A certificate authority (CA) deals with PKCS 10 certificate signing requests: their construction and encoding, and the issuance of a certificate from a request by signing it with a private key.
val decode_der : ?allowed_hashes:Digestif.hash' list -> string -> (t, [> `Msg of string ]) Stdlib.result

decode_der ~allowed_hashes octets is signing_request, the ASN.1 decoded octets, or an error. The signature on the signing request is validated, and its hash algorithm must be in allowed_hashes (by default only SHA-2 is accepted).
val encode_der : t -> string

encode_der sr is octets, the ASN.1 encoded representation of sr.
val decode_pem : string -> (t, [> `Msg of string ]) Stdlib.result

decode_pem pem is t, where the single signing request of the pem is extracted.
val encode_pem : t -> string

encode_pem signing_request is pem, the PEM encoded signing request.
module Ext : sig ... end

request_info: the raw request info of a PKCS 10 certification request (the CertificationRequestInfo structure).
val info : t -> request_info

info signing_request is request_info, the information inside the signing_request.
val signature_algorithm : t -> (Key_type.signature_scheme * Digestif.hash') option

signature_algorithm signing_request is the algorithm used for the signature.
val hostnames : t -> Host.Set.t

hostnames signing_request is the set of domain names this signing_request is requesting. This is either the content of the DNS entries of the SubjectAlternativeName extension, or the common name of the signing_request.
val create : Distinguished_name.t -> ?digest:Digestif.hash' -> ?extensions:Ext.t -> Private_key.t -> (t, [> `Msg of string ]) Stdlib.result

create subject ~digest ~extensions private creates signing_request, a certification request using the given subject, digest (defaults to `SHA256) and list of extensions.
val sign : t -> valid_from:Ptime.t -> valid_until:Ptime.t -> ?allowed_hashes:Digestif.hash' list -> ?digest:Digestif.hash' -> ?serial:string -> ?extensions:Extension.t -> ?subject:Distinguished_name.t -> Private_key.t -> Distinguished_name.t -> (Certificate.t, Validation.signature_error) Stdlib.result

sign signing_request ~valid_from ~valid_until ~allowed_hashes ~digest ~serial ~extensions ~subject private issuer creates certificate, a signed certificate. Signing can fail if the signature on the signing_request is invalid, or its hash algorithm does not occur in allowed_hashes (default all SHA-2 algorithms). Public key and subject are taken from the signing_request unless subject is passed; the extensions are added to the X.509 certificate. The private key is used to sign the certificate, and the issuer is recorded in the certificate. The digest defaults to `SHA256. The serial defaults to a random value between 1 and 2^64. Certificate version is always 3. Please note that the extensions in the signing_request are ignored; you can pass them using (Ext.find returns an option, as for any Gmap):

match Ext.find Extensions (info csr).extensions with
| Some ext -> ext
| None -> Extension.empty
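The following is an added example, not code from the x509 library or its documentation, putting the functions above together as a small CA round-trip: the requester builds a CSR with create and encodes it as PEM; the CA decodes it (which verifies the request's self-signature and rejects non-SHA-2 digests), copies the requested extensions with the Ext.find pattern shown above, pins Basic_constraints so a request cannot smuggle in a CA flag, and issues with sign. It assumes the x509 API documented here together with mirage-crypto-rng-unix (the initialize call varies between releases) and ptime; the names "example.com" and "Example CA" and the validity dates are constructed values.

```ocaml
(* Added example, not part of the x509 project: CSR creation on the requester
   side and certificate issuance on the CA side with X509.Signing_request.
   Assumptions: x509 >= 0.16 API as shown on the page, mirage-crypto-rng-unix
   (initialize signature differs across versions), ptime and fmt. *)

open X509

let ( >>= ) = Result.bind

(* Unwrap a result or fail with its message. *)
let or_fail = function
  | Ok v -> v
  | Error (`Msg m) -> failwith m

(* A distinguished name consisting of a single CN attribute. *)
let dn cn = Distinguished_name.[ Relative_distinguished_name.singleton (CN cn) ]

(* Requester side: generate a key and a CSR carrying a SAN and key usage.
   The requested extensions are wrapped in Signing_request.Ext under the
   Extensions key, which is where [info csr] later exposes them. *)
let make_csr () =
  let key = Private_key.generate ~bits:2048 `RSA in
  let san = General_name.singleton DNS [ "example.com"; "www.example.com" ] in
  let exts =
    Extension.(
      add Subject_alt_name (false, san)
        (singleton Key_usage (true, [ `Digital_signature; `Key_encipherment ])))
  in
  let csr =
    Signing_request.create (dn "example.com") ~digest:`SHA256
      ~extensions:(Signing_request.Ext.singleton Extensions exts) key
    |> or_fail
  in
  key, Signing_request.encode_pem csr

(* CA side: decode_pem verifies the self-signature (SHA-2 only by default);
   sign is additionally restricted here to the listed digests. Extensions
   from the request are ignored by sign, so they are copied explicitly, and
   Basic_constraints is set by the CA rather than taken from the request. *)
let issue ~ca_key ~ca_name csr_pem =
  Signing_request.decode_pem csr_pem >>= fun csr ->
  let requested =
    match
      Signing_request.Ext.(find Extensions (Signing_request.info csr).extensions)
    with
    | Some ext -> ext
    | None -> Extension.empty
  in
  let extensions =
    Extension.add Basic_constraints (true, (false, None)) requested
  in
  (* Constructed validity window; a real CA would derive it from the clock. *)
  let valid_from = Option.get (Ptime.of_date (2024, 1, 1)) in
  let valid_until = Option.get (Ptime.of_date (2025, 1, 1)) in
  match
    Signing_request.sign csr ~valid_from ~valid_until
      ~allowed_hashes:[ `SHA256; `SHA384; `SHA512 ]
      ~extensions ca_key ca_name
  with
  | Ok cert -> Ok cert
  | Error e -> Error (`Msg (Fmt.to_to_string Validation.pp_signature_error e))

let () =
  (* Assumed RNG setup for mirage-crypto-rng-unix 0.11; adjust per version. *)
  Mirage_crypto_rng_unix.initialize (module Mirage_crypto_rng.Fortuna);
  let ca_key = Private_key.generate `ED25519 in
  let ca_name = dn "Example CA" in
  let _leaf_key, csr_pem = make_csr () in
  let cert = issue ~ca_key ~ca_name csr_pem |> or_fail in
  print_string (Certificate.encode_pem cert)
```

The serial is left to its default (a random value between 1 and 2^64) and the certificate digest to `SHA256, as documented for sign. Passing allowed_hashes explicitly is redundant with the default but makes the CA's acceptance policy visible at the call site, which is where a reviewer will look for it.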