DeTLS is a command-line tool and Rust library for managing Ed25519-based X.509 certificates for mutual TLS (mTLS) authentication. It enables users to generate self-hosted HTTPS certificates using Solana-compatible Ed25519 keys.
- Ed25519 Key Management: Generate, import, export, and manage Ed25519 keypairs
- Encrypted Storage: Keys are encrypted with password-based encryption (Argon2 + AES-GCM)
- Certificate Generation: Create Root CA, Intermediate CA, and end-entity certificates
- Two-Level CA Hierarchy: Support for Root CA → Intermediate CA → End-entity certificate chains
- Pure Rust: Built with Rustls for TLS, no OpenSSL dependency
- Functional Design: Composable functions with comprehensive error handling
- CLI Interface: User-friendly command-line interface with interactive password prompts
The project is structured into several modules:
crypto/: Ed25519 operations and password-based encryptionstorage/: Encrypted keystore with alias managementcert/: X.509 certificate generation (Root CA, Intermediate CA, End-entity)net/: mTLS client configuration (foundation for future expansion)error: Comprehensive error types with no panics
cargo build --releaseThe binary will be available at target/release/detls.
Generate a new Ed25519 keypair:
detls key generate --alias my-keyImport an existing key (from hex):
detls key import --alias imported-key --hex-key "HEXADECIMAL_KEY_HERE"List all keys:
detls key listExport a key:
detls key export --alias my-key
# This will output the key in hexadecimal formatDelete a key:
detls key delete --alias my-keyCreate a Root CA certificate:
detls cert create-root \
--key-alias my-key \
--subject "CN=My Root CA,O=My Organization" \
--output root-ca.pem \
--validity-days 3650Create an Intermediate CA certificate:
detls cert create-intermediate \
--root-key root-key \
--root-cert root-ca.pem \
--key-alias inter-key \
--subject "CN=Intermediate CA,O=My Organization" \
--output intermediate-ca.pem \
--validity-days 1825Create an end-entity certificate (can use either Root CA or Intermediate CA for signing):
# Option A: Signed by Intermediate CA
detls cert create-entity \
--inter-key inter-key \
--inter-cert intermediate-ca.pem \
--key-alias entity-key \
--subject "CN=example.com,O=My Organization" \
--output entity.pem \
--validity-days 365
# Option B: Signed directly by Root CA
detls cert create-entity \
--inter-key root-key \
--inter-cert root-ca.pem \
--key-alias entity-key \
--subject "CN=example.com,O=My Organization" \
--output entity.pem \
--validity-days 365All commands support a --path flag to specify a custom keystore location:
detls key generate --alias my-key --path /path/to/keystoreDeTLS can also be used as a library:
use detls::crypto::ed25519::generate_ed25519_keypair;
use detls::cert::x509_signing::{create_self_signed_ca, sign_certificate};
use detls::storage::keystore::{create_keystore, import_key};
use std::path::Path;
fn main() -> detls::error::Result<()> {
// Generate keypairs
let root_keypair = generate_ed25519_keypair()?;
let client_keypair = generate_ed25519_keypair()?;
// Create/load keystore
let mut keystore = create_keystore(Path::new("."))?;
// Import keys with password
import_key(&mut keystore, "root".to_string(), &root_keypair.secret_bytes(), "password")?;
import_key(&mut keystore, "client".to_string(), &client_keypair.secret_bytes(), "password")?;
// Create a Root CA certificate (self-signed)
let root_ca_pem = create_self_signed_ca(&root_keypair, "CN=My Root CA", 365)?;
// Sign a client certificate with the Root CA
let client_cert_pem = sign_certificate(
&client_keypair,
"CN=Client 1",
&root_keypair,
&root_ca_pem,
false, // Not a CA
365,
)?;
println!("Root CA:\n{}", root_ca_pem);
println!("Client Certificate:\n{}", client_cert_pem);
Ok(())
}Run all tests:
cargo testRun tests for a specific module:
cargo test crypto::
cargo test storage::
cargo test cert::The project follows Rust best practices:
- No unwrap/panic: All functions return
