{"id":4818,"library":"trustme","title":"Trustme: TLS Certs for Testing","description":"Trustme is a tiny Python package designed to generate fake (but technically real) TLS certificates for use in test suites. It provides a simple way to create a certificate authority (CA) and issue server certificates, which can then be used to configure SSL context objects for testing network clients and servers. The current version is 1.2.1, with releases typically tied to Python version support and bug fixes.","status":"active","version":"1.2.1","language":"en","source_language":"en","source_url":"https://github.com/python-trio/trustme","tags":["tls","ssl","certificates","testing","security","cryptography"],"install":[{"cmd":"pip install -U trustme","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Core library for cryptographic operations and certificate generation.","package":"cryptography","optional":false},{"reason":"Provides Python bindings to the OpenSSL library; used for SSL context interaction.","package":"pyOpenSSL","optional":false},{"reason":"Internationalized Domain Names in Applications (IDNA) support, sometimes a transitive but necessary dependency.","package":"idna","optional":false}],"imports":[{"symbol":"trustme","correct":"import trustme"},{"note":"Main class for creating a Certificate Authority.","symbol":"CA","correct":"ca = trustme.CA()"},{"note":"Class representing an issued certificate, typically obtained from a CA instance.","symbol":"LeafCert","correct":"server_cert = ca.issue_cert('hostname')"}],"quickstart":{"code":"import trustme\nimport ssl\n\n# 1. Create a fake Certificate Authority (CA)\nca = trustme.CA()\n\n# 2. Issue a server certificate signed by the CA\n#    The identities specify what hostnames/IPs the cert is valid for\nserver_cert = ca.issue_cert('localhost', '127.0.0.1', '::1', 'test-host.example.org')\n\n# 3. Create an SSLContext for a server\nserver_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)\nserver_context.minimum_version = ssl.TLSVersion.TLSv1_2 # Ensure modern TLS\n\n# 4. Configure the server_context to use the issued server certificate\nserver_cert.configure_cert(server_context)\n\n# 5. Create an SSLContext for a client\nclient_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)\nclient_context.minimum_version = ssl.TLSVersion.TLSv1_2\n\n# 6. Configure the client_context to trust the CA that signed the server cert\nca.configure_trust(client_context)\n\nprint(\"Certificates and SSL contexts configured successfully.\")\n# You can now use server_context and client_context in your server/client applications\n# For example, with asyncio or trio for network communication.","lang":"python","description":"This quickstart demonstrates how to programmatically create a Certificate Authority (CA), issue a server certificate, and configure both server and client SSL contexts to use and trust these certificates. This setup is ideal for local testing of TLS-secured applications."},"warnings":[{"fix":"Ensure your project is running on Python 3.9+ (3.10+ recommended for full compatibility with latest versions) and update your Python environment if necessary.","message":"Support for older Python versions has been removed. Version 1.2.0 removed support for Python 3.8 and PyPy 3.9. Version 1.1.0 removed support for Python 3.7.","severity":"breaking","affected_versions":">=1.1.0, >=1.2.0"},{"fix":"Upgrade to `trustme` 1.2.1 or newer. Review any direct interactions with `pyOpenSSL` objects obtained from `trustme` to ensure compatibility with `cryptography`-backed APIs.","message":"The use of deprecated `pyOpenSSL` APIs has been updated to non-deprecated `cryptography` APIs in version 1.2.1. While `trustme` handles this internally, users relying on specific `pyOpenSSL` patterns for deeper integration might need to review their code if migrating from very old `trustme` versions or directly manipulating `pyOpenSSL` objects exposed by `trustme`.","severity":"deprecated","affected_versions":"<1.2.1"},{"fix":"Prefer using the `--identities` option for specifying hostnames/IPs for certificates, as this properly populates Subject Alternative Names (SANs).","message":"The `--common-name` option in the command-line interface (`python -m trustme`) is deprecated. Common Name (CN) is a legacy field for identifying certificates; modern TLS relies on Subject Alternative Names (SANs).","severity":"deprecated","affected_versions":"All"},{"fix":"While this issue is likely resolved in modern `trustme` distributions, if you encounter `ModuleNotFoundError` for `idna`, explicitly install it: `pip install idna`.","message":"The `idna` library, a dependency of `trustme` (via `cryptography` or `pyOpenSSL`), was historically not always explicitly listed as a direct dependency in `trustme`'s `setup.py` or `pyproject.toml` for some package managers, leading to installation or runtime errors.","severity":"gotcha","affected_versions":"<1.2.1 (historically)"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}