Python client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.


Venafi Apache 2.0 License Community Supported Compatible with TPP 17.3+ & VaaS
This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. We welcome and appreciate all contributions. Got questions or want to discuss something with our team? Join us on Slack!

VCert Python

VCert Python is a Python library and SDK designed to simplify key generation and enrollment of machine identities (also known as SSL/TLS certificates and keys) that comply with enterprise security policy by using the Venafi Trust Protection Platform or Venafi as a Service.

This implementation is based on the original Go library,


VCert supports Python 3, and Python 2.7 (when the future module is installed). VCert releases are tested using the latest version of Trust Protection Platform. The latest VCert release should be compatible with Trust Protection Platform 17.3 or higher based on the subset of API methods it consumes.


Get the library using pip:
pip install vcert

You can also install the latest version from GitHub:
pip install

If installation fails while collecting dependencies, make sure your Python setuptools is up to date. Run the following command to upgrade to the latest version of setuptools: pip install setuptools -U

Usage example

For code samples of programmatic use, please review the files in /examples.

  • For Trust Protection Platform, the zone format is the DN of a policy with or without the "\VED\Policy" prefix (e.g. "\VED\Policy\Certificates\VCert" or simply "Certificates\VCert")
  • For Venafi as a Service, the zone format is the name of an OutagePREDICT Application and the API Alias of an Issuing Template assigned to it delimited by a single backslash character (e.g. "My Application\My CIT")

Prerequisites for using with Trust Protection Platform

  1. A user account that has an authentication token with "certificate:manage,revoke" scope (i.e. access to the "Venafi VCert SDK" API Application as of 20.1) or has been granted WebSDK Access
  2. A folder (zone) where the user has been granted the following permissions: View, Read, Write, Create, Revoke (for the revoke action), and Private Key Read (for the pickup action when CSR is service generated)
  3. Policy applied to the folder which specifies:
    1. CA Template that Trust Protection Platform will use to enroll certificate requests submitted by VCert
    2. Subject DN values for Organizational Unit (OU), Organization (O), City (L), State (ST) and Country (C)
    3. Management Type not locked or locked to 'Enrollment'
    4. Certificate Signing Request (CSR) Generation not locked or locked to 'Service Generated CSR'
    5. Generate Key/CSR on Application not locked or locked to 'No'
    6. (Recommended) Disable Automatic Renewal set to 'Yes'
    7. (Recommended) Key Bit Strength set to 2048 or higher
    8. (Recommended) Domain Whitelisting policy appropriately assigned

The requirement for the CA Template to be assigned by policy follows a long-standing Venafi best practice, which also met our design objective of keeping the certificate request process simple for VCert users. If you require the ability to specify the CA Template with the request, you can use the TPP REST APIs, but please be advised this goes against Venafi recommendations.

Prerequisites for using with Venafi as a Service

  1. The Venafi as a Service REST API is accessible at from the system where VCert will be executed.
  2. You have successfully registered for a Venafi as a Service account, have been granted at least the "Resource Owner" role, and know your API key.
  3. A CA Account and Issuing Template exist and have been configured with:
    1. Recommended Settings values for:
      1. Organizational Unit (OU)
      2. Organization (O)
      3. City/Locality (L)
      4. State/Province (ST)
      5. Country (C)
    2. Issuing Rules that:
      1. (Recommended) Limits Common Name and Subject Alternative Name to domains that are allowed by your organization
      2. (Recommended) Restricts the Key Length to 2048 or higher
      3. (Recommended) Does not allow Private Key Reuse
  4. An Application exists where you are among the owners, and you know the Application Name.
  5. An Issuing Template is assigned to the Application, and you know its API Alias.

Contributing to VCert

Venafi welcomes contributions from the developer community.

  1. Fork it to your account (
  2. Clone your fork (git clone [email protected]:youracct/vcert-python.git)
  3. Create a feature branch (git checkout -b your-branch-name)
  4. Implement and test your changes
  5. Commit your changes (git commit -am 'Added some cool functionality')
  6. Push to the branch (git push origin your-branch-name)
  7. Create a new Pull Request (

NOTE: While developing with vcert-python, it is helpful if you are using a virtualenv to install the vcert-python library from source in development mode with pip install --editable. See


Copyright © Venafi, Inc. All rights reserved.

VCert is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Please direct questions/comments to [email protected].

  • Add support for UPN and URI SAN types

    This PR updates vcert-python to support additional SAN types, userPrincipalName and URL. The UPN extension was added per MS OID specifications. A fix to the tests was also made to ensure that custom extensions are added; the enroll method in was not properly evaluating the connection type and was skipping the code that added custom extensions to CSR. Also made a minor update to the README to help developers that are actively updating vcert-python itself. Note: this was developed and tested in Python 3 only.

    opened by wgoulet 8
  • TPPTokenConnection not able to customize ClientID

    TPPTokenConnection always sends client_id value equal to vcert-sdk. Paul Cleary requested that our products use a different client_id value, for tracking purposes to tell which integrations are seeing the most use in your customer base.

    However, TPPTokenConnection does not allow customizing client_id. TPPTokenConnection's constructor creates an Authentication object with only very limited customization options. The client which constructs TPPTokenConnection is not able to customize the Authentication object's client_id option.

    opened by FooBarWidget 2
  • TPPTokenConnection not able to customize OAuth scope

    PROBLEM SUMMARY

    TPPTokenConnection always uses the certificate:manage,revoke;configuration:manage scope when POSTing to /vedauth/authorize/oauth. This is hardcoded, as opposed to customizable.

    On my TPP this causes an authorization issue. I'm not able to authorize with my TPP until I remove the 'configuration:manage' scope.

    COMMENTS/WORKAROUNDS

    TPPTokenConnection's constructor creates an Authentication object with no way to customize its scope property. As a result, the Authentication object always uses the default SCOPE constant, whose value is certificate:manage,revoke;configuration:manage.

    opened by FooBarWidget 2
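
The scope mismatch this issue describes, as an added example (not vcert-python code): it parses the scope strings quoted above, reports which privileges a request asks for beyond what the TPP permits, and builds the smallest scope for a set of operations. The operation-to-privilege table, the `allowed` value and all function names are assumptions made for illustration.

```python
# Added example, not vcert-python code. Scope grammar as in the strings
# quoted in the issue: "<resource>:<priv>,<priv>;<resource>:<priv>".

# Assumption for illustration: which privilege each operation needs.
OPERATION_PRIVILEGES = {
    "enroll": ("certificate", "manage"),
    "renew": ("certificate", "manage"),
    "revoke": ("certificate", "revoke"),
    "policy": ("configuration", "manage"),
}


def parse_scope(scope):
    """Turn a scope string into {resource: {privilege, ...}}."""
    parsed = {}
    for part in scope.split(";"):
        if not part.strip():
            continue
        resource, _, privileges = part.partition(":")
        resource = resource.strip().lower()
        if not resource:
            raise ValueError("scope part %r has no resource" % part)
        names = {p.strip().lower() for p in privileges.split(",") if p.strip()}
        parsed.setdefault(resource, set()).update(names)
    return parsed


def format_scope(parsed):
    """Serialize back to a canonical, sorted scope string."""
    parts = []
    for resource in sorted(parsed):
        privileges = ",".join(sorted(parsed[resource]))
        parts.append(resource + ":" + privileges if privileges else resource)
    return ";".join(parts)


def excess(requested, allowed):
    """Privileges present in `requested` that `allowed` does not contain."""
    extra = {}
    for resource, privileges in requested.items():
        if resource not in allowed:
            extra[resource] = set(privileges)
        elif privileges - allowed[resource]:
            extra[resource] = privileges - allowed[resource]
    return extra


def scope_for(operations):
    """Smallest scope that covers the listed operations."""
    needed = {}
    for op in operations:
        resource, privilege = OPERATION_PRIVILEGES[op]
        needed.setdefault(resource, set()).add(privilege)
    return needed


if __name__ == "__main__":
    hardcoded = parse_scope("certificate:manage,revoke;configuration:manage")
    allowed = parse_scope("certificate:manage,revoke")  # constructed sample
    print("not permitted:", format_scope(excess(hardcoded, allowed)))
    print("request instead:", format_scope(scope_for(["enroll", "revoke"])))
```
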
  • Examples link on pypi not working

    PROBLEM SUMMARY

    The link to examples,, on does not work. The same link from github's readme is fine.

    STEPS TO REPRODUCE

    Click the link :)

    opened by gdbarron 1
  • Support for central key/CSR generation or Service generation through Venafi TPP

    BUSINESS PROBLEM

    Most of my customers' Certificate solutions use central key/CSR generation. They would like to use vcert-python but this is a blocker for them to deploy to their teams.

    PROPOSED SOLUTION

    Adding Service Generated Keys/CSRs to vcert-Python

    CURRENT ALTERNATIVES

    Customer is either building the certs manually through Venafi TPP UI and importing the certs manually or using the API to generate and then retrieve the cert then manually install the cert.

    VENAFI EXPERIENCE

    My customer has been using Venafi for well over a decade and uses Venafi on a daily basis to service their entire certificate inventory.

    opened by GeoffVenafi 1
  • Fix policy management for VaaS after Org Unit removed

    The Org Unit construct was dropped from Venafi as a Service last week and since then the certificate policy assignment feature has not worked. This update addresses that.

    opened by tr1ck3r 0
  • Adding ability to disable subject fields for VaaS

    The following fields can now be disabled when creating a Policy Specification on VaaS:

    • organization
    • organizational units
    • localities
    • states
    • countries

    To do so, an array with an empty string must be passed to the attribute, e.g.: { "subject": { "orgs": [ "" ], "orgUnits": [ "" ], "localities": [ "sample_locality" ] } }

    opened by rvelaVenafi 0
  • Adding support for PKCS1 format on private keys

    VaaS and TPP now default private key formats to PKCS8. A flag has been introduced allowing users to indicate they want the private key in the legacy PKCS1 format.

    opened by rvelaVenafi 0
  • fix: remove infinite while loop and added error handling for retrieve_cert()

    Working with TPP, trying to retrieve a non-existing cert would result in an infinite while loop with the following error message...

    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}
    ERROR:root:Unknown error format: {'Error': 'Certificate test does not exist.'}

    Instead we now log the error once and raise a RetrieveCertificateNotFound error.

    opened by mowdash 0
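
The behaviour this pull request describes, sketched as an added example (not the PR's code): a polling loop that logs a terminal error once and stops, and that gives up at a deadline instead of looping forever. The reply shapes other than the `Error` dict from the log lines above, the base and timeout exceptions, and the function name are assumptions.

```python
import logging
import time

log = logging.getLogger("retrieve_example")


class RetrieveCertificateError(Exception):
    """Hypothetical base class for this example."""


class RetrieveCertificateNotFound(RetrieveCertificateError):
    """Stand-in defined here for the error the PR names; not imported from vcert."""


class RetrieveCertificateTimeout(RetrieveCertificateError):
    """Hypothetical: the certificate was still pending at the deadline."""


def retrieve_cert_bounded(fetch, timeout=180.0, interval=2.0,
                          clock=time.monotonic, sleep=time.sleep):
    """Poll fetch() until it yields a certificate, fails for good, or times out.

    fetch() returns a dict: {"pem": ...} once issued, {"pending": True} while
    the request is in progress, or {"Error": "..."} on failure. Only the
    last shape comes from the page; the first two are assumed.
    """
    deadline = clock() + timeout
    while True:
        reply = fetch()
        if "pem" in reply:
            return reply["pem"]
        if not reply.get("pending"):
            # Terminal answer: asking again cannot change it. Log once, stop.
            message = str(reply.get("Error", reply))
            log.error("retrieve failed: %s", message)
            if "does not exist" in message:
                raise RetrieveCertificateNotFound(message)
            raise RetrieveCertificateError(message)
        if clock() + interval > deadline:
            raise RetrieveCertificateTimeout("still pending after %.0fs" % timeout)
        sleep(interval)


if __name__ == "__main__":
    # Constructed reply, same shape as the log lines quoted in the PR.
    try:
        retrieve_cert_bounded(lambda: {"Error": "Certificate test does not exist."})
    except RetrieveCertificateNotFound as exc:
        print("stopped after one attempt:", exc)
```
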
  • Replicate the VCert-go GetZonesByParent() feature

    From description.

    BUSINESS PROBLEM

    Both TPP and VaaS can support situations where multiple policies have been defined for use by a single consumer. For TPP, this is done by creating multiple child policy folders in a common parent policy folder. For VaaS, this is done by assigning multiple Issuing Templates to a single application.

    PROPOSED SOLUTION

    The new GetZonesByParent methods for TPP and VaaS allow VCert client SDK consumers to enumerate those policies (zones) rather than having to know them individually.

    opened by marcos-albornoz 0
  • Implement missing operations on Fake Connector

    The FakeConnector class is missing several operations. These operations should be returning mockup data for testing or demoing purposes.

    The following operations need implementation:

    • renew_cert(self, request, reuse_key=False):
    • read_zone_conf(self, tag):
    • import_cert(self, request):
    • get_policy(self, zone):
    • set_policy(self, zone, policy_spec):
    • request_ssh_cert(self, request):
    • retrieve_ssh_cert(self, request):
    • retrieve_ssh_config(self, ca_request):
    opened by rvelaVenafi 0
  • Refactor and optimize code

    @warrior-abhijit has suggested several changes to vcert-python code. We can address them together in one issue.

    switch case will be better here ? Originally posted by @warrior-abhijit in

    address todo now ?? as these are lot of if, else in here Originally posted by @warrior-abhijit in

    regex match API would be lot better here and will remove lot of duplicate code below w.r.t regex match Originally posted by @warrior-abhijit in

    switch case may be here as well ? Originally posted by @warrior-abhijit in

    There is a handy Python wrapper called @property. This can be handy here. It would look like this:

        @property
        def base_url(self):
            # This is a getter
            return self._base_url

        @base_url.setter
        def base_url(self, value):
            # This is the setter method
            self._base_url = self._normalize_and_verify_base_url(value)

    It's nicer for refactoring and is pretty explicit. Originally posted by @HELGAHR in

    How safe is it in this method to assume that these dictionary keys resolve? I'm new to this code, but I usually think thrice before trying to access a node in the dictionary without .get(). Originally posted by @HELGAHR in

    Just a tidbit of input: Python string objects have a .startswith() method that's easier to read than a regex, although a regex works fine. Originally posted by @HELGAHR in

    No use in having a doc string if the parameters aren't described, IMO. Originally posted by @HELGAHR in

    opened by rvelaVenafi 0
  • v0.15.0(May 17, 2022)

    • Support for contacts/owners when creating a policy on both TPP and VaaS
    • Support for legacy PKCS1 format on private keys when requesting a certificate
    • Support for SANs: email, IP, URI when creating a policy on VaaS
    • Ability to disable Subject fields on VaaS: organizations, org units, localities, states, countries
    • Support for EC private keys on VaaS
    • Support for Service generated related attributes on VaaS
  • v0.14.0(Feb 4, 2022)

    • Dropped support for Python 2 as it has reached end of life. New baseline is Python 3.6 and higher.
    • Added integration with sonarcloud for test coverage.
    • Added version history file.
    • Added test cases for json/yaml file parsing.
    • Minor issues fixed.
  • v0.13.2(Dec 7, 2021)

    • Added the ability to fill up the empty attributes of the certificate request with the default values of the policy/zone where the certificate is going to be created. Supported values: organization, organizational units, locality, state, country
  • v0.13.1(Nov 30, 2021)

  • v0.13.0(Nov 30, 2021)

  • v0.12.5(Oct 30, 2021)

  • v0.12.4(Oct 12, 2021)

    • Support for PKCS12 has been added to the response certificate. Calling certificate.as_pkcs12("password") shall return the certificate content as PKCS12.
    • Support for flexible validity periods has been added. Setting request.validity_hours = 144 will create a certificate with the specified expiration time period. Additionally, an issuer can be defined for TPP with request.issuer_hint = IssuerHint.MICROSOFT (or any value available on the IssuerHint object).
  • v0.12.3(Sep 29, 2021)

  • v0.12.2(Sep 27, 2021)

  • v0.12.1(Sep 2, 2021)

    • Removed 'keyReuse' attribute for policy specification creation on VaaS.
    • Fixed an issue in the URL validation that failed for URLs containing uppercase characters.
  • v0.12.0(Aug 17, 2021)

    Added support for SSH certificates in Trust Protection Platform through the new methods: request_ssh_cert() and retrieve_ssh_cert(). For usage examples check:

  • v0.11.2(Jul 29, 2021)

  • v0.11.1(Jul 14, 2021)

    • Policy Management token scope separated from Certificate Management scope. Certificate Management scope is now default.
    • Fixed an issue where retrieving a policy from VaaS returned the domains values with appended regexes if the Policy was created using any of the vcert sdks. This issue does not happen if the policy was created using VaaS UI.
    • Fixed an issue where the Country regexes were being returned as the CN regexes when retrieving a Policy from VaaS.
    • Fixed an issue where certificates requested from VaaS would fail to be retrieved even when the status of the Certificate is ISSUED. A timeout has been added to the request, so the sdk will try to retrieve the Certificate for that long before failing.
  • v0.11.0(May 12, 2021)

    Added Certificate Policy Management for Trust Protection Platform and Venafi as a Service through the new set_policy() and get_policy() methods of the CloudConnection, TPPConnection and TPPTokenConnection classes. For a usage example see

  • v0.10.0(Jan 23, 2021)

    This release updates the Venafi Cloud integration to use OutagePREDICT instead of DevOpsACCELERATE. The only impact to Venafi Cloud users of VCert-Python is the change in zone syntax. The zone is now "{ApplicationName}\{IssuingTemplateApiAlias}" (e.g. "My Application\My CIT").

  • v0.9.1(Dec 15, 2020)

  • v0.9.0(Sep 30, 2020)

  • v0.8.0(Apr 10, 2020)

  • v0.7.4(Jan 14, 2020)

  • v0.7.0(Nov 20, 2019)

  • v0.6.9(Nov 18, 2019)

  • v0.6.7(Oct 29, 2019)

  • csr-fix(Sep 11, 2019)

  • v0.3.1(Jan 11, 2019)

  • v0.3.0(Jan 10, 2019)

Venafi, Inc.
Venafi solutions find, protect and secure machine identities for our hyper-connected world.