Struct SniCertResolver 

pub struct SniCertResolver { /* private fields */ }

SNI-based certificate resolver for dynamic TLS certificate selection

This resolver maintains a mapping of domain names to TLS certificates, allowing the proxy to serve different certificates for different domains. It supports:

• Exact domain matching (e.g., api.example.com)
• Wildcard certificates (e.g., *.example.com)
• A default/fallback certificate for unmatched domains

The resolver is thread-safe and supports concurrent certificate updates.

Implementations

impl SniCertResolver

pub fn new() -> Self

Create a new empty SNI certificate resolver

Example

use zlayer_proxy::SniCertResolver;

let resolver = SniCertResolver::new();

pub fn load_cert( &self, domain: &str, cert_pem: &str, key_pem: &str, ) -> Result<()>

Load a certificate for a specific domain

Parses the PEM-encoded certificate chain and private key, then stores the resulting CertifiedKey for the given domain.

Arguments

• domain - The domain name (e.g., example.com or *.example.com)
• cert_pem - PEM-encoded certificate chain
• key_pem - PEM-encoded private key

Errors

Returns an error if:

• The certificate PEM cannot be parsed
• The private key PEM cannot be parsed
• The key is not compatible with the certificate

Example

resolver.load_cert("example.com", cert_pem, key_pem)?;

pub fn set_default_cert(&self, cert_pem: &str, key_pem: &str) -> Result<()>

Set the default/fallback certificate

This certificate is used when no domain-specific certificate matches the client’s SNI request.

Arguments

• cert_pem - PEM-encoded certificate chain
• key_pem - PEM-encoded private key

Errors

Returns an error if the certificate or key cannot be parsed.

Example

resolver.set_default_cert(default_cert_pem, default_key_pem)?;

Panics

Panics if the internal RwLock is poisoned.

pub fn remove_cert(&self, domain: &str)

Remove a certificate for a specific domain

Arguments

• domain - The domain name to remove the certificate for

Example

resolver.remove_cert("example.com");

pub fn refresh_cert( &self, domain: &str, cert_pem: &str, key_pem: &str, ) -> Result<()>

Refresh/update a certificate for an existing domain

This is equivalent to calling load_cert but semantically indicates an update to an existing certificate (e.g., for certificate renewal).

Arguments

• domain - The domain name
• cert_pem - New PEM-encoded certificate chain
• key_pem - New PEM-encoded private key

Errors

Returns an error if the certificate or key cannot be parsed.

Example

resolver.refresh_cert("example.com", new_cert_pem, new_key_pem)?;

pub fn has_cert(&self, domain: &str) -> bool

Check if a certificate exists for a domain

Arguments

• domain - The domain name to check

Returns

true if a certificate is loaded for the exact domain name

pub fn cert_count(&self) -> usize

Get the number of loaded certificates

pub fn domains(&self) -> Vec<String>

List all domains with loaded certificates

pub fn has_default_cert(&self) -> bool

Check if a default/fallback certificate is configured

Trait Implementations

impl Debug for SniCertResolver

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SniCertResolver

fn default() -> Self

Returns the “default value” for a type.

impl ResolvesServerCert for SniCertResolver

fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>>

Choose a certificate chain and matching key given simplified ClientHello information.

fn only_raw_public_keys(&self) -> bool

Return true when the server only supports raw public keys.