Crate koi_certmesh 

Koi Certmesh - certificate mesh with pluggable enrollment auth (Phase 2+).

Provides a private Certificate Authority that mints ECDSA P-256 certificates, pluggable enrollment authentication (TOTP), trust store installation, and a roster of enrolled members. Two machines on the same LAN can establish mutual TLS trust without external infrastructure.

Re-exports

pub use certmesh_paths::CertmeshPaths;

pub use client::PeerClient;

pub use csr::sign_csr;

pub use error::CertmeshError;

Modules

acme

RFC 8555 ACME server (dns-01 only, EC/ES256 only) — a facade over the certmesh CA that lets any standard ACME client (Caddy, Traefik, lego, certbot) obtain certificates for names inside the Koi DNS zone with zero Koi knowledge.

audit

Append-only audit log for certmesh operations.

backup

Certmesh backup/restore encoding.

bundle

The signed, monotonic Trust Bundle — the single source of mesh truth (ADR-017 P1 / F4).

ca

Certificate Authority creation and certificate issuance.

certfiles

Certificate file writing to the standard path.

certmesh_paths

Resolved filesystem paths for certmesh operations.

client

client_for — the posture-keyed peer client (ADR-020 §6).

csr

CSR (PKCS#10 Certificate Signing Request) issuance.

diagnosis

The trust-doctor logic (diagnose()) — ADR-020 §13.

enrollment

Enrollment flow logic.

entropy

Entropy collection for CA key generation.

envelope

Envelope signing & verification — the sign/verify logic for ADR-020 §3.

error

Certmesh domain error types.

failover

Manual CA promotion — the encrypted CA-key transfer to a standby.

health

Member health heartbeat validation.

http

Certmesh HTTP route handlers.

init_ceremony

Certmesh init-ceremony rules - the domain-specific bag→prompts logic for certmesh ceremonies (init, join, invite, unlock).

invite

Per-host, single-use, time-bounded enrollment invite tokens.

lifecycle

Reload-hook execution after a certificate renewal.

member

Member-side renewal state (ADR-017 F6).

mtls

mTLS server primitive for the certificate mesh.

profiles

Trust-profile presets.

protocol

Wire types for certmesh HTTP endpoints.

roster

Roster data model and persistence.

sealed

seal/open — the confidentiality-rung logic for ADR-020 §4.

serve

Per-connection serving primitives for the same-port posture dial (ADR-020 §5).

wordlist

EFF large wordlist (7,776 words) for XKCD-style passphrase generation.

Structs

ApprovalRequest

Enrollment approval request sent to the operator prompt.

CertmeshCore

CertmeshCore - the main domain facade.

Identity

This node’s live cryptographic identity (ADR-020 §7): its CA-signed leaf plus the CA anchor it chains to. The unified replacement for the previously fragmented SelfEnrollment (cert/key/CA, no hostname) and member::MemberState (CA coordinates, no cert). Returned by CertmeshCore::local_identity and ensure_identity.

IdentityInfo

Serializable, key-redacting projection of Identity for cross-process and cross-language consumers (ADR-020 reactive plane / wishlist 5.3).

RenewalHealth

Derived renewal/expiry health of a leaf certificate (ADR-020 §13).

SelfEnrollment

Result of daemon self-enrollment for the mTLS listener.

Enums

ApprovalDecision

Enrollment approval decision from the operator prompt.

BundleOutcome

Outcome of a member trust-bundle pull (CertmeshCore::pull_trust_bundle).

CertmeshEvent

Events emitted by the certmesh subsystem.

RenewOutcome

Outcome of a member-pull renewal attempt (CertmeshCore::renew_self_if_due).

Constants

CERTMESH_SERVICE_TYPE

mDNS service type for CA discovery. Used by the binary crate to announce the CA via koi-mdns.

Functions

machine_binding_ok

Whether the recorded machine binding still matches this host (ADR-017 F11).