When I call pem.getPublicKey(...), node shows the following warning in the console:

DeprecationWarning: Calling an asynchronous function without callback is deprecated.

I'm using Node v7.0.0.

pem.readCertificateInfo crashes the app

at node_modules/pem/lib/pem.js:835:23
at node_modules/pem/lib/pem.js:1002:9
at node_modules/pem/node_modules/which/which.js:82:18
at FSReqWrap.oncomplete (fs.js:95:15)

i tried to run the the code given in the example i tried basic https and i got an err can't read property serviceKey of undefined so i installed express and tried the example given for express and i got err requireAuth is not defined.
i just copy past the code so it wasn't a typo

Have you considered the option to allow self-signed certificates with a passphrase?

While the NodeJS pem API allows one to specify a 'Subject Alternative Name' for a CSR through the 'altNames' parameter, any such value ( IP or DNS ) gets stripped by openssl.

The reason is that 'openssl x509' is used instead of 'openssl ca' for signing the certificate

Can you provide more rationale behind the serial number function. Seems that there are more constraints than required for an ordinary X509 certificate, which only mandates the serial number to be an positive integer less than 20 octets. Thanks!

How do I handle serial numbers when signing CSRs with a CA in a sensible way?
When I used bare OpenSSL i used -CAcreateserial which did the work for me.

Many CSRs include an Organization name that includes a comma, such as Facebook, Inc., but currently commas are replaced with a space in this regex:

https://github.com/andris9/pem/blob/5de4a26d1786fd02892cb823c672ffda49048733/lib/pem.js#L883

Hi,

I have a problem with certification information. (function readCertificateInfo)
CN field come out with emailAddress together
like this: CERTIFICATE TEST, emailAddress=[email protected]
and also, email field is empty.
I do not have a problem with certificate which contains CN without space in it

The latest tagged version does not have this method.

Hello,

I've tried saving pkcs12 as a binary file but when I look at the created file it's only 15 bytes big and I'm unable to import this .p12 into a browser.

note: pkcs12 is an object returned in binary.

Can someone provide an example with how they wrote the .p12 as a binary file.

Here's what I've tried;

//Create .p12 keystore to be imported in browsers, returns pkcs12 in binary
pem.createPkcs12(csrOptions.clientKey, clientCertificate, "", p12Options, function(err, obj){

                         logger.debug("PKCS12 " + JSON.stringify(obj));
                         logger.debug("PKCS12 data " + obj.pkcs12.data);
                         var data = [];
                         data = obj.pkcs12.data;

                         //Convert binary p12 & save to server
                                    var buffer = new Buffer(data, 'binary');

                                    //Save                                       
                                    fs.writeFile(__dirname + '/client.p12', buffer, 'binary', function(err){
                                        if (err){
                                            callback(false);
                                        }
                                        //Callback success
                                        callback(true);
                                    });

Contrary to popular belief, this module actually seems to work fine on Windows. So 👍 for that! However, you do have to add openssl to your PATH, which is a minor inconvenience.

It'd be nice if node-pem fell back to the default Windows directories (C:/OpenSSL-Win64 or C:/OpenSSL-Win32), similar to how ursa does it.

On [email protected] when fs.unlink is invoked. I think you're supposed to use fs.unlinkSync.

I have met a problem Certificate routines:X509_check_private_key: key values mismatch,
by some searching ,I fount it maybe a problem of openssl.
but I dont find how to solute it,
any suggestions?

I am unsure of how to go about it, but I think it would be neat if pem used crypto native functions, instead of openssl command-line stuff, especially for Windows or really bare cloud machine deployments. Do you think this is possible?

Similar to createCSR where you can pass clientKeyPassword as an option to automatically use the password without prompting for it, it would be amazing to have the capability for pem.createCertificate and that we could pass the serviceKeyPassword and prevent the prompt from the terminal.

Why don't you use ursa or crypto modules for keys generation?
Thnks

Hey @andris9

This may not be an issue directly with pem module but your input/help would be greatly appreciated.
A while ago @dodo forked pem to add support for altNames. The PR was sent and merged.

Since then node-xmpp has been using dodo's fork. I just tried replacing with upstream and our test is now failing.

https://github.com/node-xmpp/node-xmpp/blob/master/test/tls-test.js

I had a quick look but I couldn't find anything wrong and my knowledge on the subject is pretty limited.

