rustls-webpki 0.101.7

Web PKI X.509 Certificate Verification.

Build Status Coverage Status ( Documentation Chat

webpki is a library that validates Web PKI (TLS/SSL) certificates. It's used by Rustls to handle certificate-related tasks required for implementing TLS clients and servers.

webpki is written in Rust and uses ring for cryptographic operations and low-level parsing.

This is a fork of the original webpki project which adds a number of features required by the rustls project. This fork is released as the rustls-webpki crate, with versions starting 0.100.0 so as to not confusingly overlap with webpki versions.


  • Representing trust anchors - webpki requires the caller to bootstrap trust by explicitly specifying a set of trust anchors using the TrustAnchor type.

  • Parsing certificates - webpki can convert from the raw encoded form of a certificate into something that can be used for making trust decisions.

  • Path building - webpki can determine if a certificate for an end entity like a website or client identity was issued by a trust anchor, or a series of intermediate certificates the trust anchor has endorsed.

  • Name/usage validation - webpki can determine if a certificate is valid for a given DNS name or IP address by considering the allowed usage of the certificate and additional constraints.


webpki offers a minimal feature set tailored to the needs of Rustls. Notably it does not offer:

  • Certificate or keypair generation
  • Access to arbitrary certificate extensions
  • Parsing/representation of certificate subjects, or human-friendly display of these fields

For these tasks you may prefer using webpki in combination with libraries like x509-parser and rcgen.


Release history can be found on GitHub.


See for an example of using webpki.


See LICENSE. This project happily accepts pull requests without any formal copyright/contributor license agreement.

Bug Reporting

Please refer to the SECURITY policy for security issues. All other bugs should be reported as GitHub issues.