PyPI - devnomads-cli - Versions diffs - 0.5.0__tar.gz → 0.5.1__tar.gz - Mend

devnomads-cli 0.5.0tar.gz → 0.5.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

{devnomads_cli-0.5.0 → devnomads_cli-0.5.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.5.0
+Version: 0.5.1
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -141,8 +141,10 @@ DNS-01 challenge records would not be visible to the CA.
 The certificate is always written to `~/.config/dncli/certs/<domain>/`
 as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
-Pass `--out <file>` to additionally export a single PEM bundle (key,
-then certificate, then intermediate, in that order).
+Pass `--out <file>` to additionally export a single PEM bundle of
+exactly three blocks - the key, the certificate, and the issuing
+intermediate, in that order. Add `-v`/`--verbose` for detailed ACME
+progress.
 Keys are ECDSA P-384 by default. Pick another with `--key-type`
 (`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
@@ -150,14 +152,20 @@ Keys are ECDSA P-384 by default. Pick another with `--key-type`
 Re-running `cert issue` is a no-op while the existing certificate is
 still valid for more than 21 days; pass `--force` to re-issue anyway.
-List what you have issued and re-export any of them as a single PEM
-bundle without re-issuing:
+List what you have issued and re-export any of them - as a PEM bundle
+or a PKCS#12 (`.pfx`) file - without re-issuing:
 ```sh
 dncli cert list
-dncli cert export example.com --out bundle.pem   # omit --out to print
+dncli cert export example.com --out bundle.pem    # omit --out to print
+dncli cert export example.com --format pfx --out bundle.pfx
+dncli cert export example.com --format pfx --out bundle.pfx --passphrase secret
 ```
+The `.pfx` is unencrypted unless you pass `--passphrase` (alias
+`--password`). Both bundle formats carry the same three items: key,
+certificate, and the issuing intermediate.
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 ```sh

{devnomads_cli-0.5.0 → devnomads_cli-0.5.1}/README.md RENAMED Viewed

@@ -125,8 +125,10 @@ DNS-01 challenge records would not be visible to the CA.
 The certificate is always written to `~/.config/dncli/certs/<domain>/`
 as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
-Pass `--out <file>` to additionally export a single PEM bundle (key,
-then certificate, then intermediate, in that order).
+Pass `--out <file>` to additionally export a single PEM bundle of
+exactly three blocks - the key, the certificate, and the issuing
+intermediate, in that order. Add `-v`/`--verbose` for detailed ACME
+progress.
 Keys are ECDSA P-384 by default. Pick another with `--key-type`
 (`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
@@ -134,14 +136,20 @@ Keys are ECDSA P-384 by default. Pick another with `--key-type`
 Re-running `cert issue` is a no-op while the existing certificate is
 still valid for more than 21 days; pass `--force` to re-issue anyway.
-List what you have issued and re-export any of them as a single PEM
-bundle without re-issuing:
+List what you have issued and re-export any of them - as a PEM bundle
+or a PKCS#12 (`.pfx`) file - without re-issuing:
 ```sh
 dncli cert list
-dncli cert export example.com --out bundle.pem   # omit --out to print
+dncli cert export example.com --out bundle.pem    # omit --out to print
+dncli cert export example.com --format pfx --out bundle.pfx
+dncli cert export example.com --format pfx --out bundle.pfx --passphrase secret
 ```
+The `.pfx` is unencrypted unless you pass `--passphrase` (alias
+`--password`). Both bundle formats carry the same three items: key,
+certificate, and the issuing intermediate.
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 ```sh

{devnomads_cli-0.5.0 → devnomads_cli-0.5.1}/devnomads_cli.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devnomads-cli
-Version: 0.5.0
+Version: 0.5.1
 Summary: Manage your DevNomads services from the command line
 Author-email: DevNomads <support@devnomads.nl>
 License: MIT
@@ -141,8 +141,10 @@ DNS-01 challenge records would not be visible to the CA.
 The certificate is always written to `~/.config/dncli/certs/<domain>/`
 as `cert.pem`, `fullchain.pem`, `chain.pem`, and `privkey.pem` (0600).
