SYNOPSIS
- data = pki:getSelfSignedCertData(param)
- result = pki:saveSelfSignedCertFile(filename, param)
DESCRIPTION
Both forms generate a self-signed X.509 certificate for SSL/TLS use. A private key must have been generated or loaded into the object beforehand: the certificate carries that key's public half and is signed with the key itself, so no CA is involved.
The required table param fills the usual certificate data fields.
The subject may also be specified as a table of subject field names and their values.
See the X.509 specification (RFC 5280) for the supported subject fields. For a typical web server it is customary to set CN to the host name or IP address of the server. Note that modern TLS clients match the peer name against the subjectAltName extension and ignore CN, so a certificate identified only by CN may be rejected by them; treat the CN as a label, not as a guarantee of name matching.
The field hash selects the one-way hash function used to sign the certificate. The default is SHA256. Supported algorithms are: MD2, MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD160. Only the SHA-2 family (SHA224 and above) should be used for new certificates: MD2, MD4, MD5 and SHA1 are cryptographically broken for signatures, and current TLS clients refuse certificates signed with them.
The field format selects the output data format, PEM or DER. Default is PEM.
The field serial is copied into the certificate as the certificate serial number. When not given, a 64-bit value is generated by mixing the board serial number with the current date/time.
The fields not_before and not_after limit the validity of the certificate to a date range. The defaults are the current date/time for not_before and 30 years after it for not_after. Either field may be given as a date/time object or as a string in X.509 format (YYYYMMDDHHMMSS).
The usage map is a table of true/false keys that map directly to the mbedtls key-usage flags listed below; see the mbedtls documentation for details. For a TLS server certificate digital_signature (plus key_encipherment for an RSA key) is sufficient; set key_cert_sign or crl_sign only if the certificate is meant to act as a CA.

    key                 mbedtls flag
    digital_signature   MBEDTLS_X509_KU_DIGITAL_SIGNATURE
    non_repudiation     MBEDTLS_X509_KU_NON_REPUDIATION
    key_encipherment    MBEDTLS_X509_KU_KEY_ENCIPHERMENT
    data_encipherment   MBEDTLS_X509_KU_DATA_ENCIPHERMENT
    key_agreement       MBEDTLS_X509_KU_KEY_AGREEMENT
    key_cert_sign       MBEDTLS_X509_KU_KEY_CERT_SIGN
    crl_sign            MBEDTLS_X509_KU_CRL_SIGN
    encipher_only       MBEDTLS_X509_KU_ENCIPHER_ONLY
    decipher_only       MBEDTLS_X509_KU_DECIPHER_ONLY
The cert_type map is a table of true/false keys that map directly to the mbedtls Netscape certificate-type flags listed below; see the mbedtls documentation for details.

    key                 mbedtls flag
    ssl_client          MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT
    ssl_server          MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
    email               MBEDTLS_X509_NS_CERT_TYPE_EMAIL
    object_signing      MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING
    reserved            MBEDTLS_X509_NS_CERT_TYPE_RESERVED
    ssl_ca              MBEDTLS_X509_NS_CERT_TYPE_SSL_CA
    email_ca            MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA
    object_signing_ca   MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA
RETURN VALUE
On success, the first form returns the certificate as a string, while the second form writes the certificate to filename.
On error, both forms return three values: nil, a string describing the error, and the negative error code from the underlying mbed TLS implementation.
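EXAMPLE
The following Lua code is an added example and is not part of the original page or of the module's own source. It assembles a param table for a TLS server leaf certificate using the fields documented above, then calls either form and checks the three-value error return. It assumes that pki is an object of this module into which a private key has already been generated or loaded (the key functions are not covered on this page), that the subject table is keyed by X.509 attribute names (CN, O, C), and that the organisation name, validity period and file path are placeholders to be replaced.

```lua
-- Added example, not the module's own code. Assumptions are marked "assumed".

-- Build the param table for a TLS server leaf certificate valid for `days` days.
local function server_cert_params(host, days)
  local now = os.time()
  return {
    -- assumed: subject given as a table keyed by X.509 attribute names
    subject = { CN = host, O = "Example Lab", C = "US" },
    hash    = "SHA256",   -- keep the default; MD5/SHA1 signatures are rejected by modern clients
    format  = "PEM",
    -- X.509 validity strings, YYYYMMDDHHMMSS; the leading "!" makes os.date emit UTC
    not_before = os.date("!%Y%m%d%H%M%S", now),
    not_after  = os.date("!%Y%m%d%H%M%S", now + days * 86400),
    usage = {
      digital_signature = true,
      key_encipherment  = true,   -- RSA key transport; harmless for an EC key
      key_cert_sign     = false,  -- a leaf must not be able to sign other certificates
      crl_sign          = false,
    },
    cert_type = { ssl_server = true },
    -- serial omitted on purpose: the module derives one from the board serial and the clock
  }
end

-- Generate the certificate. With a filename the second form writes it to disk,
-- otherwise the first form returns the PEM string. Raises a Lua error on failure.
local function make_server_cert(pki, host, days, filename)
  local param = server_cert_params(host, days)
  local result, err, code
  if filename then
    result, err, code = pki:saveSelfSignedCertFile(filename, param)
  else
    result, err, code = pki:getSelfSignedCertData(param)
  end
  if result == nil then
    -- documented error shape: nil, message, negative mbed TLS error code
    error(string.format("self-signed certificate generation failed: %s (mbedtls %d)",
                        tostring(err), code or 0))
  end
  return result
end

-- usage (assumed host, lifetime and path):
-- local pem = make_server_cert(pki, "192.0.2.10", 398)
-- make_server_cert(pki, "192.0.2.10", 398, "/etc/ssl/server.crt")
```

Only one of the two forms is called per certificate: calling both with the same param would produce two distinct certificates, since the serial number is regenerated from the clock whenever serial is not supplied. The 398-day lifetime is an arbitrary value chosen to stay well under the 30-year default; the shorter the validity, the smaller the window in which a leaked key remains useful.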