rustls-native-certs allows rustls to use the platform's native certificate store when operating as a TLS client.
This is supported on Windows, macOS and Linux:
schannelcrate is used to access the Windows certificate store APIs.
security-frameworkcrate is used to access the keystore APIs.
openssl-probecrate is used to discover the filename of the system CA bundle.
rustls-native-certs is currently in development.
If you'd like to help out, please see CONTRIBUTING.md.
This library exposes a single function with this signature:
pub fn load_native_certs() -> Result<rustls::RootCertStore, (Option<rustls::RootCertStore>, std::io::Error)>
On success, this returns a
rustls::RootCertStore loaded with a snapshop of the root certificates found on this platform. This function fails in a platform-specific way, expressed in a
When an error is returned, optionally a
rustls::RootCertStore is also returned containing the certificates which could be loaded. This means callers can opt-in to “best-effort” behaviour even in the presence of invalid certificates.
This function can be expensive: on some platforms it involves loading and parsing a ~300KB disk file. It's therefore prudent to call this sparingly.
(Background: webpki-roots is a crate that compiles-in Mozilla's set of root certificates.)
This crate is preferable in many ways to webpki-roots. To sum up the pros and cons:
ca-certificatespackage on debian-based Linux distributions is poor. At the time of writing, this ships many certificates not included in the Mozilla set, either because they failed an audit and were withdrawn or were removed for mississuance.
rustls-native-certs is distributed under the following three licenses:
These are included as LICENSE-APACHE, LICENSE-MIT and LICENSE-ISC respectively. You may use this software under the terms of any of these licenses, at your option.