Python Libraries

Peeringhub provides two Python packages for service providers who want to generate and operate STIR/SHAKEN certificates from a Python-based workflow:

• stir-shaken-toolkit is the reusable toolkit. Use it when you want a command-line utility or Python library for ACME, TNAuthList, STI-PA SPC tokens, CSRs, certificate inspection, and Peeringhub certificate issuance.

• shaken-cert-manager is the lifecycle manager. Use it when you want a Certbot-style operations tool that keeps the active certificate current, manages archive/live state, runs deployment hooks, reports status, renews certificates, and cleans up old material.

The video walkthrough SHAKEN Cert Manager intro explains the intended operating model: use the toolkit for the low-level STIR/SHAKEN and ACME work, then use the manager when you need repeatable certificate operations on a production signing server.

Which Python project should I use?

Use stir-shaken-toolkit when you are learning the flow, testing Peeringhub issuance, building your own automation, or integrating certificate issuance into an existing Python service. It exposes provider-neutral RFC 8555 ACME primitives, STIR/SHAKEN-specific helpers, and Peeringhub defaults.

Use shaken-cert-manager when the certificate must be maintained over time. It is the operational layer on top of stir-shaken-toolkit. It tracks which certificate generation is active, keeps old generations in an archive, publishes stable live/current links, decides when renewal is needed, and provides status, renew, force-renew, and cleanup commands.

Neither package signs calls by itself. Your STI-AS, SIP proxy, or signing service still signs outbound calls and inserts the SIP Identity header. The Python tools only help you obtain, publish, rotate, inspect, and monitor the STIR/SHAKEN certificate material used by that signing service.

Prerequisites

Before using either Python package, prepare these values:

• Python 3.10 or later.

• An active Peeringhub STI-CA account.

• The Peeringhub ACME key identifier, also called ACME_KID.

• STI-PA credentials: STIPA_USER_ID, STIPA_PASSWORD, and STIPA_SP_ID.

• Your service provider code, usually the same value as the OCN/SPC, for example 818H.

• Certificate subject values, including country, state, locality, and organization.

• A secure location for the ACME account key, for example /var/lib/shaken/account/account.key.

• A public HTTPS URL where your signing service can publish the active certificate-chain.pem. This URL is the certificate URL used by PASSporT x5u.

Install the packages in a virtual environment:

Option 1: Issue a certificate directly with stir-shaken-toolkit

stir-shaken-toolkit is the best starting point because it shows every important step in the Peeringhub issuance flow. The package is split into three layers:

• acme_core: provider-neutral ACME request signing, nonces, accounts, orders, challenges, finalization, and download logic.

• stir_shaken_acme: STIR/SHAKEN-specific helpers for TNAuthList, STI-PA SPC tokens, fingerprints, CSRs, certificate issuance, inspection, and validation.

• stir_shaken_toolkit.providers.peeringhub: Peeringhub defaults and convenience APIs so operators do not need to build the ACME profile by hand.

Start by exporting the required values. Replace the example values with your own production values:

Create or verify the Peeringhub ACME account directory:

This creates or verifies two important files:

• account.key: the durable EC P-256 private key used for Peeringhub ACME account authentication.

• account.json: a recoverable cache of the Peeringhub ACME account URL.

For Peeringhub issuance, the same account.key is used for ACME request signing, the STI-PA SPC token fingerprint, the CSR public key, and the final certificate/private-key pair. Protect it like any other production private key.

Issue the certificate:

During issuance, the toolkit performs this flow:

1. Prepares or verifies the local Peeringhub ACME account.

2. Builds the TNAuthList value from your SPC.

3. Generates the fingerprint required for the STI-PA SPC token.

4. Requests and validates the STI-PA SPC token.

5. Creates a Peeringhub ACME order.

6. Submits the tkauth-01 challenge.

7. Builds a CSR using the local ACME account key.

8. Finalizes the ACME order.

9. Downloads and validates the issued STIR/SHAKEN certificate chain.

By default, the command writes artifacts to a timestamped directory such as:

The output directory contains:

• csr.pem: the CSR submitted to Peeringhub.

• csr.der: the DER form of the same CSR.

• leaf.pem: the issued subscriber certificate.

• certificate-chain.pem: the subscriber certificate followed by the Peeringhub intermediate certificate.

• issuance.json: issuance metadata, order URLs, certificate URLs, validation details, subject details, and the account key path used for the CSR.

The output directory does not contain a private key. The matching private key is the ACME account key. In most deployments, publish certificate-chain.pem at your public STIR/SHAKEN certificate URL and configure your signing system to use account.key as the private key. Do not publish account.key.

You can inspect the certificate and verify that the key matches:

Option 2: Operate certificates with shaken-cert-manager

shaken-cert-manager is for servers that need ongoing certificate management. The manager owns a state directory, usually /var/lib/shaken, and keeps a safe operational layout:

The archive directory is the durable certificate history. The live directory exposes stable paths to currently usable generations. live/current points to the active generation, which makes it easy for a web server or deploy hook to publish the current certificate-chain.pem without changing application configuration every time a certificate is renewed.

Create a private manager config file:

A minimal production config looks like this:

Create or verify the ACME account key first:

Issue the first certificate:

issue-initial only issues a certificate when no active usable certificate exists. If an active certificate is already present, it exits successfully without replacing it.

Check status:

Use status --json for local automation and status --nagios for monitoring systems. The Nagios output includes a status code and certificate days remaining, so your monitoring system can alert before the certificate becomes unsafe to use.

Run renewal from your scheduler:

renew checks the active certificate first. It only issues a replacement when the certificate is inside the configured renewal window, when active state is critical, or when the active certificate needs replacement. For deliberate manual replacement, use:

For non-interactive operations, add --skip-confirm:

Run cleanup periodically:

Cleanup removes expired inactive archives, stale live links, and old failed transaction directories. It does not remove the active certificate generation.

Automating renewal

A simple cron job can run renewal twice per day:

For systemd hosts, use a timer instead. A systemd timer can add randomized delay, persistent catch-up after missed runs, and structured logs. Keep lifecycle hooks in the YAML config; the scheduler should only run renew.

How this connects to call signing

After issuance, the signing system needs two things:

• The private key, stored locally and readable only by the signing service. With Peeringhub issuance this is usually /var/lib/shaken/account/account.key.

• A public HTTPS URL that serves the active certificate-chain.pem, usually from /var/lib/shaken/live/current/certificate-chain.pem or a web-server path updated by the deploy hook.

The signing service uses the private key to sign PASSporT tokens and places the public certificate URL in the SIP Identity header as x5u. Downstream verifiers download the certificate chain from that URL and validate the signature. If the private key and certificate do not match, verification will fail.

Using the toolkit from Python code

Use the Python API when you need the issuance flow inside your own application instead of calling the CLI. This example shows the shape of a Peeringhub issuer: