-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add example of generating a cert chain #174
Conversation
6089be4
to
c5e20fe
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems unfortunate that this doesn't show off the use of a CSR (mainly in order to show off how this can be done with the CA's key sitting in another process).
(I'll just link my old example here again: https://github.com/djc/sign-cert-remote/blob/main/src/main.rs.)
I didn't see this example before. What I have done for now is add a comment to the top of the example that links to your more complete example. The only advantage I see of the one in this PR is simplicity. So it seems reasonable to me to have this very simple example here but have the obvious link to the more complete example. If your preference is to copy your example in to this repo as an example, I can replace the example already in the PR with that one. I can also see that this PR might be superfluous given that the more complete example already exists. The rest of the comments on the PR have been addressed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR!
I'm interested in moving rcgen
towards generating more realistic and standards compliant certificates by default (in particular, following the guidance set by the CA/Browser forum since it dictates the direction of the most important TLS ecosystem).
I haven't started on updating any rcgen defaults to follow this model, but in the meantime I think making the examples do so would be a good first step. As the defaults in the library improve the example code can be trimmed down.
As a result of this larger goal most of my feedback is related to ways to make the example produce more complaint certificates. The base code looks good otherwise :-)
@cpu I have added the parameters to comply with standards. @djc I basically copied the same structure from your other example in order to bring in the CSR logic. Unfortunately, |
Thanks!
I think that will be resolved w/ #164 - right now not every extension that can be created from
That makes sense to me. We can extend the example when the CSR limitation is addressed by #164 (or another PR). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the iterations,
tbro requested review from cpu and djc 32 minutes ago
Here's some initial feedback, but I think the build failures in CI are also true positives to work through.
examples/sign-leaf-with-ca.rs
Outdated
println!("ca certificate:"); | ||
let pem = ca.certificate.serialize_pem().unwrap(); | ||
|
||
println!("{}", pem); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same feedback here RE: re-arranging for one println!
.
If you keep the separate println!
's I think this second instance should use an in-line var like println!("{pem}")
for consistency with L19.
I also think ca_cert_pem
might be a better name for the var as opposed to pem
.
examples/sign-leaf-with-ca.rs
Outdated
params | ||
.subject_alt_names | ||
.push(rcgen::SanType::DnsName(name.into())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because you gave the same nam
to the CertificateParams
constructor this is actually adding a second instance of the same domain name to the SAN extension. We'll want to avoid that. Probably deleting this explicit subject_alt_names.push
is the best bet 👍
I addressed your comments and builds seems to be passing now. |
Sorry for getting so late to the discussion. First a general point: I must say that I disagree with the opinion of @cpu to generally move rcgen to conform by CA/Browser forum rules. Yes, they are made by the professionals in the CA industry, those who issue certificates as a paid service. And it is valuable to have these rules apply to most TLS certificates you use to connect to random web services. But it feels to me that most users of rcgen are not the "professionals", so they don't really need to conform by these rules. And in my opinion, the professional's rules are quite harmful for users.
To me, it feels that the CA/Browser forum rules are mostly relevant if you are either a member of that forum, or if you otherwise want to create certificates that are trusted by browsers by default. I don't think most users of rcgen are/want to do either, and I built rcgen to serve their needs (which was also my need). The big browsers don't enforce most of these rules, at least for locally trusted certificates. For trusted-by-default certificates, it's a different thing, which is again fine and a good idea. But locally trusted certificates don't need this info, you know already that they have local trust. I am in favour of adding a "CA/Browser Forum compliance" mode which enables the appropriate extensions for various scenarios, it could e.g. be different constructors of Now to the specific point. I think it's fine to have one or two examples that create CA/Browser Forum compliant certificates, just to show users who need it (they should be in a minority) how it's done. But I don't think we should use it in all examples, or even a majority. |
@est31 Fair, but I don't want to side-track this PR arguing my perspective. It sounds like it would be an uphill battle in either case.
For what its worth I think this is a strong argument for why opinionated defaults are in order.
It sounds like the changes I suggested are fine for the example at hand? If not I think it would be helpful to the OP if you leave some specific suggestions about what needs to change to land this example. |
I do think I agree that getting this example to go through the CA/B hoops might not be worth it/increases scope too much for this PR, especially if we're planning to offer an API in the library that handles these details for you (so that we can then remove the code in this example again). In general, it would be great if we can facilitate all three use cases:
Which seems feasible enough to me? For example, we could offer CA/B forum defaults, but under a specific API (like |
The changes I requested have already been made and don't seem to increase the scope by much to me. It's a handful of small changes. I think we should defer discussion of future API changes to a separate issue and focus on providing actionable feedback to the contributor. If there are parts of the work that are out of scope, let's suggest changes to bring it in-scope. |
Sorry for the off-topic discussion. I am approving this PR. |
Fair enough, sorry! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! Sorry that some of my feedback ended up being controversial 😓
Generate two certificates and sign the second with the first.
a75cbc3
to
aa2caf9
Compare
Generate two certificates and sign the second with the first. Addresses #79 and #89.