-Pass `--out <file>` to additionally export a single PEM bundle (key,
-then certificate, then intermediate, in that order).
+Pass `--out <file>` to additionally export a single PEM bundle of
+exactly three blocks - the key, the certificate, and the issuing
+intermediate, in that order. Add `-v`/`--verbose` for detailed ACME
+progress.
 Keys are ECDSA P-384 by default. Pick another with `--key-type`
 (`ecdsa256`, `ecdsa384`, `ecdsa521`, `rsa2048`, `rsa4096`).
@@ -150,14 +152,20 @@ Keys are ECDSA P-384 by default. Pick another with `--key-type`
 Re-running `cert issue` is a no-op while the existing certificate is
 still valid for more than 21 days; pass `--force` to re-issue anyway.
-List what you have issued and re-export any of them as a single PEM
-bundle without re-issuing:
+List what you have issued and re-export any of them - as a PEM bundle
+or a PKCS#12 (`.pfx`) file - without re-issuing:
 ```sh
 dncli cert list
-dncli cert export example.com --out bundle.pem   # omit --out to print
+dncli cert export example.com --out bundle.pem    # omit --out to print
+dncli cert export example.com --format pfx --out bundle.pfx
+dncli cert export example.com --format pfx --out bundle.pfx --passphrase secret
 ```
+The `.pfx` is unencrypted unless you pass `--passphrase` (alias
+`--password`). Both bundle formats carry the same three items: key,
+certificate, and the issuing intermediate.
 A dehydrated-compatible DNS-01 hook ships as `dncli-dns-hook`:
 ```sh

{devnomads_cli-0.5.0 → devnomads_cli-0.5.1}/dncli.py RENAMED Viewed

@@ -24,6 +24,7 @@ import hashlib
 import hmac
 import io
 import json
+import logging
 import os
 import secrets
 import stat
@@ -107,15 +108,19 @@ def load_credentials() -> configparser.ConfigParser:
     return parser
-def _write_private(path: Path, content: str) -> None:
+def _write_private_bytes(path: Path, data: bytes) -> None:
     path.parent.mkdir(parents=True, exist_ok=True)
     path.parent.chmod(0o700)
     fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
-    with os.fdopen(fd, "w") as fh:
-        fh.write(content)
+    with os.fdopen(fd, "wb") as fh:
+        fh.write(data)
     path.chmod(0o600)
+def _write_private(path: Path, content: str) -> None:
+    _write_private_bytes(path, content.encode())
 def save_credentials(parser: configparser.ConfigParser) -> None:
     buffer = io.StringIO()
     parser.write(buffer)
@@ -1374,6 +1379,26 @@ REQUIRED_NAMESERVERS = (
 )
+class _ProgressHandler(logging.Handler):
+    """Route the devnomads library's log records to stderr in the CLI's
+    muted style, so cert issuance shows what it is doing step by step."""
+    def emit(self, record: logging.LogRecord) -> None:
+        try:
+            err_console.print(f"[dim]{escape(record.getMessage())}[/]", soft_wrap=True)
+        except Exception:  # pragma: no cover - logging must never crash the CLI
+            self.handleError(record)
+def _enable_progress_logging(verbose: bool = False) -> None:
+    """Surface the library's progress on stderr (INFO, or DEBUG when verbose)."""
+    logger = logging.getLogger("devnomads")
+    logger.setLevel(logging.DEBUG if verbose else logging.INFO)
+    if not any(isinstance(h, _ProgressHandler) for h in logger.handlers):
+        logger.addHandler(_ProgressHandler())
 class KeyType(str, Enum):
     """Certificate key types. ECDSA is the default; RSA on request."""
@@ -1384,6 +1409,13 @@ class KeyType(str, Enum):
     rsa4096 = "rsa4096"
+class ExportFormat(str, Enum):
+    """Bundle formats for `cert export`."""
+    pem = "pem"
+    pfx = "pfx"
 def _load_acme() -> Any:
     """Import devnomads.acme lazily, so non-cert commands skip the ACME
     stack at startup."""
