com")
    conn.request_cert(request, "Invalid\\Zone")
    request.timeout = 60
    cert = conn.retrieve_cert(request)

except VenafiConnectionError as e:
    print(f"Connection failed: {e}")
    # Handle network issues, invalid URLs, or server errors

except AuthenticationError as e:
    print(f"Authentication failed: {e}")
    # Handle expired tokens, invalid credentials

except ClientBadData as e:
    print(f"Invalid request data: {e}")
    # Handle malformed requests, invalid zones, policy violations

except CertificateRequestError as e:
    print(f"Certificate request failed: {e}")
    # Handle rejection by CA, policy enforcement failures

except RetrieveCertificateTimeoutError as e:
    print(f"Timeout waiting for certificate: {e}")
    # Handle slow CA response, increase timeout or retry later

except VenafiError as e:
    print(f"General error: {e}")
    # Catch-all for other Venafi-related errors
```

--------------------------------

### Retiring a Certificate

Source: https://context7.com/venafi/vcert-python/llms.txt

This section explains how to retire a certificate, marking it as no longer in use. This is supported on both TPP and SaaS platforms.

```APIDOC
## Retiring a Certificate

### Description
Retires a certificate, marking it as no longer in use. This operation is supported on both TPP and SaaS platforms.

### Method
POST (Implicit through `retire_cert` method)

### Endpoint
Not directly exposed as a single HTTP endpoint, but involves interactions with the Venafi API.

### Parameters
#### Request Body (Implicit)
- **retire_request** (RetireRequest) - An object containing details for retiring the certificate, including `req_id` or `thumbprint`, and `description`.
  - **req_id** (string) - The ID of the certificate request to retire.
  - **thumbprint** (string) - The thumbprint of the certificate to retire.
  - **description** (string, optional) - A description for the retirement action.

### Request Example
```python
from vcert import venafi_connection
from vcert.common import RetireRequest

conn = venafi_connection(api_key="your-api-key")

# Retire by certificate ID
retire_request = RetireRequest(
    req_id="certificate-id-here",
    description="Certificate no longer needed"
)
success = conn.retire_cert(retire_request)

# Or retire by thumbprint
retire_by_thumbprint = RetireRequest(thumbprint="ABC123DEF456...")
conn.retire_cert(retire_by_thumbprint)
```

### Response
#### Success Response (200)
- **success** (boolean) - Indicates whether the retirement operation was successful.
```

--------------------------------

### Create VCert Connection

Source: https://context7.com/venafi/vcert-python/llms.txt

Establishes a connection to CyberArk Certificate Manager (SaaS or Self-Hosted) using API keys, user credentials, or access tokens.
Supports fake connections for testing purposes. Requires the 'vcert' library.

```python
from vcert import venafi_connection, VenafiPlatform

# CyberArk Certificate Manager, SaaS connection
conn = venafi_connection(api_key="your-api-key-here")

# CyberArk Certificate Manager, Self-Hosted connection with token authentication
conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret",
    http_request_kwargs={'verify': '/path/to/ca-bundle.pem'}
)

# Or explicitly specify the platform
conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    access_token="your-access-token",
    platform=VenafiPlatform.TPP
)

# Fake connection for testing
conn = venafi_connection(fake=True)
```

--------------------------------

### Retrieve Policy

Source: https://context7.com/venafi/vcert-python/llms.txt

Retrieves the policy associated with a given zone. It then prints the domains and key types configured within that policy. This function requires an active connection object and a valid zone string.

```python
from vcert import venafi_connection

conn = venafi_connection(api_key="your-api-key")
# Backslash escaped so the zone separator is a literal "\"
zone = "My Application\\Default"

retrieved_policy = conn.get_policy(zone)
print(f"Domains: {retrieved_policy.policy.domains}")
print(f"Key types: {retrieved_policy.policy.key_pair.key_types}")
```

--------------------------------

### Service-Generated CSR with VCert Python SDK

Source: https://context7.com/venafi/vcert-python/llms.txt

Configures the VCert SDK to have the certificate platform generate the private key and CSR. This method requires a key password for secure retrieval of the private key. Requires the 'vcert' library.
```python
from vcert import venafi_connection, CertificateRequest, CSR_ORIGIN_SERVICE

conn = venafi_connection(api_key="your-api-key")
# Backslash escaped so the zone separator is a literal "\"
zone = "My Application\\Default"

# Build request with service-generated CSR
request = CertificateRequest(common_name="app.example.com")
request.csr_origin = CSR_ORIGIN_SERVICE
request.key_password = "Secure.Key.Pass.123!"  # Required for service-generated

# Submit the request and retrieve the certificate, as in the other snippets
conn.request_cert(request, zone)
cert = conn.retrieve_cert(request)
```

--------------------------------

### Renewing a Certificate

Source: https://context7.com/venafi/vcert-python/llms.txt

This section explains how to renew an existing certificate using its request ID or thumbprint. Renewal generates a new certificate with the same subject information.

```APIDOC
## Renewing a Certificate

### Description
Renews an existing certificate by its ID or thumbprint. This operation generates a new certificate with the same subject information as the original request.

### Method
POST (Implicit through `renew_cert` and `retrieve_cert` methods)

### Endpoint
Not directly exposed as a single HTTP endpoint, but involves interactions with the Venafi API.

### Parameters
#### Request Body (Implicit)
- **new_request** (CertificateRequest) - An object representing the certificate to renew. Can be initialized with `cert_id` or `thumbprint`.
- **reuse_key** (boolean, optional) - Whether to reuse the existing private key. Defaults to `False`.

### Request Example
```python
from vcert import venafi_connection, CertificateRequest
import time

conn = venafi_connection(api_key="your-api-key")

# Renew by certificate request ID
new_request = CertificateRequest(cert_id="original-request-id")
conn.renew_cert(new_request, reuse_key=False)

# Wait for the renewed certificate
cert = None
timeout = time.time() + 300
while time.time() < timeout:
    cert = conn.retrieve_cert(new_request)
    if cert:
        break
    time.sleep(5)

# Stop here if nothing was issued, instead of failing on cert.full_chain
if not cert:
    raise TimeoutError("renewed certificate was not issued within 300 seconds")

print(cert.full_chain)
print(new_request.private_key_pem)

# Alternatively, renew by thumbprint
thumbprint_request = CertificateRequest(thumbprint="ABC123DEF456...")
conn.renew_cert(thumbprint_request)
renewed_cert = conn.retrieve_cert(thumbprint_request)
```

### Response
#### Success Response (200)
- **cert** (Certificate) - An object containing the renewed certificate and its private key.
  - **full_chain** (string) - The full certificate chain of the renewed certificate.
  - **private_key_pem** (string) - The private key in PEM format (if `reuse_key` was `False` or not specified).

#### Response Example
```json
{
  "full_chain": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "private_key_pem": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
}
```
```

--------------------------------

### Retire Certificate by ID or Thumbprint (Python)

Source: https://context7.com/venafi/vcert-python/llms.txt

This code demonstrates the `retire_cert` method for marking a certificate as no longer in use. It supports retiring certificates by either their ID or thumbprint, and allows for an optional description to be provided. This operation is supported on both SaaS and TPP platforms.
```python
from vcert import venafi_connection
from vcert.common import RetireRequest

conn = venafi_connection(api_key="your-api-key")

# Retire by certificate ID
retire_request = RetireRequest(
    req_id="certificate-id-here",
    description="Certificate no longer needed"
)
success = conn.retire_cert(retire_request)

# Or retire by thumbprint
retire_by_thumbprint = RetireRequest(thumbprint="ABC123DEF456...")
conn.retire_cert(retire_by_thumbprint)
```

--------------------------------

### Retrieve Certificate with VCert Python SDK

Source: https://context7.com/venafi/vcert-python/llms.txt

Fetches a signed certificate from the VCert platform after a request has been submitted. It returns a Certificate object containing the PEM-formatted certificate, chain, and optionally the private key. The retrieval can block until the certificate is issued or a timeout is reached. Requires the 'vcert' library.

```python
from vcert import venafi_connection, CertificateRequest

conn = venafi_connection(api_key="your-api-key")
# Backslash escaped so the zone separator is a literal "\"
zone = "My Application\\Default"

# Create and submit request
request = CertificateRequest(common_name="app.example.com")
conn.request_cert(request, zone)

# Retrieve certificate (blocks until issued or timeout)
# Default timeout is 180 seconds, configurable via request.timeout
request.timeout = 300  # 5 minutes
cert = conn.retrieve_cert(request)

# Access certificate components
print(cert.cert)        # The end-entity certificate in PEM format
print(cert.chain)       # List of chain certificates
print(cert.full_chain)  # Complete chain including end-entity cert
print(cert.key)         # Private key if service-generated

# Save certificate and key to files
with open("cert.pem", "w") as f:
    f.write(cert.full_chain)
with open("key.pem", "w") as f:
    f.write(request.private_key_pem)

# Export as PKCS#12
pkcs12_data = cert.as_pkcs12(passphrase="export-password")
with open("cert.p12", "wb") as f:
    f.write(pkcs12_data)
```

--------------------------------

### SSH Certificate Management

Source: https://context7.com/venafi/vcert-python/llms.txt

Manages SSH certificates by generating an SSH key pair locally, creating a certificate request, submitting it for signing, and then retrieving and saving the signed certificate and private key. This process requires valid connection details and scope for SSH operations.

```python
from vcert import (
    venafi_connection, Authentication, SCOPE_SSH,
    SSHKeyPair, SSHCertRequest, write_ssh_files
)

conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret"
)

# Acquire token with SSH scope
auth = Authentication(user="admin", password="secret", scope=SCOPE_SSH)
conn.get_access_token(auth)

# Generate SSH key pair
ssh_keys = SSHKeyPair()
ssh_keys.generate(key_size=4096, passphrase="key-passphrase")

# Create SSH certificate request
request = SSHCertRequest(
    # Backslashes escaped so the DN separators are literal "\"
    cadn="\\VED\\Certificate Authority\\SSH\\Templates\\MyCA",
    key_id="user@example.com",
    validity_period="8h",
    principals=["ubuntu", "admin"],
    source_addresses=["10.0.0.0/8"],
    extensions={"permit-pty": "", "permit-port-forwarding": ""}
)
request.set_public_key_data(ssh_keys.public_key())

# Request certificate
if conn.request_ssh_cert(request):
    # Retrieve signed certificate
    response = conn.retrieve_ssh_cert(request)

    # Write SSH files
    write_ssh_files(
        file_path="/home/user/.ssh",
        file_name=response.certificate_details.key_id,
        certificate_data=response.certificate_data,
        private_key=ssh_keys.private_key(),
        public_key=ssh_keys.public_key()
    )

    print(f"Certificate fingerprint: {response.certificate_details.cert_fingerprint_sha256}")
    print(f"Valid from: {response.certificate_details.valid_from}")
    print(f"Valid to: {response.certificate_details.valid_to}")
```

--------------------------------

### Using Custom CSR

Source: https://context7.com/venafi/vcert-python/llms.txt

Submits a pre-generated Certificate Signing Request (CSR) for signing, bypassing the SDK's key generation. This is useful when the private key must be managed separately.
The CSR is loaded from a file, and the request includes the CSR data and the common name, which must match the CSR's subject.

```python
from vcert import venafi_connection, CertificateRequest

conn = venafi_connection(api_key="your-api-key")
# Backslash escaped so the zone separator is a literal "\"
zone = "My Application\\Default"

# Load CSR from file
with open("my-csr.pem", "r") as f:
    csr_pem = f.read()

# Create request with existing CSR
request = CertificateRequest(
    csr=csr_pem,
    common_name="app.example.com"  # Must match CSR subject
)

# Request signing
conn.request_cert(request, zone)

# Retrieve signed certificate
cert = conn.retrieve_cert(request)

# Note: Private key is not available since CSR was provided externally
print(cert.full_chain)

# Save certificate
with open("signed-cert.pem", "w") as f:
    f.write(cert.full_chain)
```

--------------------------------

### Renew Certificate by ID or Thumbprint (Python)

Source: https://context7.com/venafi/vcert-python/llms.txt

This code shows how to renew an existing certificate using the `renew_cert` method. It supports renewal by either the certificate request ID or its thumbprint. The renewal process generates a new certificate with the same subject information. It includes a loop to wait for the renewed certificate and prints the full certificate chain and private key.
```python
from vcert import venafi_connection, CertificateRequest
import time

conn = venafi_connection(api_key="your-api-key")

# Renew by certificate request ID
new_request = CertificateRequest(cert_id="original-request-id")
conn.renew_cert(new_request, reuse_key=False)

# Wait for the renewed certificate
cert = None
timeout = time.time() + 300
while time.time() < timeout:
    cert = conn.retrieve_cert(new_request)
    if cert:
        break
    time.sleep(5)

# Stop here if nothing was issued, instead of failing on cert.full_chain
if not cert:
    raise TimeoutError("renewed certificate was not issued within 300 seconds")

print(cert.full_chain)
print(new_request.private_key_pem)

# Alternatively, renew by thumbprint
thumbprint_request = CertificateRequest(thumbprint="ABC123DEF456...")
conn.renew_cert(thumbprint_request)
renewed_cert = conn.retrieve_cert(thumbprint_request)
```

--------------------------------

### Revoking a Certificate (TPP Only)

Source: https://context7.com/venafi/vcert-python/llms.txt

This section describes how to revoke a certificate on CyberArk Certificate Manager (TPP). This operation is not supported on SaaS.

```APIDOC
## Revoking a Certificate (TPP Only)

### Description
Revokes a certificate on CyberArk Certificate Manager (TPP). This operation is not supported on SaaS.

### Method
POST (Implicit through `revoke_cert` method)

### Endpoint
Not directly exposed as a single HTTP endpoint, but involves interactions with the Venafi TPP API.

### Parameters
#### Request Body (Implicit)
- **revoke_request** (RevocationRequest) - An object containing details for revocation, including `req_id` or `thumbprint`, `reason`, `comments`, and `disable` flag.
  - **req_id** (string) - The ID of the certificate request to revoke.
  - **thumbprint** (string) - The thumbprint of the certificate to revoke.
  - **reason** (RevocationRequest.RevocationReasons enum) - The reason for revocation (e.g., `key_compromise`, `superseded`).
  - **comments** (string, optional) - Comments explaining the reason for revocation.
  - **disable** (boolean, optional) - Whether to disable the certificate object in Venafi. Defaults to `False`.

### Request Example
```python
from vcert import venafi_connection, RevocationRequest

conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret"
)

# Revoke by certificate request ID
revoke_request = RevocationRequest(
    req_id="\\VED\\Policy\\Certificates\\app.example.com",
    reason=RevocationRequest.RevocationReasons.key_compromise,
    comments="Private key was exposed",
    disable=True  # Disable the certificate object
)
success = conn.revoke_cert(revoke_request)
print(f"Revocation successful: {success}")

# Revoke by thumbprint
revoke_by_thumbprint = RevocationRequest(
    thumbprint="ABC123DEF456...",
    reason=RevocationRequest.RevocationReasons.superseded,
    comments="Replaced with new certificate"
)
conn.revoke_cert(revoke_by_thumbprint)
```

### Response
#### Success Response (200)
- **success** (boolean) - Indicates whether the revocation operation was successful.
```

--------------------------------

### Request Certificate with VCert Python SDK

Source: https://context7.com/venafi/vcert-python/llms.txt

Submits a certificate signing request (CSR) to the VCert platform. It involves creating a CertificateRequest object with subject details and SANs, configuring key types, and optionally updating the request with zone-specific configurations before submission. Requires the 'vcert' library.
```python
from vcert import venafi_connection, CertificateRequest, KeyType

# Establish connection
conn = venafi_connection(api_key="your-api-key")

# Create certificate request
request = CertificateRequest(
    common_name="app.example.com",
    san_dns=["www.example.com", "api.example.com"],
    organization="Example Corp",
    organizational_unit=["IT", "Security"],
    locality="San Francisco",
    province="California",
    country="US"
)

# Configure key type - RSA 2048 or ECDSA with P-256/P-384/P-521
request.key_type = KeyType(KeyType.RSA, 2048)
# Or for ECDSA: request.key_type = KeyType(KeyType.ECDSA, "p256")

# Read zone configuration and update request with policy defaults
# SaaS format: "AppName\IssuingTemplateName" (backslash escaped in the literal)
zone = "My Application\\Default"
zone_config = conn.read_zone_conf(zone)
request.update_from_zone_config(zone_config)

# Submit request
conn.request_cert(request, zone)
print(f"Certificate request ID: {request.id}")
```

--------------------------------

### Revoke Certificate by ID or Thumbprint (Python - TPP Only)

Source: https://context7.com/venafi/vcert-python/llms.txt

This snippet illustrates how to revoke a certificate using the `revoke_cert` method, which is specific to CyberArk Certificate Manager (TPP). It allows revocation by either the certificate request ID or its thumbprint, specifying a reason and optional comments. The `disable` flag can be used to disable the certificate object.
```python
from vcert import venafi_connection, RevocationRequest

conn = venafi_connection(
    url="https://tpp.example.com/vedsdk",
    user="admin",
    password="secret"
)

# Revoke by certificate request ID
revoke_request = RevocationRequest(
    req_id="\\VED\\Policy\\Certificates\\app.example.com",
    reason=RevocationRequest.RevocationReasons.key_compromise,
    comments="Private key was exposed",
    disable=True  # Disable the certificate object
)
success = conn.revoke_cert(revoke_request)
print(f"Revocation successful: {success}")

# Revoke by thumbprint
revoke_by_thumbprint = RevocationRequest(
    thumbprint="ABC123DEF456...",
    reason=RevocationRequest.RevocationReasons.superseded,
    comments="Replaced with new certificate"
)
conn.revoke_cert(revoke_by_thumbprint)
```
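
--------------------------------

### Added example: validate the SSH CA key before writing the trust line

The "Retrieve SSH CA Configuration" snippet appends `@cert-authority *.example.com {config.ca_public_key}` to `ssh_known_hosts` on every run. This added example (not part of the original page or of the vcert SDK) checks that the value is one well-formed OpenSSH public key and writes the trust line only once. The function names, the allowed key-type list and the sample key are assumptions made for illustration.

```python
import base64
import os
import struct
import tempfile

# Assumption: the key types you are willing to trust on a CA line.
ALLOWED_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_ca_public_key(raw):
    """Return (key_type, base64_blob) for a one-line OpenSSH public key.

    Raises ValueError if the text spans several lines, the type is not
    allowed, or the type named in the text differs from the one in the blob.
    """
    text = raw.strip()
    if "\n" in text or "\r" in text:
        raise ValueError("CA key must be a single line")
    fields = text.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unexpected key type: {key_type!r}")
    # binascii.Error, raised on malformed base64, is a ValueError subclass.
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob begins with a 4-byte big-endian length and the type name.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return key_type, blob_b64


def ensure_cert_authority(known_hosts_path, host_pattern, ca_public_key):
    """Append '@cert-authority <pattern> <key>' unless it is already present.

    Returns True if a line was written, False if it was already there.
    """
    if not host_pattern or any(ch.isspace() for ch in host_pattern):
        raise ValueError("host pattern must be a single token")
    key_type, blob_b64 = parse_ca_public_key(ca_public_key)
    wanted = ["@cert-authority", host_pattern, key_type, blob_b64]

    existing = ""
    if os.path.exists(known_hosts_path):
        with open(known_hosts_path, "r", encoding="utf-8") as f:
            existing = f.read()
    # Compare the first four fields so a trailing comment cannot hide a match.
    if any(line.split()[:4] == wanted for line in existing.splitlines()):
        return False

    with open(known_hosts_path, "a", encoding="utf-8") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")
        # The line is rebuilt from validated fields, never from the raw input.
        f.write(" ".join(wanted) + "\n")
    return True


def constructed_ca_key():
    """Constructed sample: a well-formed ssh-ed25519 blob with an all-zero key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "ssh_known_hosts")
    key = constructed_ca_key()  # stands in for config.ca_public_key
    print(ensure_cert_authority(path, "*.example.com", key))
    print(ensure_cert_authority(path, "*.example.com", key))
```

With the SDK, pass `config.ca_public_key` as the third argument in place of the constructed key.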
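
--------------------------------

### Added example: write the retrieved private key with owner-only permissions

The "Retrieve Certificate" snippet saves `request.private_key_pem` with `open("key.pem", "w")`, which leaves the file mode to the process umask (0644 under the common umask 022). This added example (not from the original page or the SDK; POSIX is assumed) creates the key file as 0600 from the start and audits existing key files. `write_private_key`, `key_file_problems` and `demo` are hypothetical names, and the PEM text is a constructed placeholder.

```python
import os
import stat
import tempfile


def write_private_key(path, pem_text):
    """Create `path` with mode 0600 and write the key; never overwrite.

    O_EXCL makes the call fail if the path already exists, including when
    it is a symlink, so an existing file is never truncated or followed.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(pem_text)
        f.flush()
        os.fsync(f.fileno())  # make sure the key reached the disk


def key_file_problems(path):
    """Return a list of findings for an existing private-key file."""
    st = os.lstat(path)  # lstat: inspect the path itself, not a link target
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"group/other access: mode {mode:04o}")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the current user")
    return problems


def demo():
    """Write the same constructed key both ways and audit the results."""
    pem = (
        "-----BEGIN PRIVATE KEY-----\n"
        "constructed-placeholder-not-a-real-key\n"
        "-----END PRIVATE KEY-----\n"
    )
    workdir = tempfile.mkdtemp()
    old_umask = os.umask(0o022)  # the common default umask
    try:
        loose = os.path.join(workdir, "key-open.pem")
        with open(loose, "w") as f:  # pattern used in the snippet
            f.write(pem)
        tight = os.path.join(workdir, "key-0600.pem")
        write_private_key(tight, pem)
    finally:
        os.umask(old_umask)
    return key_file_problems(loose), key_file_problems(tight)


if __name__ == "__main__":
    loose_findings, tight_findings = demo()
    print("open(..., 'w'):     ", loose_findings)
    print("write_private_key():", tight_findings)
```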