
Module certificates


Certificate wrapping, renewal logic, and subject validation.

This module provides the Certificate type that wraps a TLS certificate chain (as DER-encoded bytes) together with its private key and metadata extracted from the leaf certificate (SANs, validity period, hash).

§Key concepts

  • Renewal window: a certificate is considered due for renewal when the remaining fraction of its total lifetime drops below a configurable ratio (default DEFAULT_RENEWAL_WINDOW_RATIO = 1/3). An emergency renewal is also triggered when fewer than 24 hours remain.
  • Subject qualification: helper functions such as subject_qualifies_for_cert and subject_qualifies_for_public_cert validate domain names before attempting certificate issuance, catching common typos and misconfigurations early.
  • Wildcard matching: match_wildcard implements RFC 6125 / RFC 2818 wildcard rules for certificate lookups.
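The renewal-window rule and the wildcard rule above, as an added stand-alone example that is not this crate's code: `in_renewal_window` and this `match_wildcard` are re-implementations written for illustration, and validity times are modelled as plain seconds since the epoch rather than the crate's own types.

```rust
// Added example, not the crate's own code: a stand-alone model of the renewal
// window rule above and of RFC 6125 / RFC 2818 wildcard matching. Times are
// plain seconds since the epoch so the snippet needs no external crates.

/// Assumed default, mirroring DEFAULT_RENEWAL_WINDOW_RATIO from the module docs.
pub const RENEWAL_WINDOW_RATIO: f64 = 1.0 / 3.0;
/// Emergency threshold: renew whenever fewer than 24 hours remain.
pub const EMERGENCY_SECS: i64 = 24 * 60 * 60;

/// True if `now` is inside (or past) the renewal window of a certificate
/// valid from `not_before` to `not_after` (all in seconds since the epoch).
pub fn in_renewal_window(not_before: i64, not_after: i64, now: i64, ratio: f64) -> bool {
    let total = not_after - not_before;
    if total <= 0 {
        return true; // degenerate validity period: treat as due for renewal
    }
    let remaining = not_after - now;
    if remaining < EMERGENCY_SECS {
        return true; // emergency renewal, regardless of the ratio
    }
    (remaining as f64) / (total as f64) < ratio
}

/// Wildcard match: the `*` may only be the entire leftmost label, it matches
/// exactly one non-empty label, and at least two labels must follow it so
/// that `*.com` cannot cover a whole TLD. Comparison is case-insensitive.
pub fn match_wildcard(subject: &str, wildcard: &str) -> bool {
    let subject = subject.to_ascii_lowercase();
    let wildcard = wildcard.to_ascii_lowercase();
    let suffix = match wildcard.strip_prefix("*.") {
        Some(s) => s,
        // Not a wildcard name: only an exact, asterisk-free match counts.
        None => return !wildcard.contains('*') && subject == wildcard,
    };
    let labels: Vec<&str> = suffix.split('.').collect();
    if suffix.contains('*') || labels.len() < 2 || labels.iter().any(|l| l.is_empty()) {
        return false;
    }
    match subject.split_once('.') {
        Some((first, rest)) => !first.is_empty() && first != "*" && rest == suffix,
        None => false,
    }
}
```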

Structs

Certificate
A TLS certificate chain together with its private key and parsed metadata.

Enums

PrivateKeyKind
Indicates which variant of PrivateKeyDer the stored raw bytes represent.

Constants

DEFAULT_RENEWAL_WINDOW_RATIO
The default ratio of remaining lifetime to total lifetime at which a certificate is considered due for renewal.

Functions

currently_in_renewal_window
Returns true if the current time is within (or past) the renewal window.
extract_names_from_der
Extract subject names from a DER-encoded certificate without requiring the full Certificate struct.
hash_certificate_chain
Compute the SHA-256 hash of the entire certificate chain (all DER bytes concatenated) and return it as a lowercase hex string.
managed_cert_in_storage_needs_renewal
Check whether a managed certificate stored in storage needs renewal.
match_wildcard
Returns true if subject (a candidate DNS name) matches wildcard (a reference DNS name), using DNS wildcard matching logic.
reload_managed_certificate
Reload a managed certificate from storage, replacing the old version in cache.
subject_is_internal
Returns true if subject is an internal-facing hostname or address that cannot receive a certificate from a public CA.
subject_is_ip
Returns true if subject is an IP address (either IPv4 or IPv6).
subject_qualifies_for_cert
Returns true if subject looks like it could be a valid certificate subject name.
subject_qualifies_for_public_cert
Returns true if the subject name appears eligible for a certificate from a public CA such as Let’s Encrypt.