 

Unable to use self signed certificates with tokio-rustls

I'm trying to get the examples under https://github.com/quininer/tokio-rustls/tree/master/examples working. I am using a self-signed key/cert, generated using the openssl tool.

But the handshake fails with a webpki error: Error: Custom { kind: InvalidData, error: WebPKIError(CAUsedAsEndEntity) }. Found this related thread: https://github.com/briansmith/webpki/issues/114, but could not tell the current status of this issue.

We probably need to live with self signed certs for some time. Is there any workaround, or any other options here?

Thanks.

rusty asked Sep 13 '25 23:09


1 Answer

You probably used a CA certificate as a client certificate.

Create a CA:

openssl req -x509 -noenc -subj '/CN=example.com' -newkey rsa -keyout root.key -out root.crt

Create a certificate signing request (CSR):

openssl req -noenc -newkey rsa -keyout client.key -out client.csr -subj '/CN=example.com' -addext subjectAltName=DNS:example.com

Sign it using your CA:

openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -days 365 -out client.crt -copy_extensions copy

And then you use the certificate client.crt and the key client.key. And the client should trust your root.crt.

The addext and copy_extensions flags ensure that the generated key is X509v3, otherwise webpki will start complaining. And subjectAltName is required to prevent rustls from complaining.

LevitatingBusinessMan answered Sep 17 '25 00:09