← Week 5: PKI Architecture + Rust Integration

Day 33: Rust X.509 Tooling — rcgen, x509-parser, rustls internals

Phase 1 · June 15, 2026

Agenda (2–3 hours)

  • Read (30 min): rcgen README, examples and CertificateParams docs; x509-parser README
  • Study (30 min): How rustls validates certs internally
  • Practice (120 min): Build the Day 33 challenge (largest coding day of Phase 1)

rcgen: Certificate Generation

rcgen generates X.509 certificates in pure Rust, with no OpenSSL dependency.

use rcgen::{CertificateParams, DistinguishedName, DnType, KeyPair};

// SANs are passed to the constructor; CertificateParams::new returns a Result (rcgen 0.13 API)
let mut params = CertificateParams::new(vec!["api.example.com".to_string()])?;
params.distinguished_name = DistinguishedName::new();
params.distinguished_name.push(DnType::CommonName, "api.example.com");
params.not_after = rcgen::date_time_ymd(2026, 12, 31); // time::OffsetDateTime

// KeyPair::generate() uses the default algorithm, ECDSA P-256 with SHA-256
let key_pair = KeyPair::generate()?;
let cert = params.self_signed(&key_pair)?;

// Serialize
let pem = cert.pem(); // String
let der = cert.der(); // &CertificateDer

rcgen: Issuing a Cert from a CA

// CA cert (previously generated)
let ca_cert: rcgen::Certificate = ...;
let ca_key: rcgen::KeyPair = ...;

// Leaf cert params
let mut leaf_params = CertificateParams::new(vec!["leaf.example.com".to_string()])?;
leaf_params.is_ca = rcgen::IsCa::NoCa;

let leaf_key = KeyPair::generate()?;

// Sign with CA
let leaf_cert = leaf_params.signed_by(&leaf_key, &ca_cert, &ca_key)?;

x509-parser: Reading Certificates

use x509_parser::prelude::*;

// pem_bytes: &[u8] holding one PEM-encoded certificate (e.g. rcgen's cert.pem() as bytes)
let (_, pem) = parse_x509_pem(pem_bytes)?;
let (_, cert) = X509Certificate::from_der(&pem.contents)?;

println!("Subject: {}", cert.subject());
println!("Issuer: {}", cert.issuer());
println!("Serial: {}", cert.tbs_certificate.serial);
println!("Not Before: {}", cert.validity().not_before);

// Extensions: SAN is optional (Ok(None) if absent); the `?` surfaces a malformed extension
if let Some(sans) = cert.subject_alternative_name()? {
    for san in &sans.value.general_names {
        println!("SAN: {:?}", san);
    }
}

How rustls Validates Certificates

rustls uses webpki (now rustls-webpki) for certificate validation.

Key steps:

  1. Build a trust anchor store (RootCertStore)
  2. For each cert in the chain: verify signature using issuer's public key
  3. Check validity period, key usage, extended key usage
  4. Verify hostname matches SAN in end-entity cert
  5. Check OCSP/CRL if configured (rustls has an OCSP callback mechanism)

No automatic CRL/OCSP checking by default — your application must handle revocation.
For provisioning: you likely check revocation explicitly, not via rustls.

Challenge Assignment

Write a Rust program that:

  1. Uses rcgen to generate:
    • A CA certificate (with cA=TRUE, keyCertSign key usage)
    • A leaf TLS certificate signed by the CA (with SANs, serverAuth EKU)
    • A client certificate signed by the CA (with clientAuth EKU)
  2. Uses x509-parser to parse all three and print for each:
    • Subject DN, Issuer DN
    • cA flag from BasicConstraints
    • KeyUsage bits
    • ExtendedKeyUsage OIDs mapped to human names
  3. Verifies the leaf cert's AKI matches the CA cert's SKI (from Day 25 exercise)
  4. Attempts to use the leaf cert in a rustls ServerConfig — does it work?
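
Step 3 of the challenge at the DER level, as an added example that is not part of this page or of rcgen/x509-parser: a std-only walker that pulls the SubjectKeyIdentifier (2.5.29.14) and the AuthorityKeyIdentifier keyIdentifier (2.5.29.35) out of an Extensions SEQUENCE and compares them, the same data x509-parser hands you as ParsedExtension::SubjectKeyIdentifier / ParsedExtension::AuthorityKeyIdentifier. The DER bytes are constructed for the example, not taken from real certificates.

```rust
// Added std-only example, not rcgen/x509-parser code; the DER sample bytes at the bottom are constructed.
/// Split one DER TLV off `input`: (tag, value, rest). Handles short and long length forms.
fn tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first & 0x80 == 0 {
        (first as usize, rest)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 || rest.len() < n { return None; }
        (rest[..n].iter().fold(0, |acc, &b| (acc << 8) | b as usize), &rest[n..])
    };
    if rest.len() < len { return None; }
    Some((tag, &rest[..len], &rest[len..]))
}
const OID_SKI: &[u8] = &[0x55, 0x1d, 0x0e]; // 2.5.29.14 subjectKeyIdentifier
const OID_AKI: &[u8] = &[0x55, 0x1d, 0x23]; // 2.5.29.35 authorityKeyIdentifier

/// extnValue (inner OCTET STRING contents) of the extension identified by `oid`.
fn ext_value<'a>(exts: &'a [u8], oid: &[u8]) -> Option<&'a [u8]> {
    let (0x30, mut body, _) = tlv(exts)? else { return None };
    while !body.is_empty() {
        // Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        let (0x30, ext, rest) = tlv(body)? else { return None };
        body = rest;
        let (0x06, id, after) = tlv(ext)? else { return None };
        let after = match tlv(after)? { (0x01, _, r) => r, _ => after }; // skip `critical` if present
        let (0x04, octets, _) = tlv(after)? else { return None };
        if id == oid { return Some(octets); }
    }
    None
}
/// SubjectKeyIdentifier ::= OCTET STRING; AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier, .. }
fn subject_key_id(exts: &[u8]) -> Option<&[u8]> {
    match tlv(ext_value(exts, OID_SKI)?)? { (0x04, id, _) => Some(id), _ => None }
}
fn authority_key_id(exts: &[u8]) -> Option<&[u8]> {
    let (0x30, seq, _) = tlv(ext_value(exts, OID_AKI)?)? else { return None };
    match tlv(seq)? { (0x80, id, _) => Some(id), _ => None }
}
/// Challenge step 3: the leaf's AKI keyIdentifier must equal the issuing CA's SKI.
fn aki_matches_ski(leaf_exts: &[u8], ca_exts: &[u8]) -> bool {
    matches!((authority_key_id(leaf_exts), subject_key_id(ca_exts)), (Some(a), Some(s)) if a == s)
}
// Constructed: CA = critical BasicConstraints{cA=TRUE} + SKI 01020304; leaf = AKI keyIdentifier 01020304.
const CA_EXTS: &[u8] = &[0x30, 0x20, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
    0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x06, 0x04, 0x04, 0x01,
    0x02, 0x03, 0x04];
const LEAF_EXTS: &[u8] = &[0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x08, 0x30, 0x06,
    0x80, 0x04, 0x01, 0x02, 0x03, 0x04];
```

Feed the same functions the raw extension bytes of rcgen's output (x509-parser exposes them as `extnValue` on each extension) and the check from step 3 should hold for the leaf against the CA and fail for the CA against itself, which carries no AKI here.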

Resources

  • rcgen crate: docs.rs/rcgen
  • x509-parser crate: docs.rs/x509-parser
  • rustls source: src/verify.rs — ServerCertVerifier implementation
  • rustls-webpki: the underlying cert validation library