Rcgen 0.12 to 0.13 Migration Guide

This document is meant to be a helpful guide for some of the API changes made between rcgen 0.12 and 0.13. For information on other changes in 0.13 see [rcgen/CHANGELOG.md].

Key Pairs

  • Previously it was possible to have certificate generation automatically create a subject KeyPair for you by leaving the key_pair field of CertificateParams empty, and retrieving the generated KeyPair from a Certificate created with the CertificateParams by calling Certificate::get_key_pair().

    To offer more consistency and to keep the CertificateParams and Certificate types from holding private key data, the new API requires you handle KeyPair creation yourself. See CertifiedKey, KeyPair::generate(), KeyPair::generate_for() and KeyPair::generate_rsa_for() for more information.

  • Serializing a Certificate's KeyPair to DER or PEM was previously done by calling Certificate::serialize_private_key_der() or Certificate::serialize_private_key_pem(). This is now handled by calling KeyPair::serialize_der() or KeyPair::serialize_pem().

Certificates

  • For quick-and-easy self-signed certificate issuance, generate_simple_self_signed now returns a CertifiedKey in the success case instead of a Certificate. The self-signed Certificate can be accessed in the cert field of CertifiedKey, and the generated subject key pair in key_pair.

  • Custom self-signed certificate issuance was previously done by constructing CertificateParams and calling Certificate::from_params() to create a Certificate. This is now done by calling CertificateParams::self_signed(), providing a subject KeyPair of your choosing.

  • Custom certificate issuance signed by an issuer was previously done by constructing CertificateParams, calling Certificate::from_params() and then choosing the issuer at serialization time. This is now done ahead of serialization by calling CertificateParams::signed_by() and providing a subject KeyPair as well as an issuer Certificate and KeyPair.

  • Previously certificate serialization was done by calling Certificate::serialize_der(), Certificate::serialize_pem(), Certificate::serialize_der_with_signer() or Certificate::serialize_pem_with_signer(). Each time a serialization fn was called a new certificate was issued, leading to confusion when it was desired to serialize the same certificate in two formats. In the new API issuance is handled by CertificateParams fns and the generated Certificate will not change when serialized. You can serialize it to PEM by calling Certificate::pem(), or access the DER encoding by calling Certificate::der().

Certificate Signing Requests (CSRs)

  • Previously it was only possible to create a new CSR by first issuing a Certificate from CertificateParams, and calling Certificate::serialize_request_pem() or Certificate::serialize_request_der(). In the updated API you can create a CertificateSigningRequest directly from CertificateParams by calling CertificateParams::serialize_request() and providing a subject KeyPair. You may serialize the CSR to DER or PEM by calling CertificateSigningRequest::der() or CertificateSigningRequest::pem().

  • Loading a CSR from an existing PEM/DER copy with the old API required calling CertificateSigningRequest::from_pem() or CertificateSigningRequest::from_der(). The new API introduces a CertificateSigningRequestParams type that can be created using CertificateSigningRequestParams::from_pem() or CertificateSigningRequestParams::from_der().

  • Issuing a certificate from an existing CSR with the old API required calling CertificateSigningRequest::serialize_der_with_signer() or CertificateSigningRequest::serialize_pem_with_signer(). In the new API, call CertificateSigningRequestParams::signed_by() and provide an issuer Certificate and KeyPair.

Certificate Revocation Lists (CRLs)

  • Previously a CertificateRevocationList was created by calling CertificateRevocationList::from_params(). This is now done by calling CertificateRevocationListParams::signed_by() and providing an issuer Certificate and KeyPair.

  • Previously a created CertificateRevocationList could be serialized to DER or PEM by calling CertificateRevocationList::serialize_der_with_signer() or CertificateRevocationList::serialize_pem_with_signer(). This is now done by calling CertificateRevocationList::der() or CertificateRevocationList::pem().
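
As a migration aid, the sketch below scans Rust source text for the 0.12 calls this guide lists as replaced and reports the 0.13 call to use instead. It is an added example, not part of rcgen or of the original guide; `find_legacy_calls`, `REMOVED` and the sample input are hypothetical names, and it uses only the standard library.

```rust
// Added example (not rcgen code): flag rcgen 0.12 calls that the guide says were replaced in 0.13.
// Plain `serialize_der(` / `serialize_pem(` are deliberately NOT flagged by name, because
// KeyPair::serialize_der() and KeyPair::serialize_pem() are valid 0.13 calls.

/// (removed 0.12 call, replacement named in the guide)
const REMOVED: &[(&str, &str)] = &[
    ("get_key_pair(", "create the KeyPair yourself, e.g. KeyPair::generate()"),
    ("serialize_private_key_der(", "KeyPair::serialize_der()"),
    ("serialize_private_key_pem(", "KeyPair::serialize_pem()"),
    ("Certificate::from_params(", "CertificateParams::self_signed() or signed_by()"),
    ("CertificateRevocationList::from_params(", "CertificateRevocationListParams::signed_by()"),
    ("serialize_der_with_signer(", "the matching *Params::signed_by(), then der()"),
    ("serialize_pem_with_signer(", "the matching *Params::signed_by(), then pem()"),
    ("serialize_request_der(", "CertificateParams::serialize_request(), then der()"),
    ("serialize_request_pem(", "CertificateParams::serialize_request(), then pem()"),
];

/// Returns (1-based line number, removed call, replacement) for every hit.
/// Text after `//` is ignored so migration notes left in comments are not reported
/// (a simplification: a `//` inside a string literal also cuts the line).
pub fn find_legacy_calls(src: &str) -> Vec<(usize, &'static str, &'static str)> {
    let mut hits = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        let code = line.split("//").next().unwrap_or("");
        for &(old, new) in REMOVED {
            if code.contains(old) {
                hits.push((idx + 1, old.trim_end_matches('('), new));
            }
        }
    }
    hits
}

// Constructed sample of 0.12-era code (not taken from any real project).
pub const SAMPLE: &str = r#"
let cert = Certificate::from_params(params)?;
let key_pem = cert.serialize_private_key_pem();
let leaf_pem = cert.serialize_pem_with_signer(&ca)?;
// old: cert.get_key_pair()
let key_der = key_pair.serialize_der();
"#;

fn main() {
    for (line, old, new) in find_legacy_calls(SAMPLE) {
        println!("line {}: {} -> {}", line, old, new);
    }
}
```

Hits on `serialize_private_key_*` and `get_key_pair` mark the places where private key material used to travel inside a Certificate, so the key handling around them deserves review during the migration.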