tessl/pypi-certifi

Python package for providing Mozilla's CA Bundle for SSL certificate validation

  • Workspace: tessl
  • Visibility: Public
  • Describes: pypipkg:pypi/certifi@2024.12.x

To install, run

npx @tessl/cli install tessl/pypi-certifi@2024.12.0


Certifi

Python package for providing Mozilla's carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. It has been extracted from the Requests project and serves as a reliable and highly portable root of trust to Python deployments.

Package Information

  • Package Name: certifi
  • Package Type: pypi
  • Language: Python
  • Installation: pip install certifi

Core Imports

import certifi

For accessing specific functions:

from certifi import where, contents

Basic Usage

import certifi

# Get the path to the CA bundle file
ca_bundle_path = certifi.where()
print(ca_bundle_path)
# Output: /path/to/site-packages/certifi/cacert.pem

# Get the contents of the CA bundle
ca_bundle_contents = certifi.contents()
print(ca_bundle_contents[:100])  # First 100 characters
# Output: -----BEGIN CERTIFICATE-----
# MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw...

Command line usage:

# Get the path to the CA bundle
python -m certifi
# Output: /path/to/site-packages/certifi/cacert.pem

# Get the contents of the CA bundle
python -m certifi --contents
# Output: -----BEGIN CERTIFICATE-----
# MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw...

Capabilities

Certificate Bundle Path Access

Returns the filesystem path to the bundled CA certificate file (cacert.pem).

def where() -> str:
    """
    Get the filesystem path to the bundled CA certificate file.
    
    Returns:
        str: The absolute path to the cacert.pem file containing Mozilla's 
             CA certificate bundle. The file is guaranteed to exist and be readable.
    """

The where() function uses version-specific implementations to handle different Python environments:

  • Python 3.11+: Uses importlib.resources.as_file and files
  • Python 3.7+: Uses importlib.resources.path and manages resource cleanup
  • Python < 3.7: Falls back to direct filesystem path manipulation

Certificate Bundle Contents Access

Returns the complete contents of the CA certificate bundle as a string.

def contents() -> str:
    """
    Get the contents of the bundled CA certificate file.
    
    Returns:
        str: The complete contents of the cacert.pem file as ASCII text,
             containing Mozilla's CA certificate bundle in PEM format.
             Each certificate begins with "-----BEGIN CERTIFICATE-----"
             and ends with "-----END CERTIFICATE-----".
    """

The contents() function also uses version-specific implementations:

  • Python 3.11+: Uses importlib.resources.files with read_text
  • Python 3.7+: Uses importlib.resources.read_text
  • Python < 3.7: Reads directly from the filesystem using the where() function

Module Attributes

__version__ = "2024.12.14"
__all__ = ["contents", "where"]

Command Line Interface

The package can be executed as a module to access certificate bundle information from the command line:

# Default behavior: print path to CA bundle
python -m certifi

# Print contents of CA bundle
python -m certifi -c
python -m certifi --contents

Usage Examples

SSL Context Configuration

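import ssl
import urllib.request

import certifi

# Create SSL context that trusts only certifi's CA bundle
# (when cafile is given, the system default store is not loaded)
context = ssl.create_default_context(cafile=certifi.where())

# Use in urllib; the context manager closes the connection
with urllib.request.urlopen('https://example.com', context=context) as response:
    print(response.status)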

Requests Library Integration

import requests
import certifi

# Use certifi's CA bundle explicitly
response = requests.get('https://example.com', verify=certifi.where())

Certificate Validation

import certifi

# Verify the CA bundle exists and contains certificates
ca_path = certifi.where()
ca_contents = certifi.contents()

print(f"CA bundle location: {ca_path}")
print(f"Number of certificates: {ca_contents.count('-----BEGIN CERTIFICATE-----')}")

Architecture Notes

  • Read-only Design: The package explicitly does not support modification of the CA trust store content
  • Portability: Designed for maximum compatibility across Python environments and deployment scenarios
  • Resource Management: Handles resource cleanup properly across different Python versions
  • Version Compatibility: Supports Python 3.6+ with fallback implementations for older importlib.resources APIs
  • Bundle Source: Uses Mozilla's carefully curated CA certificate collection
  • Update Strategy: Certificate bundle is updated with new package releases, not dynamically

Error Handling

The package is designed to be robust and typically does not raise exceptions under normal usage. However, potential issues include:

  • File Access: If the cacert.pem file becomes corrupted or inaccessible, where() may still return a path but contents() could fail when reading
  • Resource Cleanup: The package registers cleanup handlers with atexit to manage resource contexts properly
  • Import Errors: Fallback implementations handle cases where newer importlib.resources APIs are not available

Security Considerations

  • Trust Store Integrity: The package exposes no API for modifying the CA bundle at runtime, so certificate validation stays consistent with the bundle as shipped
  • Source Authority: Certificates come directly from Mozilla's curated collection
  • No Dynamic Updates: Certificate updates require new package versions; nothing is fetched at runtime, so there is no update channel to tamper with
  • System Integration: Designed to work alongside system certificate stores without conflicts
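
Because the bundle changes only with package releases, its contents can be inventoried and compared against a recorded baseline, which goes further than counting BEGIN markers. The following is an added example, not part of certifi or the original documentation: it fingerprints each certificate in a PEM bundle, rejects truncated bundles, and reports roots added or removed. The function names and the sample PEM blocks are constructed for illustration.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One PEM block; comment lines between blocks are skipped.
_BLOCK = re.compile(re.escape(BEGIN) + r"(.+?)" + re.escape(END), re.S)


def cert_fingerprints(pem_text):
    """Return SHA-256 fingerprints (hex) of each certificate's DER bytes."""
    blocks = _BLOCK.findall(pem_text)
    # A BEGIN marker without a matching END means a truncated or corrupted bundle.
    if len(blocks) != pem_text.count(BEGIN):
        raise ValueError("unterminated certificate block in bundle")
    fingerprints = set()
    for body in blocks:
        # binascii.Error (a ValueError subclass) is raised on non-base64 content.
        der = base64.b64decode("".join(body.split()), validate=True)
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def diff_against_baseline(pem_text, baseline):
    """Report roots added to or removed from the bundle relative to a baseline."""
    current = cert_fingerprints(pem_text)
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}


def make_block(payload):
    """Constructed stand-in for a certificate: arbitrary bytes in PEM armor."""
    body = base64.b64encode(payload).decode()
    return f"# Label: constructed\n{BEGIN}\n{body}\n{END}\n"


# Constructed sample bundles (not real certificates), so the example runs offline.
OLD_BUNDLE = make_block(b"root-A") + make_block(b"root-B")
NEW_BUNDLE = make_block(b"root-B") + make_block(b"root-C")

if __name__ == "__main__":
    baseline = cert_fingerprints(OLD_BUNDLE)
    print(diff_against_baseline(NEW_BUNDLE, baseline))
    try:
        import certifi  # optional: inventory the installed bundle
        print(len(cert_fingerprints(certifi.contents())), "roots in", certifi.where())
    except ImportError:
        pass
```

In practice the baseline would be the fingerprint set recorded from a known-good install, and the diff would be reviewed after each certifi upgrade or as a periodic integrity check.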