Generate an EC private key for the root certificate:
# Root CA key: a new P-256 (prime256v1) private key, written to root.key.
# -noout leaves the curve-parameter block out of the output. No cipher
# option is given, so the key is stored without a passphrase.
openssl-1.1 ecparam \
  -genkey \
  -name prime256v1 \
  -noout \
  -out root.key
Create a root certificate signing request:
# Certificate signing request for the root, signed with root.key.
# -subj supplies the subject on the command line.
openssl-1.1 req -new \
  -subj "/CN=Root CA" \
  -key root.key \
  -out root.csr
Create a self-signed root certificate:
# Self-sign the root: the CSR is signed with the root's own key (-signkey)
# and the resulting certificate is valid for 365 days.
# NOTE(review): no -extfile is passed, so this command adds no X.509
# extensions (for example basicConstraints) to root.crt - confirm that the
# verifier in use accepts it as a trust anchor.
openssl-1.1 x509 -req \
  -days 365 \
  -signkey root.key \
  -in root.csr \
  -out root.crt
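Generate an EC private key for the localhost certificate (the files are named client.*, but the server is the one that uses them, as the steps below show):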
# Second P-256 key pair, stored without a passphrase. Although the file is
# called client.key, the steps below hand it to the server (--key client.key).
openssl-1.1 ecparam \
  -genkey \
  -name prime256v1 \
  -noout \
  -out client.key
Create a certificate signing request:
# Signing request for the localhost certificate; the subject CN is
# "localhost" and the request is signed with client.key.
openssl-1.1 req -new \
  -subj "/CN=localhost" \
  -key client.key \
  -out client.csr
Create an extensions file with the SAN DNS.1=localhost:
# Extension file for the localhost certificate: a single subjectAltName
# entry, DNS:localhost. An existing extensions.cnf is overwritten.
printf '%s\n' "subjectAltName = DNS:localhost" > extensions.cnf
Issue client.crt from the signing request, signed with the root key and certificate:
# Issue client.crt from the CSR, signed by the root (-CA / -CAkey), valid
# for 365 days, with the subjectAltName taken from extensions.cnf.
# -CAserial names the serial-number file; -CAcreateserial creates it when
# it does not exist yet.
openssl-1.1 x509 -req \
  -in client.csr \
  -CA root.crt \
  -CAkey root.key \
  -CAcreateserial \
  -CAserial serial \
  -extfile extensions.cnf \
  -days 365 \
  -out client.crt
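- Move client.crt and client.key to the server project.
- Move root.crt to the client project.

Neither project needs root.key; it stays where the certificates were issued, because anyone who holds it can issue certificates that the client will trust.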
Run the server:
# Start the server on port 8000 with the localhost key and certificate.
# Everything after `--` is passed to the program rather than to cargo; the
# trailing `echo` is a positional argument (presumably the server mode).
cargo r -- \
  --port 8000 \
  --verbose \
  --key client.key \
  --certs client.crt \
  echo
Run the client:
# Start the client against localhost:8000, giving it root.crt as the CA
# file (--cafile). Everything after `--` is passed to the program rather
# than to cargo.
cargo r -- \
  --port 8000 \
  --verbose \
  --cafile root.crt \
  localhost
Generate a client authentication certificate:
# Certificate for TLS client authentication, issued by the same root.
# NOTE(review): the run commands on this page do not pass client-auth.crt
# or client-auth.key to either program; how they are supplied is not shown.

# New P-256 key, stored without a passphrase.
openssl-1.1 ecparam \
  -genkey \
  -name prime256v1 \
  -noout \
  -out client-auth.key

# Signing request with the subject CN "Client Authentication".
openssl-1.1 req -new \
  -subj "/CN=Client Authentication" \
  -key client-auth.key \
  -out client-auth.csr

# Extension file: extendedKeyUsage restricts the certificate to clientAuth,
# and a subjectAltName of DNS:localhost is added as well. An existing
# client-auth.cnf is overwritten.
printf '%s\n' \
  "extendedKeyUsage = clientAuth" \
  "subjectAltName = DNS:localhost" > client-auth.cnf

# Issue the certificate, valid for 365 days, signed by the root. The
# `serial` file is shared with the earlier issuance; -CAcreateserial only
# creates it when it is missing.
openssl-1.1 x509 -req \
  -in client-auth.csr \
  -CA root.crt \
  -CAkey root.key \
  -CAcreateserial \
  -CAserial serial \
  -extfile client-auth.cnf \
  -days 365 \
  -out client-auth.crt