Library
Module
Module type
Parameter
Class
Class type
A certificate authority (CA) deals with PKCS 10 certificate signing requests, their construction and encoding, and provisioning using a private key to generate a certificate with a signature thereof.
val decode_der :
?hash_whitelist:Mirage_crypto.Hash.hash list ->
Cstruct.t ->
(t, [> Rresult.R.msg ]) Rresult.result
decode_der ~hash_whitelist cstruct
is signing_request
, the ASN.1 decoded cstruct
or an error. The signature on the signing request is validated, and its hash algorithm must be in hash_whitelist
(by default only SHA-2 is accepted).
encode_der sr
is cstruct
, the ASN.1 encoded representation of the sr
.
val decode_pem : Cstruct.t -> (t, [> Rresult.R.msg ]) Rresult.result
decode_pem pem
is t
, where the single signing request of the pem
is extracted
module Ext : sig ... end
The raw request info of a PKCS 10 certification request info.
val info : t -> request_info
info signing_request
is request_info
, the information inside the signing_request
.
val signature_algorithm :
t ->
([ `RSA | `ECDSA ] * Mirage_crypto.Hash.hash) option
signature_algorithm signing_request
is the algorithm used for the signature.
val hostnames : t -> Host.Set.t
hostnames signing_request
is the set of domain names this signing_request
is requesting. This is either the content of the DNS entries of the SubjectAlternativeName extension, or the common name of the signing_request
.
val create :
Distinguished_name.t ->
?digest:Mirage_crypto.Hash.hash ->
?extensions:Ext.t ->
Private_key.t ->
t
create subject ~digest ~extensions private
creates signing_request
, a certification request using the given subject
, digest
(defaults to `SHA256
) and list of extensions
.
val sign :
t ->
valid_from:Ptime.t ->
valid_until:Ptime.t ->
?hash_whitelist:Mirage_crypto.Hash.hash list ->
?digest:Mirage_crypto.Hash.hash ->
?serial:Z.t ->
?extensions:Extension.t ->
Private_key.t ->
Distinguished_name.t ->
(Certificate.t, [> Validation.signature_error ]) Rresult.result
sign signing_request ~valid_from ~valid_until ~hash_whitelist ~digest ~serial ~extensions private issuer
creates certificate
, a signed certificate. Signing can fail if the signature on the signing_request
is invalid, or its hash algorithm does not occur in hash_whitelist
(default all SHA-2 algorithms). Public key and subject are taken from the signing_request
, the extensions
are added to the X.509 certificate. The private
key is used to sign the certificate, the issuer
is recorded in the certificate. The digest defaults to `SHA256
. The serial
defaults to a random value between 1 and 2^64. Certificate version is always 3. Please note that the extensions in the signing_request
are ignored, you can pass them using:
match Ext.find Extensions (info csr).extensions with
| Ok ext -> ext
| Error _ -> Extension.empty