certkit 0.2.0

A pure Rust library for X.509 certificate creation, parsing, and management, supporting RSA, ECDSA, and Ed25519 keys, with no OpenSSL or ring dependencies.
# CertKit

A high-level Rust library providing abstractions over certificates and keys. This toolkit simplifies the process of creating certificates, intermediate Certificate Authorities (CAs), and root CAs.

## Features

- Create and manage X.509 certificates
- Generate and handle root Certificate Authorities (CAs)
- Create intermediate CAs for certificate hierarchies
- Support for multiple key types:
  - RSA
  - ECDSA (P-256, P-384, P-521)
  - Ed25519
- PEM and DER format support
- Modern Rust implementation with strong type safety
- Type-safe parsing and serialization with the `der` crate

## Usage

Add this to your `Cargo.toml`:

```toml
[dependencies]
certkit = "0.2"
```

## Cargo features

Each cryptographic algorithm is behind its own feature. All are enabled by default, so a default build still includes every algorithm (the same set earlier releases built in):

| Feature   | Algorithm        | Default |
|-----------|------------------|---------|
| `rsa`     | RSA              | yes     |
| `p256`    | ECDSA P-256      | yes     |
| `p384`    | ECDSA P-384      | yes     |
| `p521`    | ECDSA P-521      | yes     |
| `ed25519` | Ed25519          | yes     |

To pull in only the algorithms you need, disable the defaults and opt back in. For example, an ECDSA-only build that drops RSA (and its `num-bigint-dig` / `libm` dependency tree):

```toml
[dependencies]
certkit = { version = "0.2", default-features = false, features = ["p256", "p384"] }
```

At least one algorithm feature must be enabled; building with none is a compile error.

## Examples

[`tests/tls_echo.rs`](tests/tls_echo.rs) is a complete, runnable example that exercises the full PKI workflow:

1. Generate a **root CA** (self-signed)
2. Issue an **intermediate CA** signed by the root
3. Issue **server** and **client** end-entity certificates from the intermediate
4. Stand up an **mTLS echo server** with `rustls` and verify a successful round-trip

Run it with:

```sh
cargo test mtls_echo
```

## Key formats

| Standard | Supported | Notes |
|----------|-----------|-------|
| PKCS #1  | RSA only  | Encoding/decoding RSA public and private keys; RSASSA-PKCS1-v1_5 signatures with SHA-256 |
| PKCS #8  | ✅ All    | Primary private-key format for every algorithm (RSA, ECDSA, Ed25519). PEM and DER import/export |
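To make the strictness that DER import implies concrete, here is an added example written for this page; it is not certkit's own code, which delegates this work to the `pem` and `der` crates listed under Dependencies. Using only `std`, it decodes one PEM block into DER, maps the PEM label to the key format from the table above, and checks the outermost DER TLV against the rules that separate DER from BER: definite lengths only, minimal length encoding, and no bytes after the value. The `SAMPLE_PEM` constant is constructed (its body is a toy SEQUENCE, not a real certificate), and every type and function name here is this example's own.

```rust
// Added example (not certkit code): strict PEM -> DER decoding with the
// length checks a DER parser must enforce and a lenient BER parser would skip.

#[derive(Debug, PartialEq)]
pub enum PemError { MissingHeader, MissingFooter, LabelMismatch, BadBase64 }

#[derive(Debug, PartialEq)]
pub enum DerError { Truncated, IndefiniteLength, NonMinimalLength, LengthTooLarge, TrailingBytes }

/// Decode standard base64 (RFC 4648 alphabet, '=' padding); any other byte is an error.
fn base64_decode(s: &str) -> Result<Vec<u8>, PemError> {
    fn val(c: u8) -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some((c - b'A') as u32),
            b'a'..=b'z' => Some((c - b'a') as u32 + 26),
            b'0'..=b'9' => Some((c - b'0') as u32 + 52),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    }
    let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if bytes.len() % 4 != 0 { return Err(PemError::BadBase64); }
    let nchunks = bytes.len() / 4;
    let mut out = Vec::with_capacity(nchunks * 3);
    for (ci, chunk) in bytes.chunks(4).enumerate() {
        let pad = chunk.iter().rev().take_while(|&&b| b == b'=').count();
        // '=' is allowed only at the very end of the data, and at most twice.
        if pad > 2 || (pad > 0 && ci + 1 != nchunks) { return Err(PemError::BadBase64); }
        let mut acc = 0u32;
        for (i, &b) in chunk.iter().enumerate() {
            let v = match b {
                b'=' if i >= 4 - pad => 0,
                b'=' => return Err(PemError::BadBase64),
                _ => val(b).ok_or(PemError::BadBase64)?,
            };
            acc = (acc << 6) | v;
        }
        let full = [(acc >> 16) as u8, (acc >> 8) as u8, acc as u8];
        out.extend_from_slice(&full[..3 - pad]);
    }
    Ok(out)
}

/// Parse one PEM block into (label, DER bytes). BEGIN and END labels must match (RFC 7468).
pub fn pem_decode(text: &str) -> Result<(String, Vec<u8>), PemError> {
    let mut lines = text.lines().map(str::trim);
    let begin = lines.find(|l| l.starts_with("-----BEGIN ")).ok_or(PemError::MissingHeader)?;
    let label = begin.trim_start_matches("-----BEGIN ").trim_end_matches("-----").to_string();
    let mut body = String::new();
    let mut footer = None;
    for l in lines {
        if l.starts_with("-----END ") { footer = Some(l); break; }
        body.push_str(l);
    }
    let footer = footer.ok_or(PemError::MissingFooter)?;
    let end_label = footer.trim_start_matches("-----END ").trim_end_matches("-----");
    if end_label != label { return Err(PemError::LabelMismatch); }
    Ok((label, base64_decode(&body)?))
}

/// What the PEM label says about the payload: PKCS #1 armor is RSA-specific,
/// PKCS #8 armor is algorithm-neutral and carries the algorithm identifier inside.
pub fn key_format(label: &str) -> &'static str {
    match label {
        "RSA PRIVATE KEY" | "RSA PUBLIC KEY" => "PKCS#1 (RSA only)",
        "PRIVATE KEY" => "PKCS#8 (unencrypted)",
        "ENCRYPTED PRIVATE KEY" => "PKCS#8 (encrypted)",
        "PUBLIC KEY" => "SubjectPublicKeyInfo",
        "CERTIFICATE" => "X.509 certificate",
        _ => "unknown",
    }
}

/// Parse the outermost DER TLV and return (tag, content). DER forbids the
/// indefinite length form and any non-minimal length encoding, and a value
/// such as a certificate must use the whole buffer with nothing after it.
pub fn der_outer(bytes: &[u8]) -> Result<(u8, &[u8]), DerError> {
    if bytes.len() < 2 { return Err(DerError::Truncated); }
    let (tag, first) = (bytes[0], bytes[1]);
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 { return Err(DerError::IndefiniteLength); }
        if n > 4 { return Err(DerError::LengthTooLarge); }
        let len_bytes = bytes.get(2..2 + n).ok_or(DerError::Truncated)?;
        // No leading zero octets, and the short form is mandatory when the length fits in it.
        if len_bytes[0] == 0 || (n == 1 && len_bytes[0] < 0x80) { return Err(DerError::NonMinimalLength); }
        (len_bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize), 2 + n)
    };
    let content = bytes.get(hdr..hdr + len).ok_or(DerError::Truncated)?;
    if bytes.len() != hdr + len { return Err(DerError::TrailingBytes); }
    Ok((tag, content))
}

/// Constructed sample: the body encodes SEQUENCE { INTEGER 1, INTEGER 2 }
/// (30 06 02 01 01 02 01 02), a toy value rather than a real certificate.
pub const SAMPLE_PEM: &str = "-----BEGIN CERTIFICATE-----\nMAYCAQECAQI=\n-----END CERTIFICATE-----\n";

fn main() {
    let (label, der) = pem_decode(SAMPLE_PEM).expect("valid PEM");
    let (tag, body) = der_outer(&der).expect("valid DER");
    println!("{label} ({}) tag=0x{tag:02x} content={body:02x?}", key_format(&label));
}
```

The length rules are not pedantry: a signature over a certificate covers the exact `tbsCertificate` bytes, so a decoder that also accepts BER encodings of the same structure lets two different byte strings claim the same meaning, which is what a strict DER crate such as `der` is there to prevent.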

## Dependencies

- `x509-cert`: X.509 certificate handling
- `der`: ASN.1 DER encoding/decoding
- `pkcs8`: Public-Key Cryptography Standards #8
- `rsa`, `p256`, `ed25519-dalek`: Cryptographic algorithms
- `time`: Time handling for certificate validity
- `pem`: PEM format encoding/decoding

### License

This crate is distributed under the terms of both the MIT license and the Apache License (Version 2.0), at your option.

See [LICENSE](LICENSE) for details.

### License of your contributions

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.