certkit 0.2.0

A pure Rust library for X.509 certificate creation, parsing, and management, supporting RSA, ECDSA, and Ed25519 keys, with no OpenSSL or ring dependencies.

CertKit

A high-level Rust library providing abstractions over certificates and keys. This toolkit simplifies the process of creating certificates, intermediate Certificate Authorities (CAs), and root CAs.

Features

  • Create and manage X.509 certificates
  • Generate and handle root Certificate Authorities (CAs)
  • Create intermediate CAs for certificate hierarchies
  • Support for multiple key types:
    • RSA
    • ECDSA (P-256, P-384, P-521)
    • Ed25519
  • PEM and DER format support
  • Modern Rust implementation with strong type safety
  • Type-safe parsing and serialization with the der crate

Usage

Add this to your Cargo.toml:

[dependencies]
certkit = "0.2"

Cargo features

Each cryptographic algorithm is behind its own feature. All are enabled by default, so the default build is unchanged:

| Feature | Algorithm | Default |
|---------|-----------|---------|
| rsa | RSA | yes |
| p256 | ECDSA P-256 | yes |
| p384 | ECDSA P-384 | yes |
| p521 | ECDSA P-521 | yes |
| ed25519 | Ed25519 | yes |

To pull in only the algorithms you need, disable the defaults and opt back in. For example, an ECDSA-only build that drops RSA (and its num-bigint-dig / libm dependency tree):

[dependencies]
certkit = { version = "0.2", default-features = false, features = ["p256", "p384"] }

At least one algorithm feature must be enabled; building with none is a compile error.

Examples

tests/tls_echo.rs is a complete, runnable example that exercises the full PKI workflow:

  1. Generate a root CA (self-signed)
  2. Issue an intermediate CA signed by the root
  3. Issue server and client end-entity certificates from the intermediate
  4. Stand up an mTLS echo server with rustls and verify a successful round-trip

Run it with:

cargo test mtls_echo

Key formats

| Standard | Supported | Notes |
|----------|-----------|-------|
| PKCS #1 | RSA only | Encoding/decoding RSA public and private keys; RSASSA-PKCS1-v1_5 signatures with SHA-256 |
| PKCS #8 | ✅ All | Primary private-key format for every algorithm (RSA, ECDSA, Ed25519). PEM and DER import/export |
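
The two standards listed above can be told apart from the DER bytes alone, which is useful when checking what kind of private key a file actually holds before importing it. The following is an added example, not certkit code and not its API: a std-only Rust classifier whose names (`KeyFormat`, `tlv`, `classify`) are hypothetical and whose sample key bytes are constructed.

```rust
// Added example, not certkit code: tell PKCS #1 from PKCS #8 by DER structure.
#[derive(Debug, PartialEq)]
pub enum KeyFormat {
    Pkcs1Rsa,
    Pkcs8(&'static str), // algorithm named by the AlgorithmIdentifier OID
}

/// Read one DER TLV from the front of `buf`: (tag, value, remaining bytes).
fn tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&l0, rest) = rest.split_first()?;
    let (len, rest) = if l0 < 0x80 {
        (l0 as usize, rest) // short form: the byte is the length
    } else {
        let n = (l0 & 0x7f) as usize; // long form: n length bytes follow
        if n == 0 || n > 4 || rest.len() < n { return None; } // indefinite or oversized
        (rest[..n].iter().fold(0usize, |a, &b| (a << 8) | b as usize), &rest[n..])
    };
    if rest.len() < len { return None; } // truncated input
    Some((tag, &rest[..len], &rest[len..]))
}

pub fn classify(der: &[u8]) -> Option<KeyFormat> {
    let (tag, body, trailing) = tlv(der)?;
    if tag != 0x30 || !trailing.is_empty() { return None; } // exactly one outer SEQUENCE
    let (vtag, _version, rest) = tlv(body)?;
    if vtag != 0x02 { return None; } // both formats begin with an INTEGER version
    let (next, value, _) = tlv(rest)?;
    match next {
        0x02 => Some(KeyFormat::Pkcs1Rsa), // RSAPrivateKey: INTEGER modulus follows
        0x30 => match tlv(value)? {
            // PrivateKeyInfo: the AlgorithmIdentifier begins with an OID
            (0x06, [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 1, 1, 1], _) => Some(KeyFormat::Pkcs8("RSA")),
            (0x06, [0x2a, 0x86, 0x48, 0xce, 0x3d, 2, 1], _) => Some(KeyFormat::Pkcs8("EC")),
            (0x06, [0x2b, 0x65, 0x70], _) => Some(KeyFormat::Pkcs8("Ed25519")),
            (0x06, _, _) => Some(KeyFormat::Pkcs8("unknown")),
            _ => None,
        },
        _ => None, // e.g. SEC1 ECPrivateKey (OCTET STRING after the version)
    }
}

fn main() {
    // Constructed sample: PKCS #8 Ed25519 header followed by an all-zero 32-byte key.
    let mut ed = vec![0x30, 0x2e, 2, 1, 0, 0x30, 5, 6, 3, 0x2b, 0x65, 0x70, 4, 0x22, 4, 0x20];
    ed.extend_from_slice(&[0u8; 32]);
    println!("{:?}", classify(&ed));
}
```

The PKCS #1 branch is a structural heuristic (an INTEGER directly after the version); it does not validate the remaining RSA fields.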

Dependencies

  • x509-cert: X.509 certificate handling
  • der: ASN.1 DER encoding/decoding
  • pkcs8: Public-Key Cryptography Standards #8
  • rsa, p256, ed25519-dalek: Cryptographic algorithms
  • time: Time handling for certificate validity
  • pem: PEM format encoding/decoding

License

This crate is distributed under the terms of both the MIT license and the Apache License (Version 2.0), at your option.

See LICENSE for details.

License of your contributions

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.