PEP 748: certificate_chain is mandatory server-side

Julien00859 · Julien00859 · commit 89e8de4e7315 · 2026-05-12T22:13:56.000+02:00
TLS 1.3 and secure TLS 1.2 both require a certificate and private key
server-side. Making the parameter mandatory makes it explicit that one
is required. It still is optional client-side.
diff --git a/peps/pep-0748.rst b/peps/pep-0748.rst
@@ -316,6 +316,11 @@ A ``trust_store`` is mandatory and is used to validate the server certificates.
 It uses the system's trust store by default. Insecure connections are only
 possible via the :ref:`insecure` module.
 
+When ``certificate_chain`` is set, it is a single signing chain comprising a
+leaf client certificate including its corresponding private key and optionally a
+list of intermediate certificates. These certificates will be offered to the
+server during the handshake if required.
+
 Server Configuration
 ^^^^^^^^^^^^^^^^^^^^
 
@@ -335,7 +340,7 @@ The ``TLSServerConfiguration`` class would be defined by the following code:
 
         def __init__(
             self,
-            certificate_chain: Sequence[SigningChain] | None = None,
+            certificate_chain: Sequence[SigningChain],
             ciphers: Sequence[CipherSuite] | None = None,
             inner_protocols: Sequence[NextProtocol | bytes] | None = None,
             lowest_supported_version: TLSVersion | None = None,
@@ -353,7 +358,7 @@ The ``TLSServerConfiguration`` class would be defined by the following code:
             self._trust_store = trust_store
 
         @property
-        def certificate_chain(self) -> Sequence[SigningChain] | None:
+        def certificate_chain(self) -> Sequence[SigningChain]:
             return self._certificate_chain
 
         @property
@@ -376,6 +381,14 @@ The ``TLSServerConfiguration`` class would be defined by the following code:
         def trust_store(self) -> TrustStore | None:
             return self._trust_store
 
+Server authentication is mandatory, so the configuration must include
+at least one signing chain comprising a leaf server certificate including
+its corresponding private key and optionally a list of intermediate
+certificates. It is possible to set more than a single signing chain to
+support multiple virtual hosts. Implementations should raise ``ValueError``
+when no signing chain is provided. Insecure connections with server
+authentication disabled are only possible via the :ref:`insecure` module.
+
 A ``trust_store`` is optional. Setting one enables client authentication and
 uses the trust store to validate the client certificates. Leaving it ``None``
 disables client authentication.
