Crate rcgen


Rust X.509 certificate generation utility

This crate provides a way to generate self signed X.509 certificates.

The simplest way of using this crate is by calling the generate_simple_self_signed function. For more customization, we provide the lower-level Certificate::from_params function.


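extern crate rcgen;
use rcgen::generate_simple_self_signed;
// Generate a certificate that's valid for "localhost" and ""
let subject_alt_names = vec!["".to_string(),
	"localhost".to_string()];

// The returned Certificate holds both the certificate and its signing key pair
let cert = generate_simple_self_signed(subject_alt_names).unwrap();
println!("{}", cert.serialize_pem().unwrap());
// The private key is serialized unencrypted; treat this output as a secret
println!("{}", cert.serialize_private_key_pem());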


A self signed certificate together with signing keys

Parameters used for certificate generation

Data for a certificate signing request

A custom extension of a certificate, as specified in RFC 5280

Distinguished name used e.g. for the issuer and subject fields of a certificate

A key pair used to sign certificates and CSRs

The NameConstraints extension (only relevant for CA certificates)

A public key, extracted from a CSR

Signature algorithm type


The path length constraint (only relevant for CA certificates)

CIDR subnet, as per RFC 4632

The attribute type of a distinguished name entry

A distinguished name entry

One of the purposes contained in the extended key usage extension

General Subtree type.

Whether the certificate is allowed to sign other certificates

Method to generate key identifiers from public keys.

One of the purposes contained in the key usage extension

The error type of the rcgen crate

The type of subject alt name


ECDSA signing using the P-256 curves and SHA-256 hashing as per RFC 5758

ECDSA signing using the P-384 curves and SHA-384 hashing as per RFC 5758

ED25519 curve signing as per RFC 8410

RSA signing with PKCS#1 1.5 padding and SHA-256 hashing as per RFC 4055

RSA signing with PKCS#1 1.5 padding and SHA-256 hashing as per RFC 4055

RSA signing with PKCS#1 1.5 padding and SHA-512 hashing as per RFC 4055


A private key that is not directly accessible, but can be used to sign messages


Helper to obtain an OffsetDateTime from year, month, day values

KISS function to generate a self signed certificate