TLS Certificates Interface

  • Canonical Telco
Channel Revision Published Runs on
latest/edge 129 18 Oct 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 19 10 Feb 2023
Ubuntu 22.04 Ubuntu 20.04
juju deploy tls-certificates-interface --channel edge
Show information

Platform:

charms.tls_certificates_interface.v4.tls_certificates

Charm library for managing TLS certificates (V4).

This library contains the Requires and Provides classes for handling the tls-certificates interface.

Pre-requisites:

  • Juju >= 3.0
  • cryptography >= 43.0.0
  • pydantic

Learn more on how-to use the TLS Certificates interface library by reading the documentation:

  • https://charmhub.io/tls-certificates-interface/

Index

class TLSCertificatesError

Description

Base class for custom errors raised by this library. None

class DataValidationError

Description

Raised when data validation fails. None

class Mode

Enum representing the mode of the certificate request.

Description

UNIT (default): Request a certificate for the unit. Each unit will have its own private key and certificate. APP: Request a certificate for the application. The private key and certificate will be shared by all units.

class PrivateKey

Description

This class represents a private key. None

Methods

PrivateKey. __str__( self )

Description

Return the private key as a string. None

PrivateKey. from_string( cls , private_key: str )

Description

Create a PrivateKey object from a private key. None

class Certificate

Description

This class represents a certificate. None

Methods

Certificate. __str__( self )

Description

Return the certificate as a string. None

Certificate. from_string( cls , certificate: str )

Description

Create a Certificate object from a certificate. None

class CertificateSigningRequest

Description

This class represents a certificate signing request. None

Methods

CertificateSigningRequest. __eq__( self , other: object )

Description

Check if two CertificateSigningRequest objects are equal. None

CertificateSigningRequest. __str__( self )

Description

Return the CSR as a string. None

CertificateSigningRequest. from_string( cls , csr: str )

Description

Create a CertificateSigningRequest object from a CSR. None

CertificateSigningRequest. matches_private_key( self , key: PrivateKey )

Check if a CSR matches a private key.

Arguments

key (PrivateKey)

Private key

Returns

bool

True/False depending on whether the CSR matches the private key.

Description

This function only works with RSA keys.

CertificateSigningRequest. matches_certificate( self , certificate: Certificate )

Check if a CSR matches a certificate.

Arguments

certificate (Certificate)

Certificate

Returns

bool

True/False depending on whether the CSR matches the certificate.

CertificateSigningRequest. get_sha256_hex( self )

Description

Calculate the hash of the provided data and return the hexadecimal representation. None

class CertificateRequestAttributes

A representation of the certificate request attributes.

Description

This class should be used inside the requirer charm to specify the requested attributes for the certificate.

Methods

CertificateRequestAttributes. is_valid( self )

Description

Check whether the certificate request is valid. None

CertificateRequestAttributes. generate_csr( self , private_key: PrivateKey )

Generate a CSR using private key and subject.

Arguments

private_key (PrivateKey)

Private key

Returns

CertificateSigningRequest

CSR

CertificateRequestAttributes. from_csr( cls , csr: CertificateSigningRequest , is_ca: bool )

Description

Create a CertificateRequestAttributes object from a CSR. None

class ProviderCertificate

Description

This class represents a certificate provided by the TLS provider. None

Methods

ProviderCertificate. to_json( self )

Return the object as a JSON string.

Returns

str

JSON representation of the object

class RequirerCertificateRequest

Description

This class represents a certificate signing request requested by a specific TLS requirer. None

class CertificateAvailableEvent

Description

Charm Event triggered when a TLS certificate is available. None

Methods

CertificateAvailableEvent. __init__( self , handle: Handle , certificate: Certificate , certificate_signing_request: CertificateSigningRequest , ca: Certificate , chain )

CertificateAvailableEvent. snapshot( self )

Description

Return snapshot. None

CertificateAvailableEvent. restore( self , snapshot: dict )

Description

Restore snapshot. None

CertificateAvailableEvent. chain_as_pem( self )

Description

Return full certificate chain as a PEM string. None

def generate_private_key(
    key_size: int,
    public_exponent: int
)

Generate a private key with the RSA algorithm.

Arguments

key_size (int)

Key size in bytes

public_exponent

Public exponent.

Returns

Private Key

def generate_csr(
    private_key: PrivateKey,
    common_name: str,
    sans_dns,
    sans_ip,
    sans_oid,
    organization,
    organizational_unit,
    email_address,
    country_name,
    locality_name,
    state_or_province_name,
    add_unique_id_to_subject_name: bool
)

Generate a CSR using private key and subject.

Arguments

private_key (PrivateKey)

Private key

common_name (str)

Common name

sans_dns (FrozenSet[str])

DNS Subject Alternative Names

sans_ip (FrozenSet[str])

IP Subject Alternative Names

sans_oid (FrozenSet[str])

OID Subject Alternative Names

organization (Optional[str])

Organization name

organizational_unit (Optional[str])

Organizational unit name

email_address (Optional[str])

Email address

country_name (Optional[str])

Country name

state_or_province_name (Optional[str])

State or province name

locality_name (Optional[str])

Locality name

add_unique_id_to_subject_name (bool)

Whether a unique ID must be added to the CSR's subject name. Always leave to "True" when the CSR is used to request certificates using the tls-certificates relation.

