issue_cert

Function issue_cert 

pub fn issue_cert(
    csr_pem: &str,
    signer: &dyn CaSigner,
    validity: Duration,
    now: DateTime<Utc>,
    agent_cn_suffix: &str,
) -> Result<(String, DateTime<Utc>)>

Issues an agent cert with the clientAuth EKU, the canonical CN agent-<machineId>.<suffix>, and a SAN dNSName=<CN> (rustls/webpki rejects CN-only certs). The CSR CN is read as the bare machineId. The caller validates the CSR-pubkey ↔ host-pubkey binding upstream.
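Because the CSR CN supplies the machineId and the resulting name is used as both CN and SAN dNSName, the following added example (not code from this crate) shows one way to build and validate that name before it is signed. `canonical_agent_name`, `NameError` and the lowercase-LDH restriction on machineId are assumptions; the page does not say whether `issue_cert` performs such checks.

```rust
// Hypothetical helper, not part of the documented crate: builds the
// canonical name agent-<machineId>.<suffix> used for both CN and SAN.
#[derive(Debug, PartialEq)]
pub enum NameError {
    BadMachineId,
    BadSuffix,
    TooLong,
}

// One DNS label (LDH rule): 1..=63 bytes of [a-z0-9-], no leading/trailing '-'.
// Lowercase-only is an assumption made for this example.
fn is_dns_label(s: &str) -> bool {
    let b = s.as_bytes();
    !b.is_empty()
        && b.len() <= 63
        && b[0] != b'-'
        && b[b.len() - 1] != b'-'
        && b.iter().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || *c == b'-')
}

pub fn canonical_agent_name(machine_id: &str, suffix: &str) -> Result<String, NameError> {
    // The CSR CN is requester-controlled: accept a single label only, so dots,
    // '*' or other non-LDH bytes are rejected before they reach the SAN.
    if !is_dns_label(machine_id) {
        return Err(NameError::BadMachineId);
    }
    if suffix.is_empty() || !suffix.split('.').all(is_dns_label) {
        return Err(NameError::BadSuffix);
    }
    let name = format!("agent-{}.{}", machine_id, suffix);
    // The first label is "agent-" + machineId and must fit in 63 bytes;
    // the X.520 commonName upper bound is 64 characters (RFC 5280).
    if machine_id.len() + "agent-".len() > 63 || name.len() > 64 {
        return Err(NameError::TooLong);
    }
    Ok(name)
}

fn main() {
    // Constructed sample inputs; the suffix is a placeholder.
    for id in ["a1b2c3", "x.other", "*", ""].iter() {
        println!("{:?} -> {:?}", id, canonical_agent_name(id, "agents.example.internal"));
    }
}
```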