Self-Signed Certificate Utilities
(require racket-self-signed-cert)
package: racket-self-signed-cert
This module provides utilities for generating a self-signed X.509 certificate together with a corresponding private key.
The implementation uses the openssl bindings distributed with Racket: the module relies on the OpenSSL library that ships with Racket and accesses it through Racket’s FFI.
The generated certificate and key are returned in PEM format and can be used directly with Racket networking libraries such as openssl or TLS-enabled servers.
1 OpenSSL Integration
The module dynamically integrates with the OpenSSL library that is present in the running Racket installation.
During initialization the module performs the following steps:
It detects the major version of the OpenSSL library available through Racket’s openssl bindings.
If OpenSSL version 3 is detected, the module raises an error because the required FFI bindings currently support only the OpenSSL 1.x API.
The module determines which native OpenSSL library must be loaded for FFI access. This allows the implementation to bind directly to the required cryptographic primitives.
Platform-specific loading of the native OpenSSL library is performed at runtime.
The implementation has been tested on the following platforms:
Windows
Linux
Other platforms may work provided that a compatible OpenSSL library is available through Racket.
2 Data Structures
struct
(struct self-signed-cert (private-key certificate)
        #:extra-constructor-name make-self-signed-cert)
  private-key : string?
  certificate : string?
Both fields contain PEM encoded text.
private-key — the RSA private key in PEM format.
certificate — the X.509 certificate in PEM format.
Instances of this structure are returned by generate-self-signed-cert.
3 Accessors
procedure
(private-key ssc) → string?
ssc : self-signed-cert?
The value is a PEM encoded RSA private key suitable for use with TLS libraries or for writing to disk.
procedure
(certificate ssc) → string?
ssc : self-signed-cert?
The value is a PEM encoded certificate.
This name is provided for situations where the API user prefers the term “X.509 certificate”.
4 Certificate Generation
procedure
(generate-self-signed-cert bits duration-in-days hosts country company) → self-signed-cert?
  bits : integer?
  duration-in-days : integer?
  hosts : (or/c is-ip? is-dns? list-of-hosts?)
  country : string?
  company : string?
The implementation uses the OpenSSL functionality provided through Racket’s openssl library.
4.1 Arguments
bits — size of the RSA key in bits (for example 2048 or 4096).
duration-in-days — number of days for which the certificate remains valid.
hosts — a host name, IP address, or a list of such values. These values are written into the certificate’s Subject Alternative Name extension.
country — value for the certificate subject’s C (country) attribute.
company — value for the certificate subject’s O (organization) attribute.
The first host in the list is used as the certificate’s Common Name (CN).
4.2 Result
Returns a self-signed-cert structure containing:
the private RSA key
the corresponding self-signed X.509 certificate
Both values are returned as PEM encoded strings.
4.3 Example
(define cert
  (generate-self-signed-cert 2048 365 '("localhost" "127.0.0.1" "*.local.lan") "NL" "Example Company"))
(private-key cert)
(certificate cert)
The returned values can be written to files or supplied directly to TLS-enabled servers.
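Racket’s openssl library loads keys and certificates from files, so the PEM strings have to touch disk before a TLS listener can use them. The following is an added example, not part of this package or its documentation: it assumes the package is installed and provides generate-self-signed-cert, private-key and certificate as described above; the helper name self-signed-cert->server-context and the port are chosen for the example.

```racket
#lang racket
;; Added example (not part of the racket-self-signed-cert package).
;; Assumes the package is installed and exports the procedures documented above.
(require racket-self-signed-cert
         openssl)

;; Write the PEM strings to temporary files, load them into an SSL server
;; context, and remove the files again so the private key does not linger on disk.
(define (self-signed-cert->server-context cert)
  (define key-path  (make-temporary-file "key-~a.pem"))
  (define cert-path (make-temporary-file "cert-~a.pem"))
  (dynamic-wind
    void
    (lambda ()
      ;; The private key is a secret: restrict the (still empty) file to the
      ;; owning user before writing it. Integer modes are Unix-only, so the
      ;; call is ignored if the platform rejects it.
      (with-handlers ([exn:fail? void])
        (file-or-directory-permissions key-path #o600))
      (with-output-to-file key-path #:exists 'truncate
        (lambda () (display (private-key cert))))
      (with-output-to-file cert-path #:exists 'truncate
        (lambda () (display (certificate cert))))
      (define ctx (ssl-make-server-context))
      (ssl-load-certificate-chain! ctx cert-path)
      (ssl-load-private-key! ctx key-path)
      ctx)
    (lambda ()
      ;; Clean up whether or not loading succeeded.
      (when (file-exists? key-path) (delete-file key-path))
      (when (file-exists? cert-path) (delete-file cert-path)))))

;; Constructed parameters: 2048-bit key, 30 days validity, local names only.
(define cert
  (generate-self-signed-cert 2048 30 '("localhost" "127.0.0.1") "NL" "Example Company"))
(define ctx (self-signed-cert->server-context cert))

;; Bind to loopback only; the context carries the generated key and certificate.
(define listener (ssl-listen 8443 5 #t "127.0.0.1" ctx))
(printf "TLS listener ready on 127.0.0.1:8443~n")
;; Blocks until one client connects, answers it, then shuts down.
(define-values (in out) (ssl-accept listener))
(display "hello over TLS\n" out)
(close-output-port out)
(close-input-port in)
(ssl-close listener)
```

A client connecting to the listener must be told to trust this certificate explicitly, since it is not signed by any CA the client already knows.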
5 Notes
This module relies on the OpenSSL library distributed with Racket and accessed through the openssl package.
Certificates are generated entirely in memory and returned as PEM strings.
The Subject Alternative Name (SAN) extension is automatically populated from the provided host names and IP addresses.