-
Notifications
You must be signed in to change notification settings - Fork 100
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
159 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| # Rcgen 0.12 to 0.13 Migration Guide | ||
|
|
||
| This document is a meant to be a helpful guide for some of the API changes made | ||
| between rcgen 0.12 and 0.13. For information on other changes in 0.13 see | ||
| [rcgen/CHANGELOG.md]. | ||
|
|
||
| ## Key Pairs | ||
|
|
||
| * Previously it was possible to have certificate generation automatically create | ||
| a subject `KeyPair` for you by leaving the `key_pair` field of | ||
| `CertificateParams` empty, and retrieving the generated `KeyPair` from | ||
| a `Certificate` created with the `CertificateParams` by calling | ||
| `Certificate::get_key_pair()`. | ||
|
|
||
| To offer more consistency and to keep the `CertificateParams` and `Certificate` | ||
| types from holding private key data, the new API requires you handle `KeyPair` | ||
| creation yourself. See `CertifiedKey`, `KeyPair::generate()`, | ||
| `KeyPair::generate_for()` and `KeyPair::generate_rsa_for()` for more information. | ||
|
|
||
| * Serializing a `Certificate`'s `KeyPair` to DER or PEM was previously done by | ||
| calling `Certificate::serialize_private_key_der()` or | ||
| `Certificate::serialize_private_key_pem()`. This is now handled by calling | ||
| `KeyPair::serialize_der()` or `KeyPair::serialize_pem()`. | ||
|
|
||
| ## Certificates | ||
|
|
||
| * For quick-and-easy self-signed certificate issuance, | ||
| `generate_simple_self_signed` now returns a `CertifiedKey` in the success case | ||
| instead of a `Certificate`. The self-signed `Certificate` can be accessed in | ||
| the `cert` field of `CertifiedKey`, and the generated subject key pair in | ||
| `key_pair`. | ||
|
|
||
| * Custom self-signed certificate issuance was previously done by | ||
| constructing `CertificateParams` and calling `Certificate::from_params()` to | ||
| create a `Certificate`. This is now done by calling | ||
| `CertificateParams::self_signed()`, providing a subject `KeyPair` of your | ||
| choosing. | ||
|
|
||
| * Custom certificate issuance signed by an issuer was previously done by | ||
| constructing `CertificateParams`, calling `Certificate::from_params()` and | ||
| then choosing the issuer at serialization time. This is now done ahead of | ||
| serialization by calling `CertificateParams::signed_by()` and providing | ||
| a subject `KeyPair` as well as an issuer `Certificate` and `KeyPair`. | ||
|
|
||
| * Previously certificate serialization was done by calling | ||
| `Certificate::serialize_der()`, `Certificate::serialize_pem()`, | ||
| `Certificate::serialize_der_with_signer()` or | ||
| `Certificate::serialize_pem_with_signer()`. Each time a serialization fn was | ||
| called a new certificate was issued, leading to confusion when it was desired | ||
| to serialize the same certificate in two formats. In the new API issuance is | ||
| handled by `CertificateParams` fns and the generated `Certificate` will not change | ||
| when serialized. You can serialize it to PEM by calling `Certificate::pem()`, | ||
| or access the DER encoding by calling `Certificate::der()`. | ||
|
|
||
| ## Certificate Signing Requests (CSRs) | ||
|
|
||
| * Previously it was only possible to create a new CSR by first issuing | ||
| a `Certificate` from `CertificateParams`, and calling | ||
| `Certificate::serialize_request_pem()` or | ||
| `Certificate::serialize_request_der()`. In the updated API you can create | ||
| a `CertificateSigningRequest` directly from `CertificateParams` by calling | ||
| `CertificateParams::serialize_request` and providing a subject `KeyPair`. You | ||
| may serialize the CSR to DER or PEM by calling | ||
| `CertificateSigningRequest::der()` or `CertificateSingingRequest::pem()`. | ||
|
|
||
| * To load a CSR from an existing PEM/DER copy with the old API required | ||
| calling `CertificateSingingRequest::from_pem()` or | ||
| `CertificateSigningRequest::from_der()`. The new API introduces | ||
| a `CertificateSingingRequestParams` type that can be created using | ||
| `CertificateSigningRequestParams::from_pem()` or | ||
| `CertificateSingingRequest::from_der()`. | ||
|
|
||
| * To issue a certificate from an existing CSR with the old API required calling | ||
| `CertificateSigningRequest::serialize_der_with_signer()` or | ||
| `CertificateSigningRequest::serialize_pem_with_signer(). In the new API, call | ||
| `CertificateSigningRequestParams::signed_by()` and provide an issuer | ||
| `Certificate` and `KeyPair`. | ||
|
|
||
| ## Certificate Revocation Lists (CRLs) | ||
|
|
||
| * Previously a `CertificateRevocationList` was created by calling | ||
| `CertificateRevocationList::from_params()`. This is now done by calling | ||
| `CertificateRevocationListParams::signed_by()` and providing an issuer | ||
| `Certificate` and `KeyPair`. | ||
|
|
||
| * Previously a created `CertificateRevocationList` could be serialized to DER or | ||
| PEM by calling `CertificateRevocationList::serialize_der_with_signer()` or | ||
| `CertificateRevocationList::serialize_pem_with_signer()`. This is now done by | ||
| calling `CertificateRevocationList::der()` or | ||
| `CertificateRevocationList::pem()`. |