Create private keys and certificates with node.js
Install with npm
npm install pem
or use yarn
yarn add pem
openssl or libressl already installed on your system/container, without
them pem will not work.
TypeScript declaration files are bundled with the package via types/pem.d.ts. The public API, including the legacy promisified helpers and the CA utility, now has precise typings.
Run yarn test:types to execute the lightweight tsd assertions that guard the definitions.
Here are some examples for creating an SSL key/cert on the fly, and running an HTTPS server on port 443. 443 is the standard HTTPS port, but requires root permissions on most systems. To get around this, you could use a higher port number, like 4300, and use https://localhost:4300 to access your server.
Promise support: Every asynchronous function in
pemstill accepts a Node-style callback and now returns aPromisewhen no callback is provided. The legacypem.promisifiedhelper is deprecated; use the primary exports directly for both callback and promise flows.
var https = require('https')
var pem = require('pem')
pem.createCertificate({ days: 1, selfSigned: true }, function (err, keys) {
if (err) {
throw err
}
https.createServer({ key: keys.clientKey, cert: keys.certificate }, function (req, res) {
res.end('o hai!')
}).listen(443)
})var https = require('https')
var pem = require('pem')
var express = require('express')
pem.createCertificate({ days: 1, selfSigned: true }, function (err, keys) {
if (err) {
throw err
}
var app = express()
app.get('/', function (req, res) {
res.send('o hai!')
})
https.createServer({ key: keys.clientKey, cert: keys.certificate }, app).listen(443)
})const https = require('https')
const pem = require('pem')
async function main() {
const keys = await pem.createCertificate({ days: 1, selfSigned: true })
const server = https.createServer({ key: keys.clientKey, cert: keys.certificate }, (req, res) => {
res.end('o hai!')
})
server.listen(443)
}
main().catch((err) => {
console.error(err)
process.exit(1)
})Please have a look into the API documentation.
All asynchronous functions document below support both callback and promise styles. Invoke them without a callback to
receive a Promise that resolves to the same value that would be passed to the callback.
we had to clean up a bit
Use the CA helper when you already have a certificate authority key pair and want to issue new certificates without rebuilding the PKI state on your own.
const fs = require('fs')
const pem = require('pem')
async function main () {
const ca = new pem.CA({
key: fs.readFileSync('intermediate-ca-key.pem'),
certificate: fs.readFileSync('intermediate-ca-cert.pem'),
chain: [fs.readFileSync('root-ca-cert.pem')]
})
const certificate = await ca.issueCertificate({
commonName: 'service.internal',
altNames: ['service.internal', '10.0.0.5']
})
console.log(certificate.certificate)
}
main().catch(console.error)Where
- key is a PEM encoded private key for your certificate authority (required)
- certificate is the PEM encoded certificate matching
key(required) - chain is an optional array of PEM encoded certificates that should accompany issued certificates (for example a root certificate)
- keyPassword/password is an optional passphrase used to decrypt an encrypted private key
- defaultDays sets a default validity window (in days) that is applied when no custom dates are provided (defaults to
7)
issueCertificate accepts the same options that createCertificate does for CSR generation (for example commonName, altNames, or a custom config). When no csr is supplied a fresh CSR and key pair are created automatically and included in the response.
By default issued certificates are valid starting "now" and expire after defaultDays. You can override this by supplying startDate, endDate, or days. Dates can be JavaScript Date objects, timestamps, ISO strings, or ASN.1 date strings (e.g. 20240101000000Z).
The returned object contains the issued certificate, the CSR that was used, any generated private key, the CA certificate and chain, the serial number used for issuance, and the resolved validity window.
You can specify custom OpenSSL extensions using the config or extFile options for createCertificate (or using csrConfigFile with createCSR).
extFile and csrConfigFile should be paths to the extension files. While config will generate a temporary file from the supplied file contents.
If you specify config then the v3_req section of your config file will be used.
The following would be an example of a Certificate Authority extensions file:
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = Common Name
commonName_max = 64
[v3_req]
basicConstraints = critical,CA:TRUE
While the following would specify subjectAltNames in the resulting certificate:
[req]
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
DNS.3 = host3.example.com
Note that createCertificate and createCSR supports the altNames option which would be easier to use in most cases.
altNames the custom extensions file will not be passed to OpenSSL.
In some systems the openssl executable might not be available by the default name or it is not included in $PATH. In this case you can define the location of the executable yourself as a one time action after you have loaded the pem module:
var pem = require('pem')
pem.config({
pathOpenSSL: '/usr/local/bin/openssl'
})
// do something with the pem moduleFor more details, search in test/pem.spec.js: Create CSR with specialchars config file
If you use special chars like:
-!$%^&*()_+|~=`{}[]:/;<>?,.@#
You should know that the result mey have escaped characters when you read it in your application. Will try to fix this in the future, but not sure.
- Andris Reinman (@andris9) - Initiator of pem
MIT
