Create and sign x509 certificates


I’m planning to build an open source project with Rust (coming from C++/Python). One important point is TLS connections between multiple clients.
The basic environment is:

  • Each user has a unique x509 certificate
  • Each user has multiple devices
  • Each device creates an x509 certificate, signed by the user certificate
  • Each device accepts connections from other devices if:
    • the device sends a device certificate
    • the device certificate is signed by a user certificate
    • the user certificate is known and trusted by the local user

For this, I want to use rustls and mio to implement the TLS communication. But I have not found a resource/documentation on how to:

  • Create x509 certificates with rustls/ring/webpki
  • Sign an x509 certificate with rustls/ring/webpki
  • Customize the client certificate validation

Could someone provide me a little help with these topics?

Also, I’m not sure if rustls/webpki fits my requirements. There are two statements in the rustls documentation which confuse me:

“You do not need to provide anything other than a set of root certificates to trust. Certificate verification cannot be turned off or disabled in the main API.”

I don’t use/need root certificates.

“You need to provide the server’s hostname so we know what to expect to find in the server’s certificate.”

I don’t work with hostnames. The devices announce themselves via UDP multicast in a LAN with their IP addresses and user/device IDs.

I have not figured out if rustls and webpki work without a root certificate store and plain IP addresses instead of hostnames.

Target platforms are Win/Linux/Mac/Android, later iOS.

PS: As I just started with Rust a few days ago, please be a little more verbose in an answer :wink:
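The certificate layout described in the post, sketched with the `openssl` command line rather than rustls (an added example, not part of the original post): each user certificate acts as a small CA for that user's devices, and a device is accepted only if its certificate chains to a user certificate the local side trusts. The names `alice`, `mallory`, `laptop`, the address 192.0.2.10 and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# User certificate = per-user CA; device certificates are leaf certs signed by it.
# All names and the IP address are constructed sample values.
set -eu

write_config() {   # $1 = working directory
cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[user_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign
[device]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = IP:192.0.2.10
EOF
}
new_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }
make_user() {      # $1 = directory, $2 = user name; self-signed, CA:TRUE so it may sign devices
    new_key "$1/$2.key"
    openssl req -new -x509 -config "$1/ext.cnf" -extensions user_ca \
        -key "$1/$2.key" -subj "/CN=$2" -days 365 -out "$1/$2.pem"
}
make_device() {    # $1 = directory, $2 = signing user, $3 = device name; pathlen:0 above stops sub-CAs
    new_key "$1/$3.key"
    openssl req -new -config "$1/ext.cnf" -key "$1/$3.key" -subj "/CN=$2-$3" -out "$1/$3.csr"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/ext.cnf" -extensions device -days 90 -out "$1/$3.pem" 2>/dev/null
}
# Acceptance rule from the post: the device cert must chain to a locally trusted user cert.
accepts() {        # $1 = trusted user cert, $2 = presented device cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
demo() {
    d=$(mktemp -d)
    write_config "$d"
    make_user "$d" alice; make_user "$d" mallory
    make_device "$d" alice laptop
    accepts "$d/alice.pem" "$d/laptop.pem" && echo "trusted user: accepted"
    accepts "$d/mallory.pem" "$d/laptop.pem" || echo "unknown user: rejected"
    rm -rf "$d"
}
demo
```

In this layout the set of trusted user certificates plays the role of the root store, so a validator that only accepts "a set of root certificates to trust" can be fed the user certificates directly.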