Any idea?

Hi there! I am loving your module and I use it in one of my applications, however I am running into an issue when some people attempt to generate a certificate using this on Windows (as can be seen here: https://github.com/OstlerDev/PopcornTV/issues/11 )

I am getting a response that it gives the error that certificate is undefined. My source code where I am using your module can be found here: https://github.com/OstlerDev/PopcornTV/blob/master/atv.js#L8

Is there something I am doing that would cause this to not work on Windows?

Thanks,
OstlerDev

I am using pem in version 1.9.4
The actual documentation about pem.readCertificateInfo is saying

But I'am getting the following object :

{
    "issuer":{

    },
    "country":"",
    "state":"",
    "locality":"",
    "organization":"",
    "organizationUnit":"",
    "commonName":"localhost",
    "emailAddress":"",
    "dc":""
}

I am interested on the validity index witch is missing.

import pem from 'pem'
pem.createCertificate({ days: 60, selfSigned: true }, (err, keys) => {
  if (!err) {
    pem.readCertificateInfo(keys.csr, (err, info) => {
      if (!err) {
        console.log(JSON.stringify(info))
      }
    })
  }
})

I can't see a way in the Readme to actually sign certificates using a CSR (only to generate a CSR).

Is this currently possible?

When I type a URL in the browser and press Enter, the browser will try to connect to that host:port, and wait for a moment(several seconds); If there isn't a server at the beginning of "the moment", but a server manage to respond before the end of the timeout, the browser will accept it.

Since I have CA key/cert in my PC, I wrote a piece of code that will generate a certificate (according to its IP address), and use the certificate to start an HTTPS server. As in the case above, the request from the browser arrives before I generate the server certificate(and start the HTTPS server), but I can still respond to the request if the server can work in a very short time.

The browser will have a timestamp A when the request is sent, and the server will have a timestamp B when the certificate is signed(valid from). The problem is that, sometimes A is earlier than B, so browser will get a certificate error, given the info that the certificate has not taken into affect when you visit the website.

I think it may be a bug for the browser(Chrome), but it will be good if pem module can cover this by providing option startdate.

I've ane ext file like this:

subjectAltName=IP:127.0.0.1
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign

How can I use it when creating a certificate?

Would you be interested in supporting libressl and windows? Currently generate key function fails due to different args and your tests fails on my windows box. If interested I will do a PR for changes.

Thanks for making pem!

Took me a minute to work out how to use it for simple self-signed key HTTPS, thought I might give you examples for your docs. These are both valid for 1 day, and require root perms for the low port (https standard 443).

Basic https

var https = require("https"),
    pem = require('pem');

pem.createCertificate({days:1, selfSigned:true}, function(err, keys){
    https.createServer({key: keys.serviceKey, cert: keys.certificate}, function(req, res){
        res.end("o hai!")
    }).listen(443);
});

Express

var https = require("https"),
    pem = require('pem'),
    express = require('express');

pem.createCertificate({days:1, selfSigned:true}, function(err, keys){
    var app = express();

    app.get('/',  requireAuth, function(req, res){
        res.send("o hai!");
    });

    https.createServer({key: keys.serviceKey, cert: keys.certificate}, app).listen(443);
});

The Shining Light Productions Win32 openssl binaries use a slightly different formatting for separating fields in the Subject

Windows

~\Documents\foocorp\node_modules\pem $ openssl req -text -noout -verify -in ..\..\deleteme.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = GB, L = London, O = foocorp Limited, CN = ssltest.foocorp.com

Unix

[mike@a foocorp]$ openssl req -text -noout -verify -in deleteme.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, L=London, O=foocorp Limited, CN=ssltest.foocorp.com

Meaning npm test fails on Windows. I'm not sure why but it's an easy fix. Sending a PR.

Currently it is not possible to read the serial from a certificate. The serial is returned by openssl but parsed by fetchCertificateData.

Hi,

Is this module supported on the Windows platform?

If an error occurred at the open ssl spawn function it is uncaught,
Happens when I run it without admin permissions on windows.

I think we should add this:

  openssl.on('error', function (err) {
    callback(err);
  });

at the spawnOpenSSL function, but I didn't PR because I'm not sure if you wanna wrap the exception or not.

