Python access to data fields of SSL connection peer certificate

After a great deal of discussion, under the Subject line of "frozenset C API?" (you may have missed it :-), I'm coming to the conclusion that in revealing the fields of an SSL certificate, less is more.
From one of the messages in that thread:
I'm trying to give the application the ability to do some level of authorization without requiring either of those packages. Like being able to tell who's on the other side of the connection :-). Right now, I think the right fields to expose are "subject" (I see little point to exposing "issuer"), "notAfter" (you're always guaranteed to be after "notBefore", or the cert wouldn't validate, so I see little point to exposing that, but "notAfter" can be used after the connection has been established), subjectAltName if present, and perhaps the certificate's serial number. Remember that the cert has already been validated, so I don't see how the other fields in the cert can be profitably used for authorization and/or accounting, which is the purpose of this interface. Anything else you want, you can pull over the DER blob and look into it with some other crypto package; I'll provide a way to pull the full binary form of the certificate into Python as a bytes string (as soon as the bytes API gets backported into the trunk). 
Under those rules, the samples in the current documentation would look like

    {'notAfter': 'May 8 23:59:59 2009 GMT',
     'serialNumber': '6A4AC31B3110E6EB48F0FC51A39A171F',
     'subject': ((('serialNumber', u'2497886'),),
                 (('1.3.6.1.4.1.311.60.2.1.3', u'US'),),
                 (('1.3.6.1.4.1.311.60.2.1.2', u'Delaware'),),
                 (('countryName', u'US'),),
                 (('postalCode', u'94043'),),
                 (('stateOrProvinceName', u'California'),),
                 (('localityName', u'Mountain View'),),
                 (('streetAddress', u'487 East Middlefield Road'),),
                 (('organizationName', u'VeriSign, Inc.'),),
                 (('organizationalUnitName', u'Production Security Services'),),
                 (('organizationalUnitName', u'Terms of use at www.verisign.com/rpa (c)06'),),
                 (('commonName', u'www.verisign.com'),))}

and

    {'notAfter': 'Feb 16 16:54:50 2013 GMT',
     'serialNumber': 'FFAA4ADBF570818D',
     'subject': ((('countryName', u'US'),),
                 (('stateOrProvinceName', u'Delaware'),),
                 (('localityName', u'Wilmington'),),
                 (('organizationName', u'Python Software Foundation'),),
                 (('organizationalUnitName', u'SSL'),),
                 (('commonName', u'somemachine.python.org'),))}

The server cert at https://www.dcl.hpi.uni-potsdam.de/ would look like

    {'notAfter': 'Mar 17 13:02:27 2008 GMT',
     'serialNumber': '2567F168000300000678',
     'subject': ((('countryName', u'DE'),),
                 (('stateOrProvinceName', u'Brandenburg'),),
                 (('localityName', u'Potsdam'),),
                 (('organizationName', u'Hasso-Plattner-Institut'),),
                 (('organizationalUnitName', u'Operating Systems & Middleware'),),
                 (('commonName', u'www.dcl.hpi.uni-potsdam.de'),)),
     'subjectAltName': ('DNS:www.dcl.hpi.uni-potsdam.de',
                        'DNS:www',
                        'DNS:dfw',
                        'DNS:dfw.dcl.hpi.uni-potsdam.de',
                        'IP Address:141.89.224.164')}

Thanks to Martin for suggesting it.

Bill
participants (1): Bill Janssen
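An added example, not code from Bill's post or from the ssl module, showing how an application could consume a peer-certificate dict in the shape proposed above for the kind of authorization decision the post describes. The dict layout (subject as a tuple of RDNs of (name, value) pairs, subjectAltName as 'type:value' strings, notAfter as an OpenSSL-style GMT string) is taken from the post; the sample value is the HPI certificate quoted there, and the policy in `authorize` (expected host name, allowed organizations, a caller-supplied `now`) is an assumption for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the proposed getpeercert() format (the HPI cert from the post).
SAMPLE_CERT = {
    'notAfter': 'Mar 17 13:02:27 2008 GMT',
    'serialNumber': '2567F168000300000678',
    'subject': ((('countryName', 'DE'),),
                (('stateOrProvinceName', 'Brandenburg'),),
                (('localityName', 'Potsdam'),),
                (('organizationName', 'Hasso-Plattner-Institut'),),
                (('organizationalUnitName', 'Operating Systems & Middleware'),),
                (('commonName', 'www.dcl.hpi.uni-potsdam.de'),)),
    'subjectAltName': ('DNS:www.dcl.hpi.uni-potsdam.de', 'DNS:www', 'DNS:dfw',
                       'DNS:dfw.dcl.hpi.uni-potsdam.de', 'IP Address:141.89.224.164'),
}

def subject_attr(cert, name):
    """All values of attribute `name` across the subject's RDNs (an RDN may repeat a type)."""
    return [v for rdn in cert.get('subject', ()) for (k, v) in rdn if k == name]

def names_for(cert):
    """Host identities the cert asserts: DNS SANs if present, else the commonName fallback."""
    sans = cert.get('subjectAltName', ())
    dns = [v for t, v in (entry.split(':', 1) for entry in sans) if t == 'DNS']
    return dns or subject_attr(cert, 'commonName')

def not_after(cert):
    """Parse the OpenSSL-style notAfter string into an aware UTC datetime."""
    parsed = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y GMT')
    return parsed.replace(tzinfo=timezone.utc)

def authorize(cert, expected_host, allowed_orgs, now):
    """Application-level policy on an already chain-validated peer cert.

    Returns (ok, reason). Assumed policy: the cert must still be within its
    validity period at `now`, must name `expected_host`, and must belong to
    one of the organizations in `allowed_orgs`.
    """
    if now >= not_after(cert):
        return False, 'certificate expired'
    if expected_host.lower() not in (n.lower() for n in names_for(cert)):
        return False, 'no matching DNS name'
    if not any(org in allowed_orgs for org in subject_attr(cert, 'organizationName')):
        return False, 'organization not allowed'
    return True, 'ok'
```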