18 releases (11 stable)

1.7.0 May 7, 2024
1.5.0 Apr 23, 2024
1.4.1 Mar 27, 2024
1.1.0 Dec 24, 2023
0.2.3 Nov 28, 2023

#88 in Cryptography

Download history 354999/week @ 2024-03-14 413136/week @ 2024-03-21 433925/week @ 2024-03-28 494399/week @ 2024-04-04 552715/week @ 2024-04-11 591529/week @ 2024-04-18 614908/week @ 2024-04-25 662895/week @ 2024-05-02 691097/week @ 2024-05-09 721839/week @ 2024-05-16 738326/week @ 2024-05-23 812009/week @ 2024-05-30 775940/week @ 2024-06-06 811957/week @ 2024-06-13 791645/week @ 2024-06-20 724272/week @ 2024-06-27

3,259,721 downloads per month
Used in 2,288 crates (99 directly)


1.5K SLoC


Build Status Documentation Chat

This crate provides types for representing X.509 certificates, keys and other types as commonly used in the rustls ecosystem. It is intended to be used by crates that need to work with such X.509 types, such as rustls, rustls-webpki, rustls-pemfile, and others.

Some of these crates used to define their own trivial wrappers around DER-encoded bytes. However, in order to avoid inconvenient dependency edges, these were all disconnected. By using a common low-level crate of types with long-term stable API, we hope to avoid the downsides of unnecessary dependency edges while providing interoperability between crates.


  • Interoperability between different crates in the rustls ecosystem
  • Long-term stable API
  • No dependencies
  • Support for no_std contexts, with optional support for alloc


Many of the types defined in this crate represent DER-encoded data. DER is a binary encoding of the ASN.1 format commonly used in web PKI specifications. It is a binary encoding, so it is relatively compact when stored in memory. However, as a binary format, it is not very easy to work with for humans and in contexts where binary data is inconvenient. For this reason, many tools and protocols use a ASCII-based encoding of DER, called PEM. In addition to the base64-encoded DER, PEM objects are delimited by header and footer lines which indicate the type of object contained in the PEM blob.

The rustls-pemfile crate can be used to parse PEM files.

Creating new certificates and keys

This crate does not provide any functionality for creating new certificates or keys. However, the rcgen crate can be used to create new certificates and keys.

Cloning private keys

This crate intentionally does not implement Clone on private key types in order to minimize the exposure of private key data in memory.

If you want to extend the lifetime of a PrivateKeyDer<'_>, consider PrivateKeyDer::clone_key(). Alternatively since these types are immutable, consider wrapping the PrivateKeyDer<'_> in a Rc or an Arc.