@@ -1477,10 +1509,26 @@ def _write_cert_files(
         (out_dir / name).write_text(content)
+def _first_cert(pem: str) -> str:
+    """The first PEM certificate block in ``pem`` (the issuing intermediate
+    of a chain), or "" if there is none."""
+    begin = "-----BEGIN CERTIFICATE-----"
+    end = "-----END CERTIFICATE-----"
+    start = pem.find(begin)
+    if start == -1:
+        return ""
+    stop = pem.find(end, start)
+    if stop == -1:
+        return ""
+    return pem[start : stop + len(end)] + "\n"
 def _combined_pem(privkey: str, leaf: str, chain: str) -> str:
-    """One PEM bundle: key, then certificate, then intermediate(s)."""
+    """One PEM bundle of exactly three blocks: key, then leaf certificate,
+    then the single issuing intermediate (the rest of the chain is dropped)."""
-    parts = [privkey, leaf, chain]
+    parts = [privkey, leaf, _first_cert(chain)]
     return "".join(p if p.endswith("\n") else p + "\n" for p in parts if p)
@@ -1490,6 +1538,47 @@ def _export_combined_pem(path: Path, *, privkey: str, leaf: str, chain: str) ->
     _write_private(path, _combined_pem(privkey, leaf, chain))
+def _export_pkcs12(
+    path: Path,
+    *,
+    privkey: str,
+    leaf: str,
+    chain: str,
+    name: str,
+    passphrase: str | None = None,
+) -> None:
+    """Write a PKCS#12 (.pfx) bundle of key + leaf + single intermediate at
+    0600. Unencrypted unless ``passphrase`` is given."""
+    from cryptography import x509
+    from cryptography.hazmat.primitives import serialization
+    from cryptography.hazmat.primitives.asymmetric import ec, rsa
+    from cryptography.hazmat.primitives.serialization import pkcs12
+    try:
+        key = serialization.load_pem_private_key(privkey.encode(), password=None)
+        cert = x509.load_pem_x509_certificate(leaf.encode())
+        intermediate = _first_cert(chain)
+        cas = (
+            [x509.load_pem_x509_certificate(intermediate.encode())]
+            if intermediate
+            else None
+        )
+    except ValueError as exc:
+        raise CliError(f"could not read stored certificate files: {exc}") from exc
+    if not isinstance(key, (rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey)):
+        raise CliError("unsupported private key type for pfx export")
+    encryption = (
+        serialization.BestAvailableEncryption(passphrase.encode())
+        if passphrase
+        else serialization.NoEncryption()
+    )
+    blob = pkcs12.serialize_key_and_certificates(
+        name.encode(), key, cert, cas, encryption
+    )
+    _write_private_bytes(path, blob)
 def _cert_info(cert_path: Path) -> dict[str, Any]:
     """Summarize a stored leaf certificate for `cert list`."""
@@ -1535,19 +1624,26 @@ def _issue_certificate(
     staging: bool,
     out_dir: Path,
     export_path: Path | None = None,
+    verbose: bool = False,
 ) -> None:
     """Obtain a DNS-01 certificate for ``domain`` and write it to ``out_dir``;
     optionally also export a single combined PEM to ``export_path``."""
     acme = _load_acme()
-    _assert_dns_authority(state, [domain, *sans])
+    _enable_progress_logging(verbose)
+    names = [domain, *sans]
+    err_console.print(f"checking {len(names)} name(s) are delegated to DevNomads")
+    _assert_dns_authority(state, names)
     directory_url = LE_STAGING_DIRECTORY if staging else acme.DEFAULT_DIRECTORY_URL
+    err_console.print(f"using ACME directory {directory_url}")
     client = acme.AcmeClient(
         str(_account_key_path()),
         directory_url=directory_url,
         contact_email=email,
     )
+    err_console.print(f"generating {key_type} certificate key")
     try:
         domain_key = acme.generate_key(key_type)
     except acme.AcmeError as exc:
@@ -1624,6 +1720,10 @@ def cert_issue(
             "intermediate) to this file.",
         ),
     ] = None,
+    verbose: Annotated[
+        bool,
+        typer.Option("--verbose", "-v", help="Show detailed ACME progress."),
+    ] = False,
 ) -> None:
     """Issue a TLS certificate for a domain via ACME (Let's Encrypt, DNS-01)."""
