Skip to content

Commit

Permalink
Add example of generating a cert chain
Browse files Browse the repository at this point in the history
Generate two certificates and sign the second with the first.
  • Loading branch information
tbro authored and cpu committed Oct 11, 2023
1 parent 948c3b5 commit aa2caf9
Show file tree
Hide file tree
Showing 2 changed files with 62 additions and 0 deletions.
4 changes: 4 additions & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,10 @@ required-features = ["pem"]
name = "rsa-irc-openssl"
required-features = ["pem"]

[[example]]
name = "sign-leaf-with-ca"
required-features = ["pem", "x509-parser"]

[dependencies]
yasna = { version = "0.5.2", features = ["time", "std"] }
ring = "0.17"
Expand Down
58 changes: 58 additions & 0 deletions examples/sign-leaf-with-ca.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
use rcgen::{
BasicConstraints, Certificate, CertificateParams, DnType, DnValue::PrintableString,
ExtendedKeyUsagePurpose, IsCa, KeyUsagePurpose,
};
use time::{Duration, OffsetDateTime};

/// Example demonstrating signing end-endity certificate with ca
fn main() {
let ca = new_ca();
let end_entity = new_end_entity();

let end_entity_pem = end_entity.serialize_pem_with_signer(&ca).unwrap();
println!("directly signed end-entity certificate: {end_entity_pem}");

let ca_cert_pem = ca.serialize_pem().unwrap();
println!("ca certificate: {ca_cert_pem}",);
}

fn new_ca() -> Certificate {
let mut params = CertificateParams::new(Vec::default());
let (yesterday, tomorrow) = validity_period();
params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
params
.distinguished_name
.push(DnType::CountryName, PrintableString("BR".into()));
params
.distinguished_name
.push(DnType::OrganizationName, "Crab widgits SE");
params.key_usages.push(KeyUsagePurpose::DigitalSignature);
params.key_usages.push(KeyUsagePurpose::KeyCertSign);
params.key_usages.push(KeyUsagePurpose::CrlSign);

params.not_before = yesterday;
params.not_after = tomorrow;
Certificate::from_params(params).unwrap()
}

fn new_end_entity() -> Certificate {
let name = "entity.other.host";
let mut params = CertificateParams::new(vec![name.into()]);
let (yesterday, tomorrow) = validity_period();
params.distinguished_name.push(DnType::CommonName, name);
params.use_authority_key_identifier_extension = true;
params.key_usages.push(KeyUsagePurpose::DigitalSignature);
params
.extended_key_usages
.push(ExtendedKeyUsagePurpose::ServerAuth);
params.not_before = yesterday;
params.not_after = tomorrow;
Certificate::from_params(params).unwrap()
}

fn validity_period() -> (OffsetDateTime, OffsetDateTime) {
let day = Duration::new(86400, 0);
let yesterday = OffsetDateTime::now_utc().checked_sub(day).unwrap();
let tomorrow = OffsetDateTime::now_utc().checked_add(day).unwrap();
(yesterday, tomorrow)
}

0 comments on commit aa2caf9

Please sign in to comment.