Struct DogtagClient

pub struct DogtagClient { /* private fields */ }

HTTP client for Dogtag CA REST API operations.

Wraps a reqwest::Client configured with mTLS agent credentials for authenticating to the Dogtag PKI REST API. All methods perform automatic retry on transient failures (HTTP 5xx and connection errors).

Construction

Use DogtagClient::new with a DogtagConfig to build a client. The agent certificate and key files are read during construction and the TLS identity is established once for the lifetime of the client.

Thread Safety

DogtagClient is Send + Sync and can be shared across async tasks via Arc<DogtagClient>.

Implementations

impl DogtagClient

pub async fn get_certificate(&self, serial: &str) -> DogtagResult<CertInfo>

Retrieve a single certificate by serial number.

Sends GET /ca/rest/certs/{serial}. The serial number should be the hex-encoded certificate serial (e.g., “0x1” or “1”).

pub async fn revoke_certificate(&self, serial: &str, reason: RevocationReason) -> DogtagResult<()>

Revoke a certificate by serial number.

Sends POST /ca/rest/agent/certs/{serial}/revoke with the specified revocation reason. Requires agent-level authentication (mTLS with an agent certificate).

The revocation reason code follows RFC 5280 §5.3.1.

pub async fn list_certificates(&self, filter: CertFilter) -> DogtagResult<Vec<CertInfo>>

List certificates matching the given filter.

Sends GET /ca/rest/certs with query parameters derived from the CertFilter. Supports pagination via start and size fields.

impl DogtagClient

pub fn new(config: &DogtagConfig) -> DogtagResult<Self>

Create a new Dogtag client from configuration.

Reads the agent certificate, key, and CA certificate files to configure mTLS. Returns an error if any file cannot be read or if the TLS identity cannot be constructed.

pub async fn health_check(&self) -> DogtagResult<bool>

Check Dogtag CA health by querying the info endpoint.

Sends GET /ca/rest/info and returns true if the CA responds with HTTP 200.

pub fn base_url(&self) -> &str

Return the base URL (for pool routing).

impl DogtagClient

pub async fn submit_cmc_request(&self, cmc_der: &[u8]) -> DogtagResult<Vec<u8>>

Submit a Full CMC request to Dogtag.

Sends POST /ca/ee/ca/profileSubmitCMCFull with the raw CMC request bytes (DER-encoded CMS/PKCS#7). Returns the CMC response bytes for direct relay to the EST client.

This is a pure passthrough: kipuka’s /fullcmc endpoint receives a CMC request from the EST client and forwards it to Dogtag without interpretation. The response is similarly relayed back.

Content Types
  • Request: application/pkcs7-mime (CMC request, DER)
  • Response: application/pkcs7-mime (CMC response, DER)

impl DogtagClient

pub async fn enroll_certificate(&self, csr_pem: &str, profile_id: &str) -> DogtagResult<EnrollResult>

Enroll a certificate using a PKCS#10 CSR and enrollment profile.

Sends POST /ca/rest/certrequests with the CSR embedded in the specified enrollment profile. The profile controls certificate extensions, key usage, validity period, and approval workflow.

Arguments
  • csr_pem - PEM-encoded PKCS#10 certificate signing request.
  • profile_id - Dogtag enrollment profile ID (e.g., “caServerCert”).

Returns

An EnrollResult containing the request ID, status, and the DER-encoded certificate if the profile uses auto-approval. If the profile requires agent approval, the status will be EnrollStatus::Pending and the certificate will be None.

pub async fn get_enrollment_status(&self, request_id: &str) -> DogtagResult<EnrollResult>

Poll the status of an enrollment request.

Sends GET /ca/rest/certrequests/{request_id} to check whether a pending enrollment has been approved or rejected. Used for EST Disconnected mode (RFC 7030 §4.4.2) where the CA requires out-of-band approval before issuing the certificate.
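The retry policy stated at the top of this page (only HTTP 5xx and connection errors are retried) and the Pending-then-poll flow of enroll_certificate / get_enrollment_status, modelled as an added, synchronous example that is not kipuka's own code. CaError, Enroll, retry_transient and await_approval are hypothetical names standing in for the crate's DogtagResult, EnrollResult and EnrollStatus, and the closures stand in for the real async HTTP calls.

```rust
use std::time::Duration;

/// Hypothetical error type: HTTP 5xx and connection errors are the transient
/// classes the client retries; anything else (e.g. 4xx) is returned at once.
#[derive(Debug, Clone, PartialEq)]
pub enum CaError { Http(u16), Connection(String) }

impl CaError {
    pub fn is_transient(&self) -> bool {
        match self {
            CaError::Http(status) => (500..600).contains(status),
            CaError::Connection(_) => true,
        }
    }
}

/// Stand-in for EnrollResult/EnrollStatus: Pending means the profile needs
/// agent approval, so no certificate is available yet.
#[derive(Debug, Clone, PartialEq)]
pub enum Enroll { Pending, Complete(Vec<u8>), Rejected }

/// Run `op`, retrying only transient errors with exponential backoff and a
/// hard cap on attempts, so a persistently failing CA cannot stall the caller.
pub fn retry_transient<T>(max_attempts: u32, base_delay: Duration, mut op: impl FnMut() -> Result<T, CaError>) -> Result<T, CaError> {
    let mut attempt = 0;
    loop {
        match op() {
            Ok(v) => return Ok(v),
            Err(e) if e.is_transient() && attempt + 1 < max_attempts => {
                attempt += 1;
                // base * 2^(attempt-1), capped so the shift cannot overflow
                std::thread::sleep(base_delay * (1u32 << (attempt - 1).min(10)));
            }
            Err(e) => return Err(e),
        }
    }
}

/// EST disconnected mode: poll a Pending request (as get_enrollment_status
/// would) until the CA issues or rejects, giving up after `max_polls` rounds.
pub fn await_approval(max_polls: u32, mut poll: impl FnMut() -> Result<Enroll, CaError>) -> Result<Enroll, CaError> {
    for _ in 0..max_polls {
        match retry_transient(3, Duration::ZERO, &mut poll)? {
            Enroll::Pending => continue,
            done => return Ok(done),
        }
    }
    Ok(Enroll::Pending) // still pending after max_polls; the caller decides how to report it
}
```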

impl DogtagClient

pub async fn list_profiles(&self) -> DogtagResult<Vec<ProfileInfo>>

List all enrollment profiles.

Sends GET /ca/rest/profiles and returns summary information for each profile. Only enabled and visible profiles are typically relevant for EST enrollment.

pub async fn get_profile(&self, id: &str) -> DogtagResult<ProfileDetail>

Get detailed profile definition by ID.

Sends GET /ca/rest/profiles/{id} and returns the full profile definition including policy sets, constraints, and defaults.

pub async fn get_profile_constraints(&self, id: &str) -> DogtagResult<ProfileConstraints>

Extract CSR-relevant constraints from a profile.

Parses the profile’s policy sets to extract key type constraints, key usage extensions, and subject DN requirements. The returned ProfileConstraints can be translated into EST CSR attributes for the /csrattrs endpoint.