@@ -1649,6 +1749,7 @@ def cert_issue(
         staging=staging,
         out_dir=out_dir,
         export_path=out,
+        verbose=verbose,
     )
@@ -1692,6 +1793,10 @@ def cert_renew(
     staging: Annotated[
         bool, typer.Option("--staging", help="Use the Let's Encrypt staging CA.")
     ] = False,
+    verbose: Annotated[
+        bool,
+        typer.Option("--verbose", "-v", help="Show detailed ACME progress."),
+    ] = False,
 ) -> None:
     """Re-issue certificates that expire within 30 days; skip the rest."""
@@ -1720,6 +1825,7 @@ def cert_renew(
             key_type=key_type.value,
             staging=staging,
             out_dir=out_dir,
+            verbose=verbose,
         )
@@ -1762,11 +1868,26 @@ def cert_export(
         Path | None,
         typer.Option(
             "--out",
-            help="Write the bundle here (0600); omit to print to stdout.",
+            help="Write the bundle here (0600); omit to print to stdout (pem only).",
+        ),
+    ] = None,
+    fmt: Annotated[
+        ExportFormat,
+        typer.Option("--format", help="Bundle format: pem or pfx (PKCS#12)."),
+    ] = ExportFormat.pem,
+    passphrase: Annotated[
+        str | None,
+        typer.Option(
+            "--passphrase",
+            "--password",
+            help="Encrypt the pfx with this passphrase (default: none).",
         ),
     ] = None,
 ) -> None:
-    """Re-export an issued certificate as one PEM (key + cert + intermediate)."""
+    """Re-export an issued certificate as one bundle (key + cert + intermediate).
+    The default PEM bundle is three blocks; --format pfx writes a PKCS#12 file.
+    """
     cert_dir = _cert_dir(domain)
     privkey = cert_dir / "privkey.pem"
@@ -1780,6 +1901,23 @@ def cert_export(
     key_text = privkey.read_text()
     leaf_text = leaf.read_text()
     chain_text = chain.read_text() if chain.is_file() else ""
+    if fmt is ExportFormat.pfx:
+        if out is None:
+            raise CliError("--out is required for pfx (it is a binary file)")
+        _export_pkcs12(
+            out,
+            privkey=key_text,
+            leaf=leaf_text,
+            chain=chain_text,
+            name=domain,
+            passphrase=passphrase,
+        )
+        err_console.print(f"exported pkcs12 bundle to {out}")
+        return
+    if passphrase is not None:
+        raise CliError("--passphrase only applies to --format pfx")
     if out is not None:
         _export_combined_pem(out, privkey=key_text, leaf=leaf_text, chain=chain_text)
         err_console.print(f"exported combined pem to {out}")

{devnomads_cli-0.5.0 → devnomads_cli-0.5.1}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "devnomads-cli"
-version = "0.5.0"
+version = "0.5.1"
 description = "Manage your DevNomads services from the command line"
 readme = "README.md"
 requires-python = ">=3.10"

{devnomads_cli-0.5.0 → devnomads_cli-0.5.1}/tests/test_cert.py RENAMED Viewed

@@ -11,7 +11,10 @@ from dncli import app
 runner = CliRunner()
 LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
-CHAIN = "-----BEGIN CERTIFICATE-----\nCHAIN\n-----END CERTIFICATE-----\n"
+INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTER\n-----END CERTIFICATE-----\n"
+ROOT = "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n"
+# Let's Encrypt returns a multi-cert chain (intermediate + cross-signs/roots).
