How to generate CA cert
derust opened this issue · 3 comments
derust commented
How to generate a CA cert like hudsucker.pem?
It seems a CA cert generated with mkcert doesn't work.
thanks!
omjadas commented
Hi,
I suspect you might be running into rustls/rcgen#59. If you are, there are two options to work around it:
- Use `OpensslAuthority` (requires the `openssl-certs` feature to be enabled and OpenSSL to be installed)
- Use `rcgen` to generate the CA cert (can be done with something akin to the following)
```rust
use rcgen::*;
use std::fs;

pub fn main() {
    let mut params = CertificateParams::default();

    // Subject (and, for a self-signed CA, issuer) distinguished name.
    let mut distinguished_name = DistinguishedName::new();
    distinguished_name.push(DnType::CommonName, "Hudsucker Industries");
    distinguished_name.push(DnType::OrganizationName, "Hudsucker Industries");
    distinguished_name.push(DnType::CountryName, "US");
    distinguished_name.push(DnType::StateOrProvinceName, "NY");
    distinguished_name.push(DnType::LocalityName, "NYC");
    params.distinguished_name = distinguished_name;

    // Mark the certificate as a CA and allow it to sign certificates and CRLs.
    params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
    params.key_usages = vec![
        KeyUsagePurpose::KeyCertSign,
        KeyUsagePurpose::CrlSign,
    ];

    // Generate the key pair and self-signed certificate, then write both as PEM.
    let cert = Certificate::from_params(params).unwrap();
    let private_key = cert.serialize_private_key_pem();
    fs::write("cert.pem", cert.serialize_pem().unwrap()).unwrap();
    fs::write("private.key", private_key).unwrap();
}
```
derust commented
Got it, thanks!
It seems I should wait for the rustls ecosystem to be more mature to totally replace openssl.
omjadas commented
This should be fixed in v0.11.1, which bumps https://github.com/est31/rcgen to 0.9