tiny_ca.db.models module
SQLAlchemy ORM models and status enumerations for the certificate registry.
Module-level contents

- CertificateStatus: a StrEnum representing the lifecycle state of a certificate row.
- CertificateRecord: ORM-mapped table that stores all metadata for issued, revoked, and expired certificates.
Design notes

- CertificateStatus uses StrEnum so that values are stored as plain strings in the database, making the column human-readable and compatible with non-Python tooling that queries the database directly.
- CertificateRecord stores the full PEM-encoded public certificate so the certificate can be reconstructed independently of the filesystem artefacts.
- serial_number is stored as String (not Integer) because X.509 serial numbers can be up to 20 bytes / 160 bits, exceeding the range of a 64-bit SQL integer on most backends.
- uuid links the database record to the filesystem folder managed by BaseStorage, enabling clean deletion of both the DB row and the corresponding files together.
- class tiny_ca.db.models.CertificateRecord(**kwargs)

  Bases: Base

  ORM model for a single certificate entry in the registry.

  Maps to the certificates table. Each row represents one certificate that has been issued by the CA, regardless of its current lifecycle state.

  Columns
  - id (int): Auto-incremented surrogate primary key. Not exposed to application code; use serial_number as the business key.
  - serial_number (str): X.509 serial number stored as a decimal string. Unique and indexed. String storage avoids integer overflow for serials of up to 20 octets / 160 bits (RFC 5280 §4.1.2.2).
  - common_name (str): Common Name (CN) extracted from the certificate Subject at issuance time. Not unique; the same CN may appear across different certificate generations (e.g. after rotation).
  - status (str): Current lifecycle state. One of the CertificateStatus values: "valid", "revoked", "expired", or "unknown". Defaults to CertificateStatus.VALID on insertion. The value is stored, not derived from the validity dates, so a row can still read "valid" after not_valid_after has passed until something updates it; expiry checks should compare not_valid_after against the current time rather than trust status alone.
  - not_valid_before (datetime): Start of the certificate's validity period (UTC, naive datetime as stored by SQLAlchemy's DateTime column type). Callers must supply naive UTC values consistently; Python raises TypeError when comparing naive and timezone-aware datetimes.
  - not_valid_after (datetime): End of the certificate's validity period (UTC, naive datetime). Indexed to allow efficient queries for expired certificates.
  - key_type (str): Certificate category stored as the CertType enum's string value (e.g. "ca", "device", "service"). Defaults to CertType.DEVICE.value.
  - certificate_pem (str): Full PEM-encoded public certificate. Allows reconstruction of the x509.Certificate object without accessing the filesystem.
  - revocation_date (datetime | None): UTC timestamp at which the certificate was revoked. None for non-revoked certificates.
  - revocation_reason (int | None): RFC 5280 §5.3.1 CRLReason code stored as an integer (e.g. keyCompromise = 1). None for non-revoked certificates. Corresponds to an x509.ReasonFlags member; note that cryptography's ReasonFlags members carry string values such as "keyCompromise", so the integer code comes from an explicit mapping, not from the member's value.
  - uuid (str | None): UUID string that identifies the filesystem folder (managed by BaseStorage) holding the .pem, .key, and .csr files for this certificate. None if no filesystem artefacts exist.
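The following is an added example, not code from the tiny_ca project: a stdlib-only sqlite3 mock-up of the certificates table described above (it deliberately avoids SQLAlchemy and cryptography so it runs anywhere). It exercises the design notes and the column semantics: a 160-bit serial stored as a decimal string, and what happens when the same value is bound to an INTEGER column; status stored as a plain string with a CHECK on the allowed values; the expired-certificate query the not_valid_after index exists for; and the explicit mapping from the string values of cryptography's x509.ReasonFlags to RFC 5280 CRLReason integer codes. The helper functions, the sample serial and the placeholder PEM text are assumptions constructed for this example.

```python
import sqlite3
import uuid
from datetime import datetime
from enum import Enum

class CertificateStatus(str, Enum):
    """str-valued enum: the column holds plain text any SQL client can read."""
    VALID = "valid"
    REVOKED = "revoked"
    EXPIRED = "expired"
    UNKNOWN = "unknown"

# RFC 5280 §5.3.1 CRLReason codes keyed by the *string* values that cryptography's
# x509.ReasonFlags members carry (code 7 is unused by the RFC).
CRL_REASON_CODES = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
    "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
    "removeFromCRL": 8, "privilegeWithdrawn": 9, "aACompromise": 10,
}

SCHEMA = """
CREATE TABLE certificates (
    id INTEGER PRIMARY KEY AUTOINCREMENT, serial_number TEXT NOT NULL UNIQUE,
    common_name TEXT NOT NULL, key_type TEXT NOT NULL DEFAULT 'device',
    status TEXT NOT NULL DEFAULT 'valid'
        CHECK (status IN ('valid', 'revoked', 'expired', 'unknown')),
    not_valid_before TEXT NOT NULL, not_valid_after TEXT NOT NULL,
    certificate_pem TEXT NOT NULL, revocation_date TEXT, revocation_reason INTEGER, uuid TEXT);
CREATE INDEX ix_certificates_not_valid_after ON certificates (not_valid_after);
"""

# Constructed placeholder, not a parseable certificate; a real row holds the CA's PEM output.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"

def _ts(dt):
    """Naive UTC datetime -> fixed-width text, so text order equals time order."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def open_registry():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn

def insert_certificate(conn, serial, common_name, nvb, nva, pem, key_type="device"):
    """Store the serial as a decimal string; return the uuid tying the row to its folder."""
    folder = str(uuid.uuid4())
    conn.execute(
        "INSERT INTO certificates (serial_number, common_name, status, not_valid_before,"
        " not_valid_after, key_type, certificate_pem, uuid) VALUES (?,?,?,?,?,?,?,?)",
        (str(serial), common_name, CertificateStatus.VALID.value, _ts(nvb), _ts(nva),
         key_type, pem, folder))
    conn.commit()
    return folder

def serial_as_integer_fails(serial):
    """Why String, not Integer: binding a >64-bit int to INTEGER raises OverflowError."""
    scratch = sqlite3.connect(":memory:")
    scratch.execute("CREATE TABLE t (n INTEGER)")
    try:
        scratch.execute("INSERT INTO t (n) VALUES (?)", (serial,))
    except OverflowError:
        return True
    return False

def find_expired(conn, now):
    """Rows still marked valid whose validity ended before `now`; served by the index."""
    rows = conn.execute(
        "SELECT serial_number FROM certificates WHERE not_valid_after < ? AND status = ?"
        " ORDER BY not_valid_after", (_ts(now), CertificateStatus.VALID.value)).fetchall()
    return [r["serial_number"] for r in rows]

def revoke(conn, serial, reason, when):
    """Flip status and record the date plus the RFC 5280 integer code for `reason`."""
    conn.execute(
        "UPDATE certificates SET status = ?, revocation_date = ?, revocation_reason = ?"
        " WHERE serial_number = ?",
        (CertificateStatus.REVOKED.value, _ts(when), CRL_REASON_CODES[reason], str(serial)))
    conn.commit()

def run_demo():
    """Issue -> expiry query -> revoke on constructed data; returns what was observed."""
    conn = open_registry()
    serial = (1 << 159) | 12345  # constructed: a 160-bit serial, wider than any SQL int
    folder = insert_certificate(conn, serial, "device-01", datetime(2024, 1, 1),
                                datetime(2025, 1, 1), SAMPLE_PEM)
    row = conn.execute("SELECT * FROM certificates WHERE serial_number = ?",
                       (str(serial),)).fetchone()
    out = {"roundtrip": int(row["serial_number"]) == serial,
           "int_column_fails": serial_as_integer_fails(serial),
           "expired_before": find_expired(conn, datetime(2024, 6, 1)),
           "expired_after": find_expired(conn, datetime(2025, 6, 1))}
    revoke(conn, serial, "keyCompromise", datetime(2024, 3, 1))
    row = conn.execute("SELECT * FROM certificates WHERE serial_number = ?",
                       (str(serial),)).fetchone()
    out.update(status=row["status"], reason=row["revocation_reason"],
               uuid_matches=row["uuid"] == folder,
               expired_after_revoke=find_expired(conn, datetime(2025, 6, 1)))
    return out
```

Call run_demo() to walk through the sequence. Timestamps are kept as fixed-width naive UTC text so that the index comparison in find_expired is a plain string comparison; the same applies to SQLAlchemy's naive DateTime column on SQLite, which is why every caller must pass UTC consistently.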
  - __init__(**kwargs)

    A simple constructor that allows initialization from kwargs. Sets attributes on the constructed instance using the names and values in kwargs. Only keys that are present as attributes of the instance's class are allowed. These could be, for example, any mapped columns or relationships.