X.509 certificate (RFC5280) library
Module X509 . CA


type signing_request

The abstract type of a (self-signed) PKCS 10 certification request, with encoding and decoding to PEM.

type request_extensions = [
| `Password of string
| `Name of string
| `Extensions of (bool * Extension.t) list
]

The polymorphic variant of certificate request extensions, as defined in PKCS 9 (RFC 2985).

type request_info = {
subject : distinguished_name;
public_key : public_key;
extensions : request_extensions list;
}

The raw request info (the CertificationRequestInfo structure) of a PKCS 10 certification request: the subject, the subject's public key and the requested attributes. The `Extensions entry, if present, carries the X.509 extensions the requester would like to see in the issued certificate; a CA treats these as a wish list, not as instructions.

val info : signing_request -> request_info

info signing_request is request_info, the information inside the signing_request.

val request : distinguished_name -> ?digest:Nocrypto.Hash.hash -> ?extensions:request_extensions list -> private_key -> signing_request

request subject ~digest ~extensions private creates signing_request, a certification request for the given subject and list of extensions, signed with the given digest (defaults to `SHA256). The public key embedded in the request is derived from private, and private is also used to sign the request; the signature is the requester's proof of possession of the key and is all that makes the request "self-signed".

val sign : signing_request -> valid_from:Asn.Time.t -> valid_until:Asn.Time.t -> ?digest:Nocrypto.Hash.hash -> ?serial:Z.t -> ?extensions:(bool * Extension.t) list -> private_key -> distinguished_name -> t

sign signing_request ~valid_from ~valid_until ~digest ~serial ~extensions private issuer creates a signed X.509 certificate. The public key and subject are taken from the signing_request; the given extensions are added to the certificate. The private key is used to sign the certificate and issuer is recorded as the certificate's issuer name. The digest defaults to `SHA256. The serial defaults to a random value between 1 and 2^64. The certificate version is always 3. Please note that sign does not validate the request, so check the request's signature against its embedded public key before issuing, and that the extensions in the signing_request are ignored; this is deliberate, since a CA must decide itself which requested extensions (basic constraints, key usage, subject alternative names, ...) it is willing to honour, and should never copy them unfiltered. If you do want to pass them through, you can extract them with:

  match
    try Some (List.find (function `Extensions _ -> true | _ -> false) (info csr).extensions)
    with Not_found -> None
  with
  | Some (`Extensions x) -> x
  | None -> []
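The following is an added example, not code from the ocaml-x509 documentation or the library itself, showing how a CA would use request, info and sign together while enforcing its own extension policy rather than copying the requester's. It assumes the ocaml-x509 0.5 era API this page documents: `RSA as the private_key constructor, `CN and `O as distinguished_name components, the `Basic_constraints (is_ca, path_len), `Key_usage and `Subject_alt_name constructors of Extension.t, Nocrypto_entropy_unix for seeding the RNG, the Asn.Time.t record layout with date, time and tz fields, and X509.Encoding.Pem.Certificate.to_pem_cstruct1 for PEM output. The names issue, is_acceptable and requested_extensions are local to this example.

```ocaml
(* Added example (not part of ocaml-x509): a CA that accepts a PKCS 10
   request but copies only an allow-list of the requested extensions.
   Assumes the ocaml-x509 0.5 API with Nocrypto (see lead-in). *)

(* Assumption: Nocrypto_entropy_unix seeds Nocrypto's RNG on Unix. *)
let () = Nocrypto_entropy_unix.initialize ()

(* The page's own snippet as a function: the `Extensions entry of the
   request, or [] when the requester asked for nothing. *)
let requested_extensions csr =
  match
    try Some (List.find (function `Extensions _ -> true | _ -> false)
                (X509.CA.info csr).X509.CA.extensions)
    with Not_found -> None
  with
  | Some (`Extensions x) -> x
  | None -> []

(* Policy for an end-entity CA: subject alternative names pass through,
   key usages pass through unless they ask for certificate or CRL
   signing, and basic constraints are never taken from the requester
   (the CA sets its own below).  Everything else is dropped. *)
let is_acceptable (_critical, ext) =
  match ext with
  | `Subject_alt_name _ -> true
  | `Key_usage usages ->
    not (List.exists
           (function `Key_cert_sign | `CRL_sign -> true | _ -> false)
           usages)
  | `Basic_constraints _ -> false
  | _ -> false

(* Issue a leaf certificate: filtered requester extensions plus the
   CA-enforced critical basicConstraints CA:FALSE. *)
let issue ~ca_key ~ca_name ~valid_from ~valid_until csr =
  let wanted = List.filter is_acceptable (requested_extensions csr) in
  let extensions = (true, `Basic_constraints (false, None)) :: wanted in
  X509.CA.sign csr ~valid_from ~valid_until ~extensions ca_key ca_name

let () =
  let ca_priv = Nocrypto.Rsa.generate 2048
  and leaf_priv = Nocrypto.Rsa.generate 2048 in
  let ca_name = [ `CN "Example Root"; `O "Example" ] in
  (* Constructed request: the requester asks for CA:TRUE and
     keyCertSign; both are refused by is_acceptable, the SAN survives. *)
  let csr =
    X509.CA.request [ `CN "www.example.com" ]
      ~extensions:[ `Extensions
                      [ (true,  `Basic_constraints (true, None));
                        (false, `Key_usage [ `Digital_signature; `Key_cert_sign ]);
                        (false, `Subject_alt_name [ `DNS "www.example.com" ]) ] ]
      (`RSA leaf_priv)
  in
  (* Assumption: Asn.Time.t is { date; time; tz } with a UTC time and
     tz = None. *)
  let valid_from  = { Asn.Time.date = (2019, 1, 1); time = (0, 0, 0, 0.); tz = None }
  and valid_until = { Asn.Time.date = (2020, 1, 1); time = (0, 0, 0, 0.); tz = None } in
  let cert = issue ~ca_key:(`RSA ca_priv) ~ca_name ~valid_from ~valid_until csr in
  (* Assumption: Encoding.Pem.Certificate.to_pem_cstruct1 emits one PEM block. *)
  print_string (Cstruct.to_string (X509.Encoding.Pem.Certificate.to_pem_cstruct1 cert))
```

The point of the allow-list is the one the sign documentation hints at: because sign ignores the request's extensions, the only way a requester can obtain CA:TRUE or keyCertSign in the issued certificate is for the CA code to hand them over explicitly, so the filter is where that decision is made. The issued certificate in this example carries basicConstraints CA:FALSE, the subject alternative name and no key usage extension at all, because the requested keyUsage list contained keyCertSign and is rejected as a whole.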