Resulttypes - Comprehensive tests: Unit tests for all modules with >80% coverage
- Doc tests: Examples in documentation are tested
- Formatted: Code is formatted with
cargo fmt - Linted: Passes
cargo clippychecks
Run quality checks:
cargo fmt
cargo clippy
cargo testThe library architecture is designed to be WASM-compatible, using pure Rust implementations where possible. However, some dependencies (like ring used by Rustls) have C code that requires special handling for WASM compilation. For full WASM support, you may need to:
- Use alternative crypto backends (pure Rust implementations)
- Enable appropriate feature flags for WASM targets
- Use conditional compilation for platform-specific code
- Key Storage: Private keys are encrypted using Argon2 for key derivation and AES-256-GCM for encryption
- Password Security: Passwords are prompted interactively and never stored
- Ed25519: Uses the well-audited
ed25519-dalekcrate - No Panics: All error cases are handled gracefully
This project strictly follows Test-Driven Development (TDD):
- ✅ No Placeholder Code: All unimplemented features return explicit errors
- ✅ Tests First: Every feature has tests written before implementation
- ✅ No Panics: All functions return
Resulttypes with proper error handling - ✅ Comprehensive Testing: All 115 tests passing (82 unit + 8 integration + 25 doc tests)
For detailed API documentation, run cargo doc --open.
✅ Proper X.509 certificate signing implemented (using x509-cert)
Implementation: Added cert/x509_signing.rs module with full certificate chain signing support
Features:
- Root CA self-signing (standard PKI practice)
- Intermediate CA signed by Root CA
- End-entity certificates signed by any CA (Root or Intermediate)
- Proper issuer/subject relationships in certificate chains
- Compliant with enterprise PKI standards
Usage:
# 1. Generate keys for CA hierarchy
detls key generate --alias root-key
detls key generate --alias inter-key
detls key generate --alias client-key
# 2. Create Root CA (self-signed - standard practice)
detls cert create-root \
--key-alias root-key \
--subject "CN=My Root CA" \
--output root-ca.pem
# 3. Create Intermediate CA (signed by Root CA)
detls cert create-intermediate \
--key-alias inter-key \
--root-key root-key \
--root-cert root-ca.pem \
--subject "CN=Intermediate CA" \
--output inter-ca.pem
# 4. Create client certificate (signed by Intermediate CA)
detls cert create-entity \
--key-alias client-key \
--inter-key inter-key \
--inter-cert inter-ca.pem \
--subject "CN=Client 1" \
--output client.pemReason: ring (used by Rustls) contains C code
Workaround: Use wasm32-wasi target instead of wasm32-unknown-unknown, or make network module optional with feature flags
Following TDD Principles: All limitations are clearly documented and return appropriate errors. No placeholder implementations exist in the codebase.
This project follows strict Test-Driven Development (TDD) methodology:
- Tests First: All features have tests written before implementation
- No Placeholders: Unimplemented features return explicit errors, not fake "working" code
- Zero Panics: All library code returns
Resulttypes - no.unwrap()or.expect() - Functional Style: Pure functions composed to build complex behaviors
- Comprehensive Error Handling: Complete
DeTlsErrorenum covering all failure modes
# Build
cargo build --release
# Generate a key
cargo run --release -- key generate --alias my-key
# Create a Root CA certificate
cargo run --release -- cert create-root \
--key-alias my-key \
--subject "CN=My Root CA,O=My Org" \
--output root-ca.pem
# List all keys
cargo run --release -- key list
# Make an mTLS request
cargo run --release -- curl \
--url https://example.com \
--cert root-ca.pem \
--key-alias my-key \
--ca-cert root-ca.pemThis project follows standard open-source practices. Please add your preferred license.
Contributions are welcome! Please ensure:
- All tests pass
- Code is formatted (
cargo fmt) - No clippy warnings (
cargo clippy) - New features have tests and documentation