Description
While upgrading from 0.13 to 0.14, I ran into some difficulties trying to keep the old functionality. Specifically, I would like to have access to the issuer certificate while generating a leaf certificate.
Scouring the changelogs and documentation, I did find `CertifiedIssuer`, which seems to be what I need. Unfortunately I couldn't find a way to load an existing certificate like you can with `Issuer` (`Issuer::from_ca_cert_{pem,der}`). So here's the feature request.
Here's a slimmed-down version of my current code using rcgen-0.13:
```rust
// rcgen 0.13; `CertificateParams::from_ca_cert_pem` needs the `x509-parser` feature.
use rcgen::{CertificateParams, CertifiedKey, KeyPair, PKCS_ED25519};

// Error alias so `?` works on both rcgen and std::io errors.
type Result<T> = std::result::Result<T, Box<dyn std::error::Error>>;

fn main() -> Result<()> {
    let issuer = load_issuer("path/to/issuer.crt", "path/to/issuer.key")?;
    let leaf = generate(&issuer)?;
    println!("{}", leaf.cert.pem());
    Ok(())
}

/// Load an existing CA certificate and its private key (both PEM files on
/// disk) into a `CertifiedKey` so it can be used as an issuer.
fn load_issuer(cert_path: &str, key_path: &str) -> Result<CertifiedKey> {
    let cert_pem = std::fs::read_to_string(cert_path)?;
    let key_pem = std::fs::read_to_string(key_path)?;
    let key_pair = KeyPair::from_pem(&key_pem)?;
    let cert = {
        // Parse the existing certificate into params, then re-self-sign them:
        // in 0.13 this is the only way to get a `Certificate` back.
        // https://github.com/rustls/rcgen/issues/274#issuecomment-2121969453
        let params = CertificateParams::from_ca_cert_pem(&cert_pem)?;
        params.self_signed(&key_pair)?
    };
    // various checks omitted here ...
    Ok(CertifiedKey { cert, key_pair })
}

/// Mint a leaf certificate signed by `issuer`, inheriting its validity window.
pub fn generate(issuer: &CertifiedKey) -> Result<CertifiedKey> {
    let params = {
        // In 0.13 the issuer's params are reachable via `Certificate::params()`.
        let issuer_params = issuer.cert.params();
        let mut params = CertificateParams::new(Vec::<String>::new())?;
        // set certificate expiry to match issuer
        params.not_before = issuer_params.not_before;
        params.not_after = issuer_params.not_after;
        // set other certificate params ...
        params
    };
    let key_pair = KeyPair::generate_for(&PKCS_ED25519)?;
    let cert = params.signed_by(&key_pair, &issuer.cert, &issuer.key_pair)?;
    Ok(CertifiedKey { cert, key_pair })
}
```
I would like to update `load_issuer` to return a `CertifiedIssuer` (and ideally get rid of the self-signing hack), so that I can read from the issuer certificate in `generate`. But without `CertifiedIssuer::from_ca_cert_{pem,der}` I don't think it's possible.