pub fn issue_certificate(
    csr_der: &[u8],
    profile: &EnrollmentProfile,
    ca_cert_der: &[u8],
    signing_key: CaSigningKey<'_>,
    hash_algorithm: &str,
) -> Result<IssuanceResult, IssuanceError>
Issue a certificate from a CSR.
Performs CA/B Forum compliance checks before signing:
- Key size minimums (RSA 2048+, ECDSA P-256+)
- Maximum validity period (398 days for public, 47 days from March 2029)
- Required extensions (AKI, SKI, Key Usage, Basic Constraints)
- Certificate Transparency SCT injection (when configured)
§Arguments
- csr_der - DER-encoded PKCS#10 Certificate Signing Request
- profile - Enrollment profile with constraints to apply
- ca_cert_der - DER-encoded CA certificate (for issuer DN and AKI)
- signing_key - CA signing key (PEM from disk or HSM-backed)
- hash_algorithm - Hash algorithm name (e.g. “sha256”)
§Returns
IssuanceResult on success with the DER-encoded certificate and metadata.
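
The pre-signing checks listed above (key size, validity cap, required extensions), sketched as a standalone policy function that reports every violation at once. This is an added example, not the crate's code: `Request`, `PublicKey`, `Violation`, `precheck`, `max_validity_days` and the extension labels are hypothetical, and the 47-day cap is assumed to apply from the start of March 2029.

```rust
// Hypothetical types for illustration; not the crate's own API.
#[derive(Debug, PartialEq)]
pub enum Violation {
    WeakKey,
    ValidityTooLong { days: u32, max: u32 },
    MissingExtension(&'static str),
}
pub enum PublicKey {
    Rsa { bits: u32 },
    EcdsaP { bits: u32 }, // NIST prime curve size: 256, 384, 521
}
pub struct Request<'a> {
    pub key: PublicKey,
    pub validity_days: u32,
    pub issued: (u32, u32), // (year, month) of issuance
    pub extensions: &'a [&'a str],
}
const REQUIRED: [&str; 4] = ["AKI", "SKI", "KeyUsage", "BasicConstraints"];

/// Validity cap for the issuance month; month-level cutover is an assumption.
pub fn max_validity_days(issued: (u32, u32)) -> u32 {
    if issued >= (2029, 3) { 47 } else { 398 }
}

/// Collect every violation instead of stopping at the first one.
pub fn precheck(req: &Request) -> Vec<Violation> {
    let mut out = Vec::new();
    let key_ok = match req.key {
        PublicKey::Rsa { bits } => bits >= 2048,
        PublicKey::EcdsaP { bits } => bits >= 256,
    };
    if !key_ok { out.push(Violation::WeakKey); }
    let max = max_validity_days(req.issued);
    if req.validity_days > max {
        out.push(Violation::ValidityTooLong { days: req.validity_days, max });
    }
    for name in REQUIRED {
        if !req.extensions.contains(&name) {
            out.push(Violation::MissingExtension(name));
        }
    }
    out
}
fn main() {
    // Constructed sample: a 398-day request issued after the assumed 2029 cutover.
    let exts = ["AKI", "SKI", "KeyUsage", "BasicConstraints"];
    let req = Request { key: PublicKey::Rsa { bits: 2048 }, validity_days: 398, issued: (2029, 3), extensions: &exts };
    println!("{:?}", precheck(&req));
}
```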