pub fn sign_node_cert(
ca_cert_pem: &str,
ca_key_pem: &str,
) -> ZamResult<SignedNodeCredentials>
Sign a new node certificate with an existing CA.
Used by zamsync sign <clinic-dir> --ca <hub-dir>:
- The hub CA key is read from <hub-dir>/tls/ca.key.
- A fresh ECDSA P-256 keypair is generated for the clinic node.
- The clinic cert is signed by the hub CA, so the clinic joins the same mTLS deployment without the hub generating a new CA.
The CA cert PEM is passed through unchanged into SignedNodeCredentials.ca_cert_pem so
the clinic always distributes the original CA cert to its own TLS config.
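
Since the key at <hub-dir>/tls/ca.key can sign a certificate that joins the mTLS deployment, a pre-flight check on that file is worth running before signing. The following is an added example, not zamsync's own code: check_hub_ca_key and CaKeyIssue are hypothetical names, and the owner-only permission policy is an assumption.

```rust
use std::{fs, io, path::{Path, PathBuf}};

/// Reasons to stop before the hub CA key is handed to a signing call.
#[derive(Debug, PartialEq)]
pub enum CaKeyIssue {
    Missing,
    Unreadable,
    NotRegularFile,     // symlink, directory, device node
    TooPermissive(u32), // group or other permission bits are set
    NotPemPrivateKey,
}

/// Hypothetical pre-flight check (not part of zamsync). The path layout
/// <hub-dir>/tls/ca.key is the one given in the documentation above.
pub fn check_hub_ca_key(hub_dir: &Path) -> Result<PathBuf, CaKeyIssue> {
    let key_path = hub_dir.join("tls").join("ca.key");
    // symlink_metadata does not follow links, so a symlink placed at
    // ca.key is reported instead of silently resolved.
    let meta = fs::symlink_metadata(&key_path).map_err(|e| match e.kind() {
        io::ErrorKind::NotFound => CaKeyIssue::Missing,
        _ => CaKeyIssue::Unreadable,
    })?;
    if !meta.file_type().is_file() {
        return Err(CaKeyIssue::NotRegularFile);
    }
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let mode = meta.permissions().mode() & 0o777;
        // Assumed policy: only the owner may read or write the CA key.
        if mode & 0o077 != 0 {
            return Err(CaKeyIssue::TooPermissive(mode));
        }
    }
    let text = fs::read_to_string(&key_path).map_err(|_| CaKeyIssue::Unreadable)?;
    let first = text.lines().next().unwrap_or("").trim();
    if !(first.starts_with("-----BEGIN ") && first.ends_with("PRIVATE KEY-----")) {
        return Err(CaKeyIssue::NotPemPrivateKey);
    }
    Ok(key_path)
}

fn main() {
    let hub = std::env::args().nth(1).unwrap_or_else(|| ".".to_string());
    match check_hub_ca_key(Path::new(&hub)) {
        Ok(p) => println!("ok: {}", p.display()),
        Err(issue) => { eprintln!("refusing to sign: {:?}", issue); std::process::exit(1) }
    }
}
```

The permission test applies only on Unix targets; elsewhere the function still rejects symlinks and files that do not start with a PEM private-key header.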