Edit: Not sure if this is OK:

var params = ['genrsa',
    '-rand',
    '/var/log/mail:/var/log/messages',
    keyBitsize
];

Do these files need to have a good source of entropy?

The docs refer to this as a seed for the random number generator. I'm not what openssl does with these files internally, so it's probably safer to not include that option.

Hi there! May I ask for a sample regarding how to create a certificate if you have a root CA and key that was generated?

I'm on windows 8, and the default hash method for my OpenSSL certificate generating is sha1, which is not secure any more. So I'll get a certificate warning when I use Chrome to visit the node-pem-signed HTTPS site

https://code.google.com/p/chromium/issues/detail?id=401365

I suggest to use sha256 to create certificate, which means calling openssl x509 -req -sha256 ... in pem.createCertificate()

Hi

Are they any plans to support these openssl commands in the future?

Thanks
Simon

sha1 is going away soon and discouraged: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

This is related to #27.

Needed:

• Generate cert with sha256 (done in PR #29)
• Return fingerprint (see this comment)

If passed an empty array of altNames, pem tries to generate the openssl config, but since there are no names, an open ssl error is produced:

Error Loading extension section v3_req
X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:139:name=subjectAltName,section=@alt_names
X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=@alt_names

https://github.com/andris9/pem/blob/e7f9fbae5a4bea25a9c2bc858ec53fd070bf37d4/lib/pem.js#L189

It would be great if someone could update the readme file to include a usage example of creating a certificate with v3_req extensions.
Thanks!

@andris9 can you transfer the repo to me?

So i don't need to watch both repos and get notice.

Thank you. Regards, Josef

I can't seem to see what options I can provide when creating a CSR. I would like to be able to add some additional extensions to the CSR.

BTW - Your code seems to work fine on Windows!

Regards,

createPrivateKey() only takes one option (keyBitsize), while genrsa offers many additional options; most commonly used are:

• encryption cipher (e.g. des3, aes256)
• encryption password

I would fork and patch, but it looks like the current implementation is very permissive about the type of keyBitsize, so I worry that any change I would make might break some existing clients. I could prepare a patch that expects an options object instead of keyBitsize, but I think we'd need to rev the major version. Is that something you're okay with?

Hi!
I think we should be using node-which in order to detect if the user has openssl and it is accessible.

I thought about something like this:

var which = require('which');
which('openssl', function(error, path){
if(error){
  // Handle no open ssl
}

// All good
});

Any plans to enable stream for some of the gulp lovers out here?
It would be nice to stream the certificates to the file system or as vinyl files.

You get a cryptic error message from spawn if your system doesn't have openssl. It would be nice if an error message was given back that said something to the effect of "pem requires openssl to be installed".

Hi

I am using pem.createCertificate, and I would like to backup the certificate for a future use.

1/ I tried to JSON.parse the return to store it in a file, but the certificate seams to be unusable after. I am getting openssl errors

2/ Next I tried to use pem.createPkcs12 and expected to store the binary object to a file for a future use with pem.readPkcs12. It fails has I still don't know how to store the Javascript object.
Using JSON.parse gives me the following errors

Error: Invalid openssl exit code: 1
% openssl pkcs12 -in ./ssl/pem -passin pass: -nodes
139889475110560:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:
139889475110560:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=PKCS12

Do I have a correct understanding of the tools ?
What I want to achieve is it even possible with pem ?
Thanks

Hi.

Downstream: beameio/beame-sdk#20

fs.unlinkSync(file.path)

Should use callback now (in node 7)

Hello,

the attribute "DC" is not supported by the function "fetchCertificateData".
The attached ZIP contains a certificate of BMW with the following subject:
/DC=corp/DC=bmw/DC=europe/CN=BMW Group Issuing CA 3

seon_TSL_certificate_3pPahZ.cer.zip

Basic usage seems to crash. I have a slightly more complex setup, but using the example code also gives me the same error (below). I am running Win7 64bit if that helps.

