API is not very clear about how to sign one Certificate with another one.

[vi]

The only mention of signing new certificates I see is serialize_*_with_signer functions.

I am expected to serialize, then immediately deserialize certificate even though there is no intention to save it to file or transmit.

Documentation may be more clear about why signing and serialization are one step. I expected there be something like rcgen::Certificate::from_params_with_signer(params: CertificateParams, ca: &Certificate), so I can sign certificate, then serialize it if needed (or use somehow directly).

[est31]

PRs are welcome, and also open to discuss solutions.

[szguoxz]

This is interesting, are you saying we can't do it yet? I have tried the whole day without success!

[est31]

You can sign certificates with another one. The _with_signer functions are relevant here. You can grep the tests for uses of that function.
E.g.: https://docs.rs/rcgen/0.10.0/rcgen/struct.Certificate.html#method.serialize_der_with_signer

[cpu]

There's a new example for this in #174

I am expected to serialize, then immediately deserialize certificate even though there is no intention to save it to file or transmit.

I believe this is a fairly common API design. E.g. Golang's x509.CreateCertificate function does the same: combining a template and an issuer to create the DER serialization of a signed certificate.

We can leave this issue open if you have any improvements to suggest to the documentation to improve clarity.

[cpu]

I think the new example from #174 and the upcoming CLI tool are probably sufficient to close this. We can revisit if there are other suggestions to make the API clearer.