node-opcua-pki v4.10.0

node-opcua-pki

Installation

install globally

$ npm install -g node-opcua-pki
$ crypto_create_CA --help

use with npx

npx node-opcua-pki --help
npx node-opcua-pki certificate --help

Note: see https://reference.opcfoundation.org/GDS/docs/F.1/

commands

Options: --help display help

create a PKI

node-opcua-pki createPKI

Options:

The result

└─ 📂certificates
    └─📂PKI
       ├─📂issuers
       │ ├─📂certs                 contains known Certificate Authorities' certificates
       │ └─📂crl                   contains Certificate Revocation List associates with the CA Certificates
       ├─📂own
       │ ├─📂certs                 where to store generated public certificates generated for the private key.
       │ └─📂private
       │    └─🔐private_key.pem  the private key in PEM format
       ├─📂rejected                  contains certificates that have been rejected.
       └─📂trusted
         ├─📂certs                 contains the X.509 v3 Certificates that are trusted.
         └─📂crl                   contains the X.509 v3 CRLs for any Certificates in the ./certs directory.

create a Certificate Signing Request (CSR)

Options: | option | description | type | default | |---------------------|-------------------------------------------------|--------|-----------------------------------------------| |-a, --applicationUri |the application URI |string|default: "urn:{hostname}:Node-OPCUA-Server" | |-o, --output | the name of the generated signing_request |string|default: "my_certificate_signing_request.csr"| |--dns | the list of valid domain name (comma separated) |string|default: "{hostname}" | |--ip | the list of valid IPs (comma separated) |string|default: "" | |--subject | the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )|string| default: "/CN=Certificate"| |-r, --root | the location of the Certificate folder |string|default: "{CWD}/certificates" | |--PKIFolder | the location of the Public Key Infrastructure |string|default: "{root}/PKI" |

Create a certificate authority

The result

└─ 📂certificates
    └─📂PKI
       ├─📂CA           Certificate Authority
       ├─📂rejected     The Certificate store contains certificates that have been rejected.
       │ ├─📂certs      Contains the X.509 v3 Certificates which have been rejected.
       ├─📂trusted      The Certificate store contains trusted Certificates.
       │ ├─📂certs      Contains the X.509 v3 Certificates that are trusted.
       │ └─📂crl        Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
       ├─📂issuers      The Certificate store contains the CA Certificates needed for validation.
       │ ├─📂certs      Contains the X.509 v3 Certificates that are needed for validation.
       │ ├─📂crl        Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.

sign a signing request (requires a CA)

demo command

this command creates a bunch of certificates with various characteristics for demo and testing purposes.

crypto_create_CA  demo [--dev] [--silent] [--clean]

Options:

Example:

$crypto_create_CA  demo --dev

certificate command

$crypto_create_CA certificate --help

Options:

examples

• create a self-signed certificate

npx node-opcua-pki certificate --dns=machine1.com,machine2.com --ip="192.1.2.3;192.3.4.5" -a 'urn:{hostname}:My-OPCUA-Server' --selfSigned -o  my_self_signed_certificate.pem

References

• https://www.entrust.com/wp-content/uploads/2013/05/pathvalidation_wp.pdf
• https://en.wikipedia.org/wiki/Certification_path_validation_algorithm
• https://tools.ietf.org/html/rfc5280

prerequisite:

This module requires OpenSSL or LibreSSL to be installed.

On Windows, a version of OpenSSL is automatically downloaded and installed at run time, if not present. You will need an internet connection open.

You need to install it on Linux, (or in your docker image), or on macOS

• on ubuntu/Debian:

apt install openssl

or alpine:

apk add openssl

support:

Getting professional support

NodeOPCUA PKI is developed and maintained by sterfive.com.

To get professional support, consider subscribing to the node-opcua membership community:

or contact sterfive for dedicated consulting and more advanced support.

:heart: Supporting the development effort - Sponsors & Backers

If you like node-opcua-pki and if you are relying on it in one of your projects, please consider becoming a backer and sponsoring us, this will help us to maintain a high-quality stack and constant evolution of this module.

If your company would like to participate and influence the development of future versions of node-opcua please contact sterfive.