Rustls and pem files: possibility of hard coding?

I'm currently using rustls and rustls_pemfile like this:

let mut root_cert_store = rustls::RootCertStore::empty();
let mut pem = std::io::BufReader::new(std::fs::File::open("cert.pem").unwrap());
let certs = rustls_pemfile::certs(&mut pem).unwrap();
for cert in certs.into_iter().map(rustls::Certificate) {

let tls_config = rustls::ClientConfig::builder()

That .pem file was converted from a .crt downloaded from Digital Ocean, and converted using the following command:

openssl x509 -in ca-certificate.crt -out cert.pem -outform PEM

This is the only way to properly connect to a managed DO PostgreSQL instance. Unfortunately, I did not want to ship my binary with a .pem file, or deal with I/O at all. Is there an interface that would allow me to hardcode the PEM file as a string constant and send it to rustls?

include_bytes! can embed any file into the executable as a &'static [u8]. You can also write a build script to generate the file at compile time if you need to.

I'm not a crypto expert, so I can't speak to whether or not this is a good idea from a security perspective.


Neither am I, but if the PEM file contains private key data then it's a vulnerability waiting to be exploited.

If it only contains a public key on the other hand then it's perfectly fine, if a bit lacking in configurability eg for key updates.


Not an expert here either, but keep in mind that this is not encryption, only mild obfuscation at best. Like hiding your money in the cookie jar. A determined snooper can look for something that looks like the content of a pem file in your binary (you can try opening it with a hex editor), and it will be clear as day. A separate file or storage will at least let you switch it out if you need to, without having to compile again.


Thank you! This worked great. Also a neat feature to know. :slight_smile:

It's fine to include the private key as long as you treat the compiled binary as a secret