node-opcua-pki
Advanced tools
$ npm install -g node-opcua-pki
$ crypto_create_CA --help
npx node-opcua-pki --help
npx node-opcua-pki certificate --help
Note: see https://reference.opcfoundation.org/GDS/docs/F.1/
| command | Help |
|---|---|
| demo | create default certificate for node-opcua demos |
| createCA | create a Certificate Authority |
| createPKI | create a Public Key Infrastructure |
| certificate | create a new certificate |
| csr | create a new certificate signing request(CSR) |
| sign | sign a CSR and generate a certificate |
| revoke | revoke an existing certificate |
| dump | display a certificate |
| toder | convert a certificate to a DER format |
| fingerprint | print the certificate fingerprint |
Options: --help display help
node-opcua-pki createPKI
| option | description | type | default | | -------------------------- | --------------------------------------------- | --------- | ------------------------------- | ----- | -------- | --------------- | | -r, --root | the location of the Certificate folder | [string] | [default: "{CWD}/certificates"] | | --PKIFolder | the location of the Public Key Infrastructure | [string] | [default: "{root}/PKI"] | | -k, --keySize, --keyLength | the private key size in bits (1024 | 2048 | 3072 | 4096) | [number] | [default: 2048] | | -s, --silent | minimize output | [boolean] | [default: false] |
The result
└─ 📂certificates
└─📂PKI
├─📂issuers
│ ├─📂certs contains known Certificate Authorities' certificates
│ └─📂crl contains Certificate Revocation List associates with the CA Certificates
├─📂own
│ ├─📂certs where to store generated public certificates generated for the private key.
│ └─📂private
│ └─🔐private_key.pem the private key in PEM format
├─📂rejected contains certificates that have been rejected.
└─📂trusted
├─📂certs contains the X.509 v3 Certificates that are trusted.
└─📂crl contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
Options: | option | description | type | default | |---------------------|-------------------------------------------------|--------|----------------------------------- -----------| |-a, --applicationUri |the application URI |[string]|[default: "urn:{hostname}:Node-OPCUA-Server"] | |-o, --output | the name of the generated signing_request |[string]|[default: "my_certificate_signing_request.csr"]| |--dns | the list of valid domain name (comma separated) |[string]|[default: "{hostname}"] | |--ip | the list of valid IPs (comma separated) |[string]|[default: ""] | |--subject | the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )|[string]| [default: "/CN=Certificate"]| |-r, --root | the location of the Certificate folder |[string]|[default: "{CWD}/certificates"] | |--PKIFolder | the location of the Public Key Infrastructure |[string]|[default: "{root}/PKI"] |
| default value | ||
|---|---|---|
--subject | the CA certificate subject | "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA" |
--root, -r | the location of the Certificate folder | "{CWD}/certificates" |
--CAFolder, -c | the location of the Certificate Authority folder | "{root}/CA"] |
--keySize, -k, --keyLength | the private key size in bits (1024 | 2048 ,3072, 4096 ,2048 |
The result
└─ 📂certificates
└─📂PKI
├─📂CA Certificate Authority
├─📂rejected The Certificate store contains certificates that have been rejected.
│ ├─📂certs Contains the X.509 v3 Certificates which have been rejected.
├─📂trusted The Certificate store contains trusted Certificates.
│ ├─📂certs Contains the X.509 v3 Certificates that are trusted.
│ └─📂crl Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
├─📂issuers The Certificate store contains the CA Certificates needed for validation.
│ ├─📂certs Contains the X.509 v3 Certificates that are needed for validation.
│ ├─📂crl Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
| option | description | type | default |
|---|---|---|---|
| -i, --csr | the csr | [string] [required] | [default: "my_certificate_signing_request.csr"] |
| -o, --output | the name of the generated certificate | [string] [required] | [default: "my_certificate.pem"] |
| -v, --validity | the certificate validity in days | [number] | [default: 365] |
| -r, --root | the location of the Certificate folder | [string] | [default: "{CWD}/certificates"] |
| -c, --CAFolder | the location of the Certificate Authority folder | [string] | [default: "{root}/CA"] |
this command creates a bunch of certificates with various characteristics for demo and testing purposes.
crypto_create_CA demo [--dev] [--silent] [--clean]
Options:
| --help | display help | |
| --dev | create all sort of fancy certificates for dev testing purposes | |
| --clean | Purge existing directory [use with care!] | |
| --silent, -s | minimize output | |
| --root, -r | the location of the Certificate folder | {CWD}/certificates |
Example:
$crypto_create_CA demo --dev
$crypto_create_CA certificate --help
Options:
| --help | display help | |
| --applicationUri, -a | the application URI | urn:{hostname}:Node-OPCUA-Server |
| --output, -o | the name of the generated certificate | my_certificate.pem |
| --selfSigned, -s | if true, the certificate will be self-signed | false |
| --validity, -v | the certificate validity in days | |
| --silent, -s | minimize output | |
| --root, -r | the location of the Certificate folder | {CWD}/certificates |
| --CAFolder, -c | the location of the Certificate Authority folder | {root}/CA |
| --PKIFolder, -p | the location of the Public Key Infrastructure | {root}/PKI |
| --privateKey, -p | optional:the private key to use to generate certificate | |
| --subject | the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello ) |
This module requires OpenSSL or LibreSSL to be installed.
On Windows, a version of OpenSSL is automatically downloaded and installed at run time, if not present. You will need an internet connection open.
You need to install it on Linux, (or in your docker image), or on MacOS
apt install openssl
or alpine:
apk add openssl
NodeOPCUA PKI is developed and maintained by sterfive.com.
To get professional support, consider subscribing to the node-opcua membership community:
or contact sterfive for dedicated consulting and more advanced support.
If you like node-opcua-pki and if you are relying on it in one of your projects, please consider becoming a backer and sponsoring us, this will help us to maintain a high-quality stack and constant evolution of this module.
If your company would like to participate and influence the development of future versions of node-opcua please contact sterfive.
FAQs
PKI management for node-opcua
We found that node-opcua-pki demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.