+CHAIN = INTERMEDIATE + ROOT
 FULLCHAIN = LEAF + CHAIN
 KEY = b"-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"
@@ -82,7 +85,7 @@ def _write_cert(cert_dir, *, days, with_key_chain=False):
                 serialization.NoEncryption(),
             )
         )
-        (cert_dir / "chain.pem").write_text("CHAINPEM\n")
+        (cert_dir / "chain.pem").write_text(INTERMEDIATE + ROOT)
     return cert
@@ -193,11 +196,15 @@ def test_issue_out_exports_combined_pem(
     out = tmp_path / "bundle.pem"
     result = runner.invoke(app, ["cert", "issue", "example.com", "--out", str(out)])
     assert result.exit_code == 0, result.output
-    # the default per-domain dir is still written...
+    # the default per-domain dir is still written (with the full chain)...
     default_dir = dncli.config_dir() / "certs" / "example.com"
     assert (default_dir / "fullchain.pem").read_text() == FULLCHAIN
-    # ...and the combined file has key, then leaf, then intermediate, in order.
-    assert out.read_text() == KEY.decode() + LEAF + CHAIN
+    assert (default_dir / "chain.pem").read_text() == CHAIN
+    # ...and the combined file is exactly key + leaf + first intermediate,
+    # i.e. the rest of the chain (roots) is dropped.
+    assert out.read_text() == KEY.decode() + LEAF + INTERMEDIATE
+    assert ROOT not in out.read_text()
+    assert out.read_text().count("BEGIN CERTIFICATE") == 2
     assert stat.S_IMODE(out.stat().st_mode) == 0o600
@@ -210,10 +217,23 @@ def test_our_zone_for_matches_longest_suffix():
     assert dncli._our_zone_for("other.org", zones) is None
-def test_export_combined_pem_order_and_mode(tmp_path):
+def test_first_cert_takes_only_the_intermediate():
+    assert dncli._first_cert(INTERMEDIATE + ROOT) == INTERMEDIATE
+    assert dncli._first_cert("no cert here") == ""
+def test_combined_pem_is_three_blocks(tmp_path):
+    bundle = dncli._combined_pem(KEY.decode(), LEAF, INTERMEDIATE + ROOT)
+    assert bundle == KEY.decode() + LEAF + INTERMEDIATE
+    assert bundle.count("BEGIN CERTIFICATE") == 2  # leaf + one intermediate
+def test_export_combined_pem_mode(tmp_path):
     out = tmp_path / "bundle.pem"
-    dncli._export_combined_pem(out, privkey="KEY\n", leaf="LEAF\n", chain="CHAIN\n")
-    assert out.read_text() == "KEY\nLEAF\nCHAIN\n"
+    dncli._export_combined_pem(
+        out, privkey=KEY.decode(), leaf=LEAF, chain=INTERMEDIATE + ROOT
+    )
+    assert out.read_text() == KEY.decode() + LEAF + INTERMEDIATE
     assert stat.S_IMODE(out.stat().st_mode) == 0o600
@@ -389,12 +409,11 @@ def test_cert_export_to_file(configured, isolated_config, tmp_path):
     result = runner.invoke(app, ["cert", "export", "example.com", "--out", str(out)])
     assert result.exit_code == 0, result.output
     text = out.read_text()
-    # order: private key, then leaf certificate, then intermediate
-    assert (
-        text.index("EC PRIVATE KEY")
-        < text.index("CERTIFICATE")
-        < text.index("CHAINPEM")
-    )
+    # order: private key, then leaf certificate, then the one intermediate
+    assert text.index("EC PRIVATE KEY") < text.index("INTER")
+    # only the first intermediate (not the root), and exactly three blocks
+    assert "ROOT" not in text
+    assert text.count("BEGIN CERTIFICATE") == 2
     assert stat.S_IMODE(out.stat().st_mode) == 0o600
@@ -405,10 +424,127 @@ def test_cert_export_to_stdout(configured, isolated_config):
     result = runner.invoke(app, ["cert", "export", "example.com"])
     assert result.exit_code == 0, result.output
     assert "BEGIN CERTIFICATE" in result.stdout
-    assert "CHAINPEM" in result.stdout
+    assert "INTER" in result.stdout
+    assert "ROOT" not in result.stdout
 def test_cert_export_missing(isolated_config):
     result = runner.invoke(app, ["cert", "export", "nope.com"])
     assert result.exit_code != 0
     assert "no certificate" in result.output
+def test_cert_export_passphrase_rejected_for_pem(configured, isolated_config, tmp_path):
+    _write_cert(
+        dncli.config_dir() / "certs" / "example.com", days=30, with_key_chain=True
+    )
+    result = runner.invoke(
+        app,
+        [
+            "cert",
+            "export",
+            "example.com",
+            "--passphrase",
+            "x",
+            "--out",
+            str(tmp_path / "b.pem"),
+        ],
+    )
+    assert result.exit_code != 0
+    assert "pfx" in result.output
+def _write_real_chain(cert_dir):
+    """Write a real key + leaf + (intermediate, root) chain so PKCS#12 export,
+    which actually parses the certificates, has valid input."""
