Struct CaConfig 

pub struct CaConfig {

    pub id: String,
    pub is_default: bool,
    pub key_file: String,
    pub cert_file: String,
    pub key_type: String,
    pub pkcs11_uri: Option<String>,
    pub validity_days: u32,
    pub hash_algorithm: String,
    pub crl_url: Option<String>,
    pub ocsp_url: Option<String>,
    pub common_name: String,
    pub organization: String,
    pub crl_lifetime_secs: u64,
    pub cab_forum_compliant: bool,
}

[[ca]] section — per-CA key material and issuance policy.

Multiple CAs are supported via the TOML array-of-tables syntax:

[[ca]]
id = "production"
is_default = true
key_file = "/etc/kipuka/ca-prod.key"
cert_file = "/etc/kipuka/ca-prod.crt"

[[ca]]
id = "dev"
key_file = "/etc/kipuka/ca-dev.key"
cert_file = "/etc/kipuka/ca-dev.crt"
validity_days = 30

Fields

id: String

Unique identifier for this CA.

Used in EST label configurations to route enrollment requests to the appropriate CA. Must match ^[a-z0-9][a-z0-9_-]*$ and be at most 64 characters.

is_default: bool

Whether this CA is the default for EST labels that do not specify a ca_id. Exactly one CA must be marked as default when multiple CAs are configured.

key_file: String

Path to the CA private key in PEM format.

Mutually exclusive with pkcs11_uri: when pkcs11_uri is set, the key is accessed via the HSM and this field is ignored.

cert_file: String

Path to the CA certificate (or chain) in PEM format.

The file should contain the CA’s end-entity certificate first, followed by any intermediates up to (but not including) the root.

key_type: String

Key type for CA key generation (used only when key_file does not exist and auto-generation is requested).

Supported values:

Classical:

• "rsa:2048", "rsa:3072", "rsa:4096"
• "ec:P-256", "ec:P-384", "ec:P-521"
• "ed25519"

Post-Quantum (FIPS 204 — ML-DSA standalone):

• "ml-dsa-44" (NIST Security Level 2, ~2.5 KB sig)
• "ml-dsa-65" (NIST Security Level 3, ~3.3 KB sig)
• "ml-dsa-87" (NIST Security Level 5, ~4.6 KB sig)

Composite (draft-ietf-lamps-pq-composite-sigs-19):

• "ml-dsa-44-with-rsa-2048", "ml-dsa-44-with-rsa-3072"
• "ml-dsa-44-with-ec-P-256"
• "ml-dsa-65-with-ec-P-384"
• "ml-dsa-65-with-rsa-3072", "ml-dsa-65-with-rsa-4096"
• "ml-dsa-87-with-ec-P-384"
• "ml-dsa-87-with-ed448"

Default: "ec:P-256".

pkcs11_uri: Option<String>

PKCS#11 URI for HSM-backed CA key.

When set, the CA private key is accessed via the configured HSM ([hsm] section) instead of reading key_file from disk.

Example: "pkcs11:token=kipuka;object=ca-key;type=private"

validity_days: u32

Default validity period for issued end-entity certificates (days).

CA/B Forum BR §6.3.2 limits publicly-trusted certificates to 398 days (roughly 13 months). Private CAs may use longer periods.

Default: 365 days.

hash_algorithm: String

Hash algorithm for certificate and CRL signing.

Supported: "sha256", "sha384", "sha512". Default: "sha256".

crl_url: Option<String>

CRL distribution point URL embedded in issued certificates.

ocsp_url: Option<String>

OCSP responder URL embedded in issued certificates.

common_name: String

Subject Common Name for auto-generated CA certificates.

organization: String

Subject Organization for auto-generated CA certificates.

crl_lifetime_secs: u64

CRL validity period in seconds.

Determines the nextUpdate field in generated CRLs. Default: 86400 (24 hours).

cab_forum_compliant: bool

CA/B Forum compliance mode.

When true, the server enforces:

• Maximum 398-day end-entity certificate validity
• Required key usage and extended key usage extensions
• Minimum RSA 2048-bit key size in CSRs

Implementations

impl CaConfig

pub fn is_hsm_backed(&self) -> bool

Returns true when this CA uses an HSM-backed key via PKCS#11.

Trait Implementations

impl Clone for CaConfig

fn clone(&self) -> CaConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for CaConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for CaConfig

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.