
Commit 5f19737

committed
examples: add signing new cert using existing ca pem files
Signed-off-by: Joshua Potts <[email protected]>
1 parent 957a3d8 commit 5f19737


2 files changed

+86
-0
lines changed


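--- a/rcgen/Cargo.toml
+++ b/rcgen/Cargo.toml
@@ -39,6 +39,10 @@ required-features = ["pem"]
 name = "sign-leaf-with-ca"
 required-features = ["pem", "x509-parser"]
 
+[[example]]
+name = "sign-leaf-with-pem-files"
+required-features = ["pem", "x509-parser"]
+
 [[example]]
 name = "simple"
 required-features = ["crypto", "pem"]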
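--- /dev/null
+++ b/[NEW_EXAMPLE_FILE_PATH: not shown on page]
@@ -0,0 +1,82 @@
+//! Generate a new certificate, and sign it with an existing root or
+//! intermediate certificate.
+//!
+//! Requires four positional command line arguments:
+//! * File path to PEM containing signer's key pair
+//! * File path to PEM containing signer's certificate
+//! * File path for generated PEM containing output key pair
+//! * File path for generated PEM containing output certificate
+
+use std::error::Error;
+use std::fs;
+use std::path::PathBuf;
+
+use rcgen::{CertificateParams, DnType, ExtendedKeyUsagePurpose, Issuer, KeyPair, KeyUsagePurpose};
+use time::{Duration, OffsetDateTime};
+
+fn main() -> Result<(), Box<dyn Error>> {
+let mut args = std::env::args().skip(1);
+
+let signer_keys_file = PathBuf::from(
+args.next()
+.ok_or("provide signer's pem keys file as 1st argument")?,
+);
+
+let signer_cert_file = PathBuf::from(
+args.next()
+.ok_or("provide signer's pem certificate file as 2nd argument")?,
+);
+
+let output_keys_file =
+PathBuf::from(args.next().ok_or("output pem keys file as 3rd argument")?);
+
+let output_cert_file = PathBuf::from(args.next().ok_or("output pem cert file as 4th fourth")?);
+
+// Read existing certificate authority
+let keys_pem = fs::read_to_string(&signer_keys_file)?;
+let cert_pem = fs::read_to_string(&signer_cert_file)?;
+
+let key_pair = KeyPair::from_pem(&keys_pem)?;
+let signer = Issuer::from_ca_cert_pem(&cert_pem, key_pair)?;
+
+// Create a new signed server certificate
+const DOMAIN: &str = "example.domain";
+
+let sans = vec![DOMAIN.into()];
+
+let mut params = CertificateParams::new(sans)?;
+
+params.distinguished_name.push(DnType::CommonName, DOMAIN);
+params.use_authority_key_identifier_extension = true;
+params.key_usages.push(KeyUsagePurpose::DigitalSignature);
+params
+.extended_key_usages
+.push(ExtendedKeyUsagePurpose::ServerAuth);
+
+const DAY: Duration = Duration::days(1);
+
+let yesterday = OffsetDateTime::now_utc()
+.checked_sub(DAY)
+.ok_or("invalid yesterday")?;
+
+let tomorrow = OffsetDateTime::now_utc()
+.checked_add(DAY)
+.ok_or("invalid tomorrow")?;
+
+params.not_before = yesterday;
+params.not_after = tomorrow;
+
+let output_keys = KeyPair::generate()?;
+let output_cert = params.signed_by(&output_keys, &signer)?;
+
+// Write new certificate
+fs::write(&output_keys_file, output_keys.serialize_pem())?;
+fs::write(&output_cert_file, output_cert.pem())?;
+
+println!("Wrote signed leaf certificate:");
+println!(" keys: {}", output_keys_file.display());
+println!(" cert: {}", output_cert_file.display());
+println!();
+
+Ok(())
+}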
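Review bot: The new private key is written at line 73 with `fs::write(&output_keys_file, output_keys.serialize_pem())?`, which creates the file with the process's default permissions and silently replaces whatever is already at that path, so the generated key pair is typically readable by every local user and an existing key at the output path can be clobbered. Since examples get copied into real deployments, the key file should be opened with `create_new(true)` and, on unix, `mode(0o600)` through `std::os::unix::fs::OpenOptionsExt`, then written with `write_all` (this needs `use std::io::Write;` added to the imports); the certificate can keep using `fs::write`, as it is public. Separately, the error message on line 33 reads `"output pem cert file as 4th fourth"` while the other three end in `as Nth argument`, so `"output pem cert file as 4th argument"` keeps them consistent. `main` is entirely within this hunk.
```rust
// … unchanged: argument parsing, issuer loading, certificate params …
let output_keys = KeyPair::generate()?;
let output_cert = params.signed_by(&output_keys, &signer)?;

// Write new certificate. The key file must be owner-only and must not
// silently replace an existing key; the certificate is public.
let mut key_opts = fs::OpenOptions::new();
key_opts.write(true).create_new(true);
#[cfg(unix)]
{
    use std::os::unix::fs::OpenOptionsExt;
    key_opts.mode(0o600);
}
let mut keys_out = key_opts.open(&output_keys_file)?;
keys_out.write_all(output_keys.serialize_pem().as_ref())?;
fs::write(&output_cert_file, output_cert.pem())?;
// … unchanged: status output and Ok(()) …
```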
