X509.CA
Certificate Authority operations
The abstract type of a (self-signed) PKCS 10 certification request, with encoding and decoding to PEM.
type request_extensions = [
  | `Password of string
  | `Name of string
  | `Extensions of (bool * Extension.t) list
]
The polymorphic variant of certificate request extensions, as defined in PKCS 9 (RFC 2985).
type request_info = {
  subject : distinguished_name;
  public_key : public_key;
  extensions : request_extensions list;
}
The raw request info of a PKCS 10 certification request.
val info : signing_request -> request_info
info signing_request is request_info, the information inside the signing_request.
val request :
  distinguished_name ->
  ?digest:Nocrypto.Hash.hash ->
  ?extensions:request_extensions list ->
  private_key ->
  signing_request
request subject ~digest ~extensions private creates signing_request, a certification request using the given subject, digest (defaults to `SHA256) and list of extensions.
val sign :
  signing_request ->
  valid_from:Ptime.t ->
  valid_until:Ptime.t ->
  ?digest:Nocrypto.Hash.hash ->
  ?serial:Z.t ->
  ?extensions:(bool * Extension.t) list ->
  private_key ->
  distinguished_name ->
  t
sign signing_request ~digest ~valid_from ~valid_until ~serial ~extensions private issuer creates certificate, a signed certificate. The public key and subject are taken from the signing_request, and the extensions passed in ~extensions are added to the X.509 certificate. The private key is used to sign the certificate, and the issuer is recorded in the certificate. The digest defaults to `SHA256. The serial defaults to a random value between 1 and 2^64. The certificate version is always 3. Please note that the extensions in the signing_request are ignored. You can pass them using:
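  (* Requested extensions from the CSR, or [] if it carries none. *)
  match
    try Some (List.find (function `Extensions _ -> true | _ -> false) (info csr).extensions)
    with Not_found -> None
  with
  | Some (`Extensions x) -> x
  | Some _ | None -> []  (* Some _ keeps the match exhaustive *)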
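The snippet above hands every requested extension to sign unchanged. As an added example (not part of the x509 documentation), the code below filters the requested extensions through a CA-side policy before signing. The names requested_extensions, leaf_policy and sign_with_policy are hypothetical, and the Extension constructors used in leaf_policy are assumed from the library's Extension module, which this page does not show.

```ocaml
(* Added example; helper names are hypothetical, not part of X509.CA. *)

(* All extensions requested in the CSR, collected across every
   `Extensions entry rather than only the first one found. *)
let requested_extensions csr =
  (X509.CA.info csr).X509.CA.extensions
  |> List.map (function
       | `Extensions xs -> xs
       | `Password _ | `Name _ -> [])
  |> List.concat

(* Example policy for leaf certificates. Only the extension kinds the CA
   is willing to copy are kept; everything else, including
   `Basic_constraints, is dropped so the request cannot choose whether
   the issued certificate is a CA. The constructor names are assumed
   from X509.Extension.t. A production policy would also validate the
   values inside the kept extensions (for example each requested name). *)
let leaf_policy (_critical, ext) =
  match ext with
  | `Subject_alt_name _ | `Ext_key_usage _ -> true
  | _ -> false

(* Sign the CSR with only the extensions that pass [policy].
   [ca_key] is the CA's private key and [issuer] its distinguished name;
   digest and serial are left at the defaults documented for sign. *)
let sign_with_policy ?(policy = leaf_policy) csr ~valid_from ~valid_until
    ca_key issuer =
  let extensions = List.filter policy (requested_extensions csr) in
  X509.CA.sign csr ~valid_from ~valid_until ~extensions ca_key issuer
```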