UNPKG

selfsigned

Version:

Generate self signed certificates private and public keys

github.com/jfromaniello/selfsigned

jfromaniello/selfsigned

277 lines (262 loc) 6.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
declare enum ASN1Class { UNIVERSAL = 0x00, APPLICATION = 0x40, CONTEXT_SPECIFIC = 0x80, PRIVATE = 0xc0, } interface CertificateFieldOptions { name?: string | undefined; type?: string | undefined; shortName?: string | undefined; } interface CertificateField extends CertificateFieldOptions { valueConstructed?: boolean | undefined; valueTagClass?: ASN1Class | undefined; value?: any[] | string | undefined; extensions?: any[] | undefined; } /** * Subject Alternative Name entry types: * - 1: email (rfc822Name) * - 2: DNS name * - 6: URI * - 7: IP address */ declare interface SubjectAltNameEntry { /** * Type of the alternative name: * - 1: email (rfc822Name) * - 2: DNS name * - 6: URI * - 7: IP address */ type: 1 | 2 | 6 | 7; /** Value for types 1, 2, 6 (email, DNS, URI) */ value?: string; /** IP address for type 7 (IPv4 or IPv6) */ ip?: string; } declare interface BasicConstraintsExtension { name: 'basicConstraints'; /** Is this a CA certificate? */ cA?: boolean; /** Maximum depth of valid certificate chain */ pathLenConstraint?: number; /** Mark extension as critical */ critical?: boolean; } declare interface KeyUsageExtension { name: 'keyUsage'; digitalSignature?: boolean; nonRepudiation?: boolean; /** Also known as contentCommitment */ contentCommitment?: boolean; keyEncipherment?: boolean; dataEncipherment?: boolean; keyAgreement?: boolean; /** For CA certificates */ keyCertSign?: boolean; /** For CA certificates */ cRLSign?: boolean; encipherOnly?: boolean; decipherOnly?: boolean; /** Mark extension as critical */ critical?: boolean; } declare interface ExtKeyUsageExtension { name: 'extKeyUsage'; /** TLS server authentication */ serverAuth?: boolean; /** TLS client authentication */ clientAuth?: boolean; codeSigning?: boolean; emailProtection?: boolean; timeStamping?: boolean; /** Mark extension as critical */ critical?: boolean; } declare interface SubjectAltNameExtension { name: 'subjectAltName'; altNames: SubjectAltNameEntry[]; /** Mark extension as critical */ critical?: boolean; } declare type CertificateExtension = | BasicConstraintsExtension | KeyUsageExtension | ExtKeyUsageExtension | SubjectAltNameExtension; declare interface ClientCertificateOptions { /** * Key size for the client certificate in bits (RSA only) * @default 2048 */ keySize?: number /** * Key type for client certificate * @default inherits from main keyType */ keyType?: 'rsa' | 'ec' /** * Elliptic curve for client certificate (EC only) * @default "P-256" */ curve?: 'P-256' | 'P-384' | 'P-521' /** * Signature algorithm for client certificate * @default inherits from main algorithm or "sha1" */ algorithm?: string /** * Client certificate's common name * @default "John Doe jdoe123" */ cn?: string /** * The date before which the client certificate should not be valid * @default now */ notBeforeDate?: Date /** * The date after which the client certificate should not be valid * @default notBeforeDate + 1 year */ notAfterDate?: Date } declare interface SelfsignedOptions { /** * The date before which the certificate should not be valid * * @default now */ notBeforeDate?: Date /** * The date after which the certificate should not be valid * * @default notBeforeDate + 365 days */ notAfterDate?: Date /** * Key type: "rsa" or "ec" (elliptic curve) * @default "rsa" */ keyType?: 'rsa' | 'ec' /** * the size for the private key in bits (RSA only) * @default 2048 */ keySize?: number /** * The elliptic curve to use (EC only): "P-256", "P-384", or "P-521" * @default "P-256" */ curve?: 'P-256' | 'P-384' | 'P-521' /** * Certificate extensions. Supports basicConstraints, keyUsage, extKeyUsage, and subjectAltName. * If not provided, defaults are used including DNS SAN matching commonName. * @example * ```typescript * extensions: [ * { name: 'basicConstraints', cA: false }, * { name: 'keyUsage', digitalSignature: true, keyEncipherment: true }, * { name: 'subjectAltName', altNames: [ * { type: 2, value: 'localhost' }, * { type: 7, ip: '127.0.0.1' }, * { type: 7, ip: '::1' } * ]} * ] * ``` */ extensions?: CertificateExtension[]; /** * The signature algorithm: sha256, sha384, sha512 or sha1 * @default "sha1" */ algorithm?: string /** * include PKCS#7 as part of the output * @default false */ pkcs7?: boolean /** * generate client cert signed by the original key * Can be `true` for defaults or an options object * @default false */ clientCertificate?: boolean | ClientCertificateOptions /** * client certificate's common name * @default "John Doe jdoe123" * @deprecated Use clientCertificate.cn instead */ clientCertificateCN?: string /** * the size for the client private key in bits * @default 2048 * @deprecated Use clientCertificate.keySize instead */ clientCertificateKeySize?: number /** * existing key pair to use instead of generating new keys */ keyPair?: { privateKey: string publicKey: string } /** * CA certificate and key for signing (if not provided, generates self-signed) */ ca?: { /** CA private key in PEM format */ key: string /** CA certificate in PEM format */ cert: string } /** * Passphrase to encrypt the private key (PKCS#8 encrypted format) * When provided, the private key will be encrypted using AES-256-CBC */ passphrase?: string } declare interface GenerateResult { private: string public: string cert: string fingerprint: string pkcs7?: string clientprivate?: string clientpublic?: string clientcert?: string clientpkcs7?: string } /** * Generate a certificate (async only) * * @param attrs Certificate attributes * @param opts Generation options * @returns Promise that resolves with certificate data * * @example * ```typescript * // Self-signed certificate * const pems = await generate(); * * const pems = await generate([{ name: 'commonName', value: 'example.com' }]); * * const pems = await generate(null, { * keySize: 2048, * algorithm: 'sha256' * }); * * // CA-signed certificate * const pems = await generate([{ name: 'commonName', value: 'localhost' }], { * algorithm: 'sha256', * ca: { * key: fs.readFileSync('/path/to/ca.key', 'utf8'), * cert: fs.readFileSync('/path/to/ca.crt', 'utf8') * } * }); * ``` */ export declare function generate( attrs?: CertificateField[], opts?: SelfsignedOptions ): Promise<GenerateResult>