Returns

CSR

def generate_ca(
    private_key: PrivateKey,
    validity: timedelta,
    common_name: str,
    sans_dns,
    sans_ip,
    sans_oid,
    organization,
    organizational_unit,
    email_address,
    country_name,
    state_or_province_name,
    locality_name
)

Generate a self signed CA Certificate.

Arguments

private_key (PrivateKey)

Private key

validity (timedelta)

Certificate validity time

common_name (str)

Common Name that can be an IP or a Full Qualified Domain Name (FQDN).

sans_dns (FrozenSet[str])

DNS Subject Alternative Names

sans_ip (FrozenSet[str])

IP Subject Alternative Names

sans_oid (FrozenSet[str])

OID Subject Alternative Names

organization (Optional[str])

Organization name

organizational_unit (Optional[str])

Organizational unit name

email_address (Optional[str])

Email address

country_name (str)

Certificate Issuing country

state_or_province_name (str)

Certificate Issuing state or province

locality_name (str)

Certificate Issuing locality

Returns

CA Certificate.

def generate_certificate(
    csr: CertificateSigningRequest,
    ca: Certificate,
    ca_private_key: PrivateKey,
    validity: timedelta,
    is_ca: bool
)

Generate a TLS certificate based on a CSR.

Arguments

csr (CertificateSigningRequest)

CSR

ca (Certificate)

CA Certificate

ca_private_key (PrivateKey)

CA private key

validity (timedelta)

Certificate validity time

is_ca (bool)

Whether the certificate is a CA certificate

Returns

Certificate

class CertificatesRequirerCharmEvents

Description

List of events that the TLS Certificates requirer charm can leverage. None

class TLSCertificatesRequiresV4

Description

A class to manage the TLS certificates interface for a unit or app. None

Methods

TLSCertificatesRequiresV4. __init__( self , charm: CharmBase , relationship_name: str , certificate_requests , mode: Mode , refresh_events )

Create a new instance of the TLSCertificatesRequiresV4 class.

Arguments

charm (CharmBase)

The charm instance to relate to.

relationship_name (str)

The name of the relation that provides the certificates.

certificate_requests (List[CertificateRequestAttributes])

A list with the attributes of the certificate requests.

mode (Mode)

Whether to use unit or app certificates mode. Default is Mode.UNIT.

refresh_events (List[BoundEvent])

A list of events to trigger a refresh of the certificates.

TLSCertificatesRequiresV4. renew_certificate( self , certificate: ProviderCertificate )

Description

Request the renewal of the provided certificate. None

TLSCertificatesRequiresV4. private_key( self )

Description

Return the private key. None

TLSCertificatesRequiresV4. regenerate_private_key( self )

Regenerate the private key.

Description

Generate a new private key, remove old certificate requests and send new ones.

TLSCertificatesRequiresV4. get_csrs_from_requirer_relation_data( self )

Description

Return list of requirer's CSRs from relation data. None

TLSCertificatesRequiresV4. get_provider_certificates( self )

Description

Return list of certificates from the provider's relation data. None

TLSCertificatesRequiresV4. get_assigned_certificate( self , certificate_request: CertificateRequestAttributes )

Description

Get the certificate that was assigned to the given certificate request. None

TLSCertificatesRequiresV4. get_assigned_certificates( self )

Description

Get a list of certificates that were assigned to this or app. None

class TLSCertificatesProvidesV4

Description

TLS certificates provider class to be instantiated by TLS certificates providers. None

Methods

TLSCertificatesProvidesV4. __init__( self , charm: CharmBase , relationship_name: str )

TLSCertificatesProvidesV4. get_certificate_requests( self , relation_id )

Description

Load certificate requests from the relation data. None

TLSCertificatesProvidesV4. revoke_all_certificates( self )

Revoke all certificates of this provider.

Description

This method is meant to be used when the Root CA has changed.

TLSCertificatesProvidesV4. set_relation_certificate( self , provider_certificate: ProviderCertificate )

Add certificates to relation data.

Arguments

provider_certificate (ProviderCertificate)

ProviderCertificate object

Returns

None

TLSCertificatesProvidesV4. get_issued_certificates( self , relation_id )

Return a List of issued (non revoked) certificates.

Returns

List

List of ProviderCertificate objects

TLSCertificatesProvidesV4. get_provider_certificates( self , relation_id )

Description

Return a List of issued certificates. None

TLSCertificatesProvidesV4. get_unsolicited_certificates( self , relation_id )

Return provider certificates for which no certificate requests exists.

Description

Those certificates should be revoked.

TLSCertificatesProvidesV4. get_outstanding_certificate_requests( self , relation_id )

Return CSR's for which no certificate has been issued.

Arguments

relation_id (int)

Relation id

Returns

list

List of RequirerCertificateRequest objects.