A certificate authority (CA) deals with PKCS 10 certificate signing requests, their construction and encoding, and provisioning using a private key to generate a certificate with a signature thereof.
val decode_der :
?hash_whitelist:Mirage_crypto.Hash.hash list ->
Cstruct.t ->
(t, [> Rresult.R.msg ]) Rresult.result
decode_der ~hash_whitelist cstruct is signing_request, the ASN.1 decoded cstruct or an error. The signature on the signing request is validated, and its hash algorithm must be in hash_whitelist (by default only SHA-2 is accepted).
encode_der sr is cstruct, the ASN.1 encoded representation of the sr.
val decode_pem : Cstruct.t -> (t, [> Rresult.R.msg ]) Rresult.result
decode_pem pem is t, where the single signing request of the pem is extracted.
module Ext : sig ... end
The raw request info of a PKCS 10 certification request info.
val info : t -> request_info
info signing_request is request_info, the information inside the signing_request.
val signature_algorithm :
t ->
([ `RSA | `ECDSA | `ED25519 ] * Mirage_crypto.Hash.hash) option
signature_algorithm signing_request is the algorithm used for the signature.
val hostnames : t -> Host.Set.t
hostnames signing_request is the set of domain names this signing_request is requesting. This is either the content of the DNS entries of the SubjectAlternativeName extension, or the common name of the signing_request.
val create :
Distinguished_name.t ->
?digest:Mirage_crypto.Hash.hash ->
?extensions:Ext.t ->
Private_key.t ->
t
create subject ~digest ~extensions private creates signing_request, a certification request using the given subject, digest (defaults to `SHA256) and list of extensions.
val sign :
t ->
valid_from:Ptime.t ->
valid_until:Ptime.t ->
?hash_whitelist:Mirage_crypto.Hash.hash list ->
?digest:Mirage_crypto.Hash.hash ->
?serial:Z.t ->
?extensions:Extension.t ->
?subject:Distinguished_name.t ->
Private_key.t ->
Distinguished_name.t ->
(Certificate.t, [> Validation.signature_error ]) Rresult.result
sign signing_request ~valid_from ~valid_until ~hash_whitelist ~digest ~serial ~extensions ~subject private issuer creates certificate, a signed certificate. Signing can fail if the signature on the signing_request is invalid, or its hash algorithm does not occur in hash_whitelist (default all SHA-2 algorithms). Public key and subject are taken from the signing_request unless subject is passed; the extensions are added to the X.509 certificate. The private key is used to sign the certificate, and the issuer is recorded in the certificate. The digest defaults to `SHA256. The serial defaults to a random value between 1 and 2^64. Certificate version is always 3. Please note that the extensions in the signing_request are ignored; you can pass them using:
(* Ext.find returns an option: Some when the request carries extensions. *)
match Ext.find Extensions (info csr).extensions with
| Some ext -> ext
| None -> Extension.empty
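
One way a CA-side handler could combine decode_pem, hostnames and sign, as an added example that is not part of the x509 documentation: instead of copying the requester's extensions verbatim, it carries over only the DNS names that hostnames has checked against policy. The names issue, dns_san, allowed, ca_key, issuer and now are hypothetical, the 90-day validity is an arbitrary choice, and the code assumes the Ext, Extension and General_name maps offer find (returning an option) and singleton.

```ocaml
(* Added example, not from the x509 documentation. [issue], [dns_san],
   [allowed], [ca_key], [issuer] and [now] are hypothetical names. *)
module SR = X509.Signing_request

(* Rebuild a SubjectAlternativeName holding only the DNS names of the CSR.
   Anything else the requester asked for (BasicConstraints, KeyUsage,
   non-DNS names, ...) is deliberately not carried into the certificate. *)
let dns_san csr =
  let open X509 in
  match SR.Ext.(find Extensions (SR.info csr).SR.extensions) with
  | None -> Extension.empty
  | Some exts ->
    match Extension.(find Subject_alt_name exts) with
    | None -> Extension.empty
    | Some (critical, names) ->
      match General_name.(find DNS names) with
      | None -> Extension.empty
      | Some dns ->
        let san = General_name.(singleton DNS dns) in
        Extension.(singleton Subject_alt_name (critical, san))

(* [allowed] is the CA's naming policy (X509.Host.t -> bool);
   [now] is the current time as a Ptime.t. *)
let issue ~allowed ~now ~ca_key ~issuer pem =
  match SR.decode_pem pem with
  | Error e -> Error e
  | Ok csr ->
    let names = SR.hostnames csr in
    if X509.Host.Set.is_empty names
    || not (X509.Host.Set.for_all allowed names) then
      Error (`Msg "requested names are not permitted by CA policy")
    else
      match Ptime.add_span now (Ptime.Span.of_int_s (90 * 86_400)) with
      | None -> Error (`Msg "validity period out of range")
      | Some valid_until ->
        match
          (* Narrow the accepted CSR signature hashes explicitly. *)
          SR.sign csr ~valid_from:now ~valid_until
            ~hash_whitelist:[ `SHA256; `SHA384; `SHA512 ]
            ~digest:`SHA256 ~extensions:(dns_san csr) ca_key issuer
        with
        | Ok cert -> Ok cert
        | Error _ -> Error (`Msg "CSR signature or hash algorithm rejected")
```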