Access OS Root Certificates
wassima is a Python library designed to simplify access to your operating system's root certificates, aiming for ease of use similar to `certifi` while leveraging the system's native trust store. It is currently at version 2.0.6 and maintains an active release cadence, primarily for bug fixes and updates to its embedded CA bundle.
Warnings
- breaking: Version 2.0.0 removed the native Rust extension, the `RUSTLS_LOADED` constant, and the `python -m wassima` debugging utility. Code relying on these features will break. The library is now pure Python.
- breaking: The optional dependency on `certifi` was removed in `wassima` 2.0.0. While `wassima` now includes its own embedded CCADB bundle as a fallback, users who previously relied on `certifi`'s specific trust behavior might experience different trust store resolution.
- gotcha: `wassima` might encounter OS-specific issues or permission errors when attempting to discover and load system trust stores. Past versions have seen fixes for `PermissionError` on Linux, deep scan slowness on FreeBSD, and macOS truststore inconsistencies.
- gotcha: If `wassima` cannot find or load the official system trust store, it will silently fall back to an embedded CCADB bundle. This might lead to unexpected trust decisions if the embedded bundle's policy differs from the system's intended policy.
Install
- `pip install wassima`
Imports
- create_default_ssl_context: `from wassima import create_default_ssl_context`
- generate_ca_bundle: `from wassima import generate_ca_bundle`
Quickstart
```python
import ssl

from wassima import create_default_ssl_context

# Build an SSLContext backed by the operating system's trust store.
# Pass it to any client that accepts an ssl.SSLContext (httpx, urllib).
# requests does not take a context in `verify`; it needs a transport adapter.
context: ssl.SSLContext = create_default_ssl_context()
print(f"SSLContext type: {type(context)}")
print(f"Context protocol: {context.protocol}")

# Optionally inspect the loaded certificates. get_ca_certs() returns dicts:
# for cert in context.get_ca_certs():
#     print(f"  Loaded CA: {cert['subject']}")

# Example usage with `httpx` (if installed):
# import httpx
# try:
#     response = httpx.get("https://example.com", verify=context)
#     print(f"Request to example.com successful: {response.status_code}")
# except Exception as e:
#     print(f"Request failed: {e}")
```
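The silent fallback described under Warnings can be detected by comparing the trust anchors a context actually holds with the bundle you intend to trust. This is an added example using only the standard library, not code from wassima; the function names are hypothetical and the placeholder byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import re
import ssl

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def pem_bundle_to_ders(bundle: str) -> list[bytes]:
    """Split a PEM bundle into DER blobs, ignoring text between blocks."""
    return [ssl.PEM_cert_to_DER_cert(m) for m in _PEM_BLOCK.findall(bundle)]


def fingerprints(ders) -> set[str]:
    """SHA-256 fingerprint of each DER-encoded certificate."""
    return {hashlib.sha256(der).hexdigest() for der in ders}


def audit_anchors(effective_ders, policy_bundle: str) -> dict:
    """Compare the anchors actually trusted with the intended policy bundle."""
    effective = fingerprints(effective_ders)
    policy = fingerprints(pem_bundle_to_ders(policy_bundle))
    return {
        "unexpected": sorted(effective - policy),  # trusted, but not by policy
        "missing": sorted(policy - effective),     # policy anchors not loaded
        "matches_policy": effective == policy,
    }


def audit_context(context: ssl.SSLContext, policy_bundle: str) -> dict:
    # get_ca_certs() reports only certificates already loaded into the
    # context; anchors in an OpenSSL capath directory are loaded lazily.
    return audit_anchors(context.get_ca_certs(binary_form=True), policy_bundle)


# Constructed sample data: placeholder bytes, not real certificates.
SYSTEM_ROOT = b"constructed-system-root"
CORP_ROOT = b"constructed-corporate-root"
EMBEDDED_ONLY_ROOT = b"constructed-embedded-only-root"
POLICY_BUNDLE = "# intended policy\n" + "".join(
    ssl.DER_cert_to_PEM_cert(d) for d in (SYSTEM_ROOT, CORP_ROOT)
)

if __name__ == "__main__":
    # Simulated fallback: the corporate root is gone and an extra root appears.
    print(audit_anchors([SYSTEM_ROOT, EMBEDDED_ONLY_ROOT], POLICY_BUNDLE))
```

Pass `audit_context` the context returned by the library and the PEM text of the bundle you consider authoritative; a non-empty `unexpected` list means the context trusts anchors outside that policy.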