[go: up one dir, main page]

rcgen 0.14.1

Rust X.509 certificate generator
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

# Rcgen 0.12 to 0.13 Migration Guide

This document is a meant to be a helpful guide for some of the API changes made
between rcgen 0.12 and 0.13. For information on other changes in 0.13 see
[rcgen/CHANGELOG.md].

## Key Pairs

* Previously it was possible to have certificate generation automatically create
  a subject `KeyPair` for you by leaving the `key_pair` field of
  `CertificateParams` empty, and retrieving the generated `KeyPair` from
  a `Certificate` created with the `CertificateParams` by calling
  `Certificate::get_key_pair()`.

  To offer more consistency and to keep the `CertificateParams` and `Certificate`
  types from holding private key data, the new API requires you handle `KeyPair`
  creation yourself. See `CertifiedKey`, `KeyPair::generate()`,
  `KeyPair::generate_for()` and `KeyPair::generate_rsa_for()` for more information.

* Serializing a `Certificate`'s `KeyPair` to DER or PEM was previously done by
  calling `Certificate::serialize_private_key_der()` or
  `Certificate::serialize_private_key_pem()`. This is now handled by calling
  `KeyPair::serialize_der()` or `KeyPair::serialize_pem()`.

## Certificates

* For quick-and-easy self-signed certificate issuance,
  `generate_simple_self_signed` now returns a `CertifiedKey` in the success case
  instead of a `Certificate`. The self-signed `Certificate` can be accessed in
  the `cert` field of `CertifiedKey`, and the generated subject key pair in
  `key_pair`.

* Custom self-signed certificate issuance was previously done by
  constructing `CertificateParams` and calling `Certificate::from_params()` to
  create a `Certificate`. This is now done by calling
  `CertificateParams::self_signed()`, providing a subject `KeyPair` of your
  choosing.

* Custom certificate issuance signed by an issuer was previously done by
  constructing `CertificateParams`, calling `Certificate::from_params()` and
  then choosing the issuer at serialization time. This is now done ahead of
  serialization by calling `CertificateParams::signed_by()` and providing
  a subject `KeyPair` as well as an issuer `Certificate` and `KeyPair`.

* Previously certificate serialization was done by calling
  `Certificate::serialize_der()`, `Certificate::serialize_pem()`,
  `Certificate::serialize_der_with_signer()` or
  `Certificate::serialize_pem_with_signer()`. Each time a serialization fn was
  called a new certificate was issued, leading to confusion when it was desired
  to serialize the same certificate in two formats. In the new API issuance is
  handled by `CertificateParams` fns and the generated `Certificate` will not change
  when serialized. You can serialize it to PEM by calling `Certificate::pem()`,
  or access the DER encoding by calling `Certificate::der()`.

## Certificate Signing Requests (CSRs)

* Previously it was only possible to create a new CSR by first issuing
  a `Certificate` from `CertificateParams`, and calling
  `Certificate::serialize_request_pem()` or
  `Certificate::serialize_request_der()`. In the updated API you can create
  a `CertificateSigningRequest` directly from `CertificateParams` by calling
  `CertificateParams::serialize_request` and providing a subject `KeyPair`. You
  may serialize the CSR to DER or PEM by calling
  `CertificateSigningRequest::der()` or `CertificateSingingRequest::pem()`.

* To load a CSR from an existing PEM/DER copy with the old API required
  calling `CertificateSingingRequest::from_pem()` or
  `CertificateSigningRequest::from_der()`. The new API introduces
  a `CertificateSingingRequestParams` type that can be created using
  `CertificateSigningRequestParams::from_pem()` or
  `CertificateSingingRequest::from_der()`.

* To issue a certificate from an existing CSR with the old API required calling
  `CertificateSigningRequest::serialize_der_with_signer()` or
  `CertificateSigningRequest::serialize_pem_with_signer()`. In the new API, call
  `CertificateSigningRequestParams::signed_by()` and provide an issuer
  `Certificate` and `KeyPair`.

## Certificate Revocation Lists (CRLs)

* Previously a `CertificateRevocationList` was created by calling
  `CertificateRevocationList::from_params()`. This is now done by calling
  `CertificateRevocationListParams::signed_by()` and providing an issuer
  `Certificate` and `KeyPair`.

* Previously a created `CertificateRevocationList` could be serialized to DER or
  PEM by calling `CertificateRevocationList::serialize_der_with_signer()` or
  `CertificateRevocationList::serialize_pem_with_signer()`. This is now done by
  calling `CertificateRevocationList::der()` or
  `CertificateRevocationList::pem()`.