Module X509.CA

module CA: sig .. end

Certificate Authority operations


Signing

type signing_request 

The abstract type of a PKCS 10 certification request (self-signed, i.e. signed with the requester's own private key as proof of possession), with encoding and decoding to PEM.

type request_extensions = [ `Extensions of (bool * X509.Extension.t) list
| `Name of string
| `Password of string ]

The polymorphic variant of certificate request attributes, as defined in PKCS 9 (RFC 2985): `Extensions is extensionRequest (the X.509 extensions the requester would like in the certificate), `Name is unstructuredName and `Password is challengePassword.

type request_info = {
   subject : X509.distinguished_name;
   public_key : X509.public_key;
   extensions : request_extensions list;
}

The raw CertificationRequestInfo of a PKCS 10 certification request: the subject, the public key and the requested attributes.

val info : signing_request -> request_info

info signing_request is the X509.CA.request_info carried inside the X509.CA.signing_request: its subject, public key and request attributes.

val request : X509.distinguished_name ->
?digest:Nocrypto.Hash.hash ->
?extensions:request_extensions list ->
X509.private_key -> signing_request

request subject ~digest ~extensions private creates signing_request, a certification request for the given subject and list of request attributes, signed with private using digest (defaults to `SHA256). The public key embedded in the request is derived from private.

val sign : signing_request ->
valid_from:Ptime.t ->
valid_until:Ptime.t ->
?digest:Nocrypto.Hash.hash ->
?serial:Z.t ->
?extensions:(bool * X509.Extension.t) list ->
X509.private_key -> X509.distinguished_name -> X509.t

sign signing_request ~digest ~valid_from ~valid_until ~serial
      ~extensions private issuer
creates certificate, a signed X.509 certificate. The public key and subject are taken from the signing_request, and extensions are the X.509 v3 extensions written into the certificate. The private key is used to sign the certificate and issuer is recorded as its issuer name (for a self-signed certificate, private is the key the request was made with and issuer equals the request's subject). The digest defaults to `SHA256. The serial defaults to a random value between 1 and 2^64. The certificate version is always 3.

Please note that the `Extensions attribute of the signing_request is ignored: the requester's wishes never reach the certificate unless the CA passes them explicitly. This is deliberate, since a CA must decide which requested extensions it is willing to honour (for example, it should never copy a `Basic_constraints (true, _) or a `Key_usage containing `Key_cert_sign from a request it did not intend to issue a CA certificate for). If you do want the requested extensions, extract them with:

(* The requested extensions of a CSR, or [] if the request carries none. *)
match
  try Some (List.find (function `Extensions _ -> true | _ -> false) (info csr).extensions)
  with Not_found -> None
with
 | Some (`Extensions x) -> x
 | None -> []

and pass the (filtered) result as ~extensions.
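The following is an added, complete example of the request and sign operations documented above; it is not code from the x509 library or its documentation. It builds a self-signed root, creates a leaf certification request that asks both for a subject alternative name and (maliciously) for CA:TRUE, and issues the leaf certificate while copying only the SAN from the request. It assumes x509 0.6.x with Nocrypto, the nocrypto.unix package for RNG seeding, ptime.clock.os for the clock, and OCaml 4.05 or later for List.find_opt; the distinguished names, hostnames and validity periods are made up for illustration.

```ocaml
(* Added example, not part of the x509 library. Assumes x509 0.6.x, Nocrypto,
   nocrypto.unix, ptime.clock.os and OCaml >= 4.05. Names below are invented. *)

(* Seed Nocrypto's RNG; Rsa.generate and the random default serial need it. *)
let () = Nocrypto_entropy_unix.initialize ()

(* Validity window from now until [days] days ahead. *)
let validity days =
  let now = Ptime_clock.now () in
  match Ptime.add_span now (Ptime.Span.of_int_s (days * 24 * 60 * 60)) with
  | Some until -> (now, until)
  | None -> failwith "validity window out of range"

(* The only requested extensions this CA honours: subject alternative names.
   Basic_constraints, Key_usage and friends are CA policy and are set below,
   so a requester cannot obtain CA:TRUE or Key_cert_sign by asking for it. *)
let requested_sans (csr : X509.CA.signing_request) =
  let requested =
    match
      List.find_opt (function `Extensions _ -> true | _ -> false)
        (X509.CA.info csr).X509.CA.extensions
    with
    | Some (`Extensions exts) -> exts
    | _ -> []
  in
  List.filter (function _, `Subject_alt_name _ -> true | _ -> false) requested

(* Self-signed root: CA:TRUE with path length 0, key usage limited to
   signing certificates and CRLs. Issuer and subject are the same name. *)
let make_root dn key =
  let valid_from, valid_until = validity 3650 in
  let csr = X509.CA.request dn key in
  let extensions = [
    (true, `Basic_constraints (true, Some 0));
    (true, `Key_usage [ `Key_cert_sign; `CRL_sign ]);
  ] in
  X509.CA.sign csr ~valid_from ~valid_until ~extensions key dn

(* Leaf issuance: subject and public key come from the CSR, the extension set
   is CA policy plus the whitelisted SANs, the issuer is the root's name. *)
let issue_leaf ~ca_key ~ca_dn csr =
  let valid_from, valid_until = validity 90 in
  let extensions =
    (true, `Basic_constraints (false, None))
    :: (true, `Key_usage [ `Digital_signature; `Key_encipherment ])
    :: (false, `Ext_key_usage [ `Server_auth ])
    :: requested_sans csr
  in
  X509.CA.sign csr ~valid_from ~valid_until ~extensions ca_key ca_dn

let () =
  let ca_dn = [ `CN "Example Root CA"; `O "Example" ] in
  let ca_key = `RSA (Nocrypto.Rsa.generate 2048) in
  let root = make_root ca_dn ca_key in
  (* The requester asks for a SAN (honoured) and for CA:TRUE (dropped). *)
  let leaf_key = `RSA (Nocrypto.Rsa.generate 2048) in
  let csr =
    X509.CA.request [ `CN "www.example.org" ]
      ~extensions:[ `Extensions [
          (false, `Subject_alt_name [ `DNS "www.example.org"; `DNS "example.org" ]);
          (true, `Basic_constraints (true, None));
        ] ]
      leaf_key
  in
  let leaf = issue_leaf ~ca_key ~ca_dn csr in
  let pem c = Cstruct.to_string (X509.Encoding.Pem.Certificate.to_pem_cstruct1 c) in
  print_string (pem root);
  print_string (pem leaf)
```

Build with the x509, nocrypto, nocrypto.unix and ptime.clock.os libraries and pipe the output through a certificate dumper to confirm that the leaf carries the two DNS names but CA:FALSE, while the root carries CA:TRUE with Key_cert_sign. The whitelist in requested_sans is the part worth adapting: a real CA would additionally check each requested name against what the requester is authorised to hold before copying it.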