+    import datetime
+    from cryptography import x509
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import ec
+    from cryptography.x509.oid import NameOID
+    def make(cn):
+        key = ec.generate_private_key(ec.SECP256R1())
+        now = datetime.datetime.now(datetime.timezone.utc)
+        name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
+        cert = (
+            x509.CertificateBuilder()
+            .subject_name(name)
+            .issuer_name(name)
+            .public_key(key.public_key())
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(now - datetime.timedelta(days=1))
+            .not_valid_after(now + datetime.timedelta(days=30))
+            .sign(key, hashes.SHA256())
+        )
+        return key, cert
+    leaf_key, leaf = make("example.com")
+    _, inter = make("Intermediate CA")
+    _, root = make("Root CA")
+    pem = serialization.Encoding.PEM
+    cert_dir.mkdir(parents=True, exist_ok=True)
+    (cert_dir / "cert.pem").write_bytes(leaf.public_bytes(pem))
+    (cert_dir / "privkey.pem").write_bytes(
+        leaf_key.private_bytes(
+            pem,
+            serialization.PrivateFormat.TraditionalOpenSSL,
+            serialization.NoEncryption(),
+        )
+    )
+    (cert_dir / "chain.pem").write_bytes(
+        inter.public_bytes(pem) + root.public_bytes(pem)
+    )
+    return leaf, inter, root
+def test_cert_export_pfx_no_passphrase(configured, isolated_config, tmp_path):
+    from cryptography.hazmat.primitives.serialization import pkcs12
+    leaf, inter, root = _write_real_chain(dncli.config_dir() / "certs" / "example.com")
+    out = tmp_path / "bundle.pfx"
+    result = runner.invoke(
+        app, ["cert", "export", "example.com", "--format", "pfx", "--out", str(out)]
+    )
+    assert result.exit_code == 0, result.output
+    key, cert, cas = pkcs12.load_key_and_certificates(out.read_bytes(), None)
+    assert key is not None
+    assert cert.subject == leaf.subject
+    # only the issuing intermediate, not the root
+    assert [c.subject for c in cas] == [inter.subject]
+    assert stat.S_IMODE(out.stat().st_mode) == 0o600
+def test_cert_export_pfx_with_passphrase(configured, isolated_config, tmp_path):
+    from cryptography.hazmat.primitives.serialization import pkcs12
+    _write_real_chain(dncli.config_dir() / "certs" / "example.com")
+    out = tmp_path / "bundle.pfx"
+    result = runner.invoke(
+        app,
+        [
+            "cert",
+            "export",
+            "example.com",
+            "--format",
+            "pfx",
+            "--out",
+            str(out),
+            "--password",
+            "s3cret",
+        ],
+    )
+    assert result.exit_code == 0, result.output
+    with pytest.raises(ValueError):  # wrong/no password must fail
+        pkcs12.load_key_and_certificates(out.read_bytes(), None)
+    key, cert, cas = pkcs12.load_key_and_certificates(out.read_bytes(), b"s3cret")
+    assert key is not None
+def test_cert_export_pfx_requires_out(configured, isolated_config):
+    _write_real_chain(dncli.config_dir() / "certs" / "example.com")
+    result = runner.invoke(app, ["cert", "export", "example.com", "--format", "pfx"])
+    assert result.exit_code != 0
+    assert "out" in result.output.lower()