From 86658f978112c0f4271fb8957ab9da6c435ea5aa Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Mon, 25 Mar 2024 15:17:14 -0400 Subject: [PATCH] docs: update CHANGELOG for 0.13.0 --- rcgen/CHANGELOG.md | 94 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) diff --git a/rcgen/CHANGELOG.md b/rcgen/CHANGELOG.md index 560b3bca..d1542d98 100644 --- a/rcgen/CHANGELOG.md +++ b/rcgen/CHANGELOG.md 
@@ -1,6 +1,100 @@ # Changes +## Release 0.13.0 - March XX, 2024 + +Added: + +- Support has been added for specifying custom "other" OIDs in extended key + usage. Contributed by [Tudyx](https://github.com/tudyx). + +- Support has been added for Subject Alternative Name (SAN) names of type + `OtherName`. Contributed by [Tudyx](https://github.com/tudyx). + +- Support has been added for building rcgen _without_ cryptography by omitting + the new (default-enabled) `crypto` feature flag. Contributed by + [corrideat](https://github.com/corrideat). + +- RSA key generation support has been added. This support requires using the + `aws-lc-rs` feature. By default using `KeyPair::generate` with + an RSA `SignatureAlgorithm` will generate an RSA 2048 keypair. See + `KeyPair::generate_rsa_for` for support for RSA 2048, 3072 and 4096 key sizes. + +- Support for ECDSA P521 signatures and key generation has been added when using + the `aws-lc-rs` feature. Contributed by [Alvenix](https://github.com/alvenix). + +- Support for using `aws-lc-rs` in `fips` mode can now be activated by using the + `fips` feature in combination with the `aws-lc-rs` feature. Contributed by + [BiagioFesta](https://github.com/biagiofesta). + +- Support for loading private keys that may be PKCS8, PKCS1, or SEC1 has been + added when using the `aws-lc-rs` feature. See + `KeyPair::from_pem_and_sign_algo` and `KeyPair::from_der_and_sign_algo` for + more information. Contributed by [Alvenix](https://github.com/alvenix). + +- A small command-line tool for certificate generation (`rustls-cert-gen`) was + added. Contributed by [tbro](https://github.com/tbro). + +Breaking changes: + +- Throughout the API DER inputs are now represented using types from the Rustls + `pki-types` crate, e.g. `PrivateKeyDer`, `CertificateDer`, + `CertificateSigningRequestDer`. Contributed by + [Tudyx](https://github.com/tudyx). 
+ +- String types used in `SanType` and `DnValue` enums for non-UTF8 string types + have been replaced with more specific types that prevent representation of + illegal values. E.g. `Ia5String`, `BmpString`, `PrintableString`, + `TeletexString`, and `UniversalString`. Contributed by + [Tudyx](https://github.com/tudyx). + +- `KeyPair` generation has been separted from certificate issuance. The + `Certificate::get_key_pair`, `Certificate::serialize_private_key_der` and + `Certificate::serialize_private_key_pem` fns have been removed. The + `Certificate` and `CertificateParams` types now only holds public data. + Issuance APIs now expect to be given both a `Certificate` and a signing + `KeyPair`, and the caller must generate their own `KeyPair` up-front using + `KeyPair::generate`, `KeyPair::generate_for`, or `KeyPair::generate_rsa_for`. + +- `KeyPair::from_pem_and_sign_algo` has been renamed to + `KeyPair::from_pkcs8_pem_and_sign_algo` to emphasize the input DER should be + in PKCS8 format. + +- The issuance API has been restructured to better match user expectation and to + avoid regenerating data when encoding to both DER and PEM. + + Previously one created a `Certificate` with `Certificate::from_params`, and + serialized the `Certificate` with `Certificate::serialize_der`, + `Certificate::serialize_der_with_signer`, `Certificate::serialize_pem` and + `Certificate::serialize_pem_with_signer`. These functions have been removed. + + With the updated API you create a `Certificate` directly from + `CertificateParams` using `CertificateParams::self_signed` or + `CertificateParams::signed_by`. You can serialize the `Certificate` to PEM or + DER using `Certificate::der()` or `Certificate::pem`. + +- Certificate signing request creation and issuance has been reworked for + consistency with the updated API. + + Previously a CSR could be created from a `Certificate` using + `Certificate::serialize_request_der` or `Certificate::serialize_request_pem`. 
+ This is now done using `CertificateParams::serialize_request`. PEM/DER + serialization of the `CertificateSigningRequest` can be done with + `CertificateSigningRequest::der` or `CertificateSigningRequest::pem`. + + Previously issuance of a certificate from a CSR could be done using + `CertificateSigningRequest::serialize_der_with_signer` or + `CertificateSigningRequest::serialize_pem_with_signer`. This is now done using + `CertificateSigningRequestParams::signed_by`, and serialization to DER/PEM can + be done by calling `Certificate::pem` or `Certificate::der` on the resulting + `Certificate`. + +- Method names starting with `get_` have been renamed to match Rust convention: + `CertificateRevocationList::get_params` -> `params` + `Certificate::get_params` -> `params` + `Certificate::get_key_identifier` -> `Certificate::key_identifier` + `Certificate::get_times` -> `Certificate::times` + ## Release 0.12.1 - January 25th, 2024 - RFC 5280 specifies that a serial number must not be larger than 20 octets in
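Review bot: the new release heading still carries a placeholder date (`+## Release 0.13.0 - March XX, 2024`); fill in the actual day before tagging, since every other heading in this file (e.g. `## Release 0.12.1 - January 25th, 2024`) states a concrete date. Two wording slips in the "Breaking changes" section: "`KeyPair` generation has been separted from certificate issuance" should read "separated", and "The `Certificate` and `CertificateParams` types now only holds public data" should read "hold". Style points in the same section: the serialization sentence mixes `Certificate::der()` with `Certificate::pem` (drop the parentheses on the first or add them to the second for consistency with the rest of the changelog), and the final rename list (`CertificateRevocationList::get_params` -> `params` through `Certificate::get_times` -> `Certificate::times`) has no list markers, so Markdown will render those four lines as a single run-on paragraph; indent them as a nested `-` sub-list under the "Method names starting with `get_`" bullet. Also consider a comma after "Throughout the API" in the `pki-types` bullet for readability.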