Certificate Authority¶

lacme.ca ¶

Lightweight Certificate Authority for internal/mTLS use.

Generates a self-signed root CA certificate and signs server/client certificates. Uses the :class:~lacme.store.Store protocol for persistence.

CertificateAuthority ¶

Lightweight Certificate Authority for internal/mTLS use.

Generates a self-signed root CA certificate and signs server/client certificates. Uses the :class:~lacme.store.Store protocol for persistence.

initialized `property` ¶

initialized: bool

True if init() has been called.

root_cert_pem `property` ¶

root_cert_pem: bytes

The PEM-encoded root CA certificate.

init ¶

init(*, cn: str = 'lacme Internal CA', validity_days: int = 3650) -> None

Initialize the CA: generate or load root CA cert + key.

If a store is provided and a root CA already exists (via store.load_ca(name)), loads it. Otherwise generates a new self-signed root.

issue ¶

issue(names: str | list[str | IPv4Address | IPv6Address], *, client: bool = False, validity_days: int = 1, validity_hours: int | None = None) -> CertBundle

Issue a server or client certificate signed by this CA.

Parameters:

Name	Type	Description	Default
`names`	`str \| list[str \| IPv4Address \| IPv6Address]`	Domain name(s) and/or IP addresses for SANs.	required
`client`	`bool`	If True, issue client cert (clientAuth EKU). Default: server cert (serverAuth EKU).	`False`
`validity_days`	`int`	Certificate validity in days (default 1 = 24 hours).	`1`
`validity_hours`	`int \| None`	If provided, overrides validity_days.	`None`

Returns:

Type	Description
`CertBundle`	CertBundle with cert_pem, fullchain_pem (leaf + root), key_pem.

Raises:

Type	Description
`CertificateAuthorityError`	If not initialized.

issue_from_csr ¶

issue_from_csr(csr_der: bytes, *, client: bool = False, validity_days: int = 1, validity_hours: int | None = None) -> CertBundle

Sign an externally-provided CSR.

Used by ACMEResponder's finalize endpoint. Extracts SANs from the CSR. The CSR's public key is used (no new key generated).