omjadas / hudsucker

Intercepting HTTP/S proxy
https://crates.io/crates/hudsucker
Apache License 2.0

How to generate CA cert #18

Closed derust closed 2 years ago

derust commented 2 years ago

How do I generate a CA cert like hudsucker.pem?

It seems a CA cert generated with mkcert doesn't work.

thanks!

omjadas commented 2 years ago

Hi,

I suspect you might be running into https://github.com/est31/rcgen/issues/59. If you are, there are two options to work around it:

  1. Use OpensslAuthority (requires the openssl-certs feature to be enabled and OpenSSL to be installed)
  2. Use rcgen to generate the CA cert (can be done with something akin to the following)

```rust
use rcgen::*;
use std::fs;

pub fn main() {
    let mut params = CertificateParams::default();
    let mut distinguished_name = DistinguishedName::new();

    // Subject of the CA certificate.
    distinguished_name.push(DnType::CommonName, "Hudsucker Industries");
    distinguished_name.push(DnType::OrganizationName, "Hudsucker Industries");
    distinguished_name.push(DnType::CountryName, "US");
    distinguished_name.push(DnType::StateOrProvinceName, "NY");
    distinguished_name.push(DnType::LocalityName, "NYC");

    params.distinguished_name = distinguished_name;
    // Mark the certificate as a CA and allow it to sign certificates and CRLs.
    params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
    params.key_usages = vec![
        KeyUsagePurpose::KeyCertSign,
        KeyUsagePurpose::CrlSign,
    ];

    // Generates a key pair and self-signs the certificate.
    let cert = Certificate::from_params(params).unwrap();
    let private_key = cert.serialize_private_key_pem();

    // Write the certificate and its private key as PEM files.
    fs::write("cert.pem", cert.serialize_pem().unwrap()).unwrap();
    fs::write("private.key", private_key).unwrap();
}
```

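
For option 1 the CA can come from the `openssl` command line instead of rcgen. The script below is an added example, not part of the original comment or the hudsucker project: it creates a CA, keeps the private key owner-only, and checks that the certificate is a signing CA whose public key matches the key file. It assumes `openssl` is on the PATH; the file names (`ca.cnf`, `ca.key`, `ca.pem`) and the subject are constructed.

```shell
#!/bin/sh
# Added example: file names and the subject below are constructed.
set -eu

# gen_ca DIR: write DIR/ca.key and DIR/ca.pem (self-signed CA certificate).
gen_ca() {
    dir=$1
    # Inline config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Proxy CA
O = Example
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # This key can sign a certificate for any host: create it owner-only.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" )
    chmod 600 "$dir/ca.key"
}

# check_ca CERT KEY: succeed only if CERT is a CA that may sign certificates
# and KEY is the private key belonging to it.
check_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh make_ca.sh OUTPUT_DIR
if [ $# -ge 1 ]; then
    gen_ca "$1"
    check_ca "$1/ca.pem" "$1/ca.key" && echo "CA written to $1"
fi
```

`check_ca` can also be pointed at a certificate and key produced by another tool before loading them into the proxy.
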
derust commented 2 years ago

Got it, thanks! It seems I should wait for the rustls ecosystem to be more mature to totally replace openssl.

omjadas commented 2 years ago

This should be fixed in v0.11.1, which bumps https://github.com/est31/rcgen to 0.9