Example Code (from your page that gives same error)

var https = require('https'),
    pem = require('pem'),
    express = require('express');

pem.createCertificate({days:1, selfSigned:true}, function(err, keys){
  var app = express();

  app.get('/',  requireAuth, function(req, res){
    res.send("o hai!");
  });

  https.createServer({key: keys.serviceKey, cert: keys.certificate}, app).listen(443);
});

My package.json:

{
    "name" : "Test",
    "description": "Test",
    "version" : "0.0.1",
    "author" : "Me <[email protected]>",
    "private" : true,
    "contributors" :
    [{
        "name" : "Me",
        "email" : "[email protected]"
    }],
    "dependencies" :
    {
        "express": "4.11.0",
        "node-inspector" : "0.8.3",
        "pem": "1.4.5"
    }
}

My Code:

var express = require('express')
var https = require('https');
var pem = require('pem');

var app = express();

app.get(
    '/:id'
    ,function(inRequest, inResponse)
    {
        console.log(inRequest);
        inResponse.send('Hello World!');
    }
);

function ServerStarted()
{
    var aHost = server.address().address;
    var aPort = server.address().port;

    console.log('Listening at http://%s:%s\n', aHost, aPort);
}

console.log('test 1');

//Docs for creating better security feature set: https://github.com/andris9/pem
pem.createCertificate(
    {days:365, selfSigned:true}
    ,function(inError, inKeys)
    {
        console.log('test 2');
        if(inError)
        {
            console.error(inError);
            //system quit?
            return;
        }
        https.createServer(
            {key: inKeys.serviceKey, cert: inKeys.certificate}
            ,app
        ).listen(443, ServerStarted);
    }
);

The Error:

v0.10.26
test 1

events.js:72
        throw er; // Unhandled 'error' event
              ^
Error: spawn ENOENT
    at errnoException (child_process.js:988:11)
    at Process.ChildProcess._handle.onexit (child_process.js:779:34)

Hi Andris (@andris9),

what do you think about to change the default settings for:

keyBitsize - should maybe now set to 2048 as default for CSR because the most CAs require a min. keysize of 2048.
hash - should maybe now set to sha256 as default for CSR because the most CAs beginn to change to sha256 hash.

Background:

Microsoft has, however, decided to replace the hashing mechanism SHA-1 in favor of a more modern and safer. One has the SHA-256 mechanism selected as one of the four mechanisms of SHA-2 will come to this use.

The first date on the roadmap is the 16th January 2016 provided. On that date Microsoft terminated the trust in code-signing certificates issued by this mechanism. More dates are the 1st January 2017 the trust is to be withdrawn with the all SSL certificates with SHA-1 mechanism.

Therefore, GlobalSign has decided to implement the beginning of March 2014 standard in issuing new certificates SHA 256.

I think it would be a nice feature to have in this module. The function should return the output of openssl dhparam -outform PEM [numbits], with numbits configurable (default 512).

Docs: https://www.openssl.org/docs/apps/dhparam.html

I have an EV Certificate but can't read the Information out of the Cert.

root@server100:~# openssl x509 -noout -text -in cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f0:cc:11:de:c2:55:d0:b2:d4:f8:68:8a:4a:bf:e8:a6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Extended Validation Secure Server CA
        Validity
            Not Before: Mar 18 00:00:00 2014 GMT
            Not After : Mar 18 23:59:59 2015 GMT
        Subject: serialNumber=HRB 203384/1.3.6.1.4.1.311.60.2.1.3=DE/businessCategory=Private Organization, C=DE/postalCode=49451, ST=Niedersachsen, L=Holdorf/street=Bergstra\xC3\x9Fe 61, O=DeineAgentur UG (haftungsbeschr\xC3\xA4nkt), OU=IT, OU=COMODO EV SSL, CN=www.deineagentur.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:db:02:87:7e:39:c4:1b:b0:0e:c5:66:b5:f7:ed:
                    4b:5a:4f:51:c9:b0:10:86:cf:0a:03:57:2b:6c:12:
                    55:9d:5e:25:9e:24:d8:e9:d3:c9:11:c4:53:f0:14:
                    84:d4:b0:39:52:6e:52:5a:5e:a5:4a:14:1c:eb:ff:
                    2e:96:db:f5:a0:7d:ba:c8:77:03:89:77:58:33:d1:
                    c2:e2:e5:f7:40:16:40:a9:b0:07:91:97:c5:c7:aa:
                    0f:c0:05:d2:fd:a2:e5:a4:e3:78:8e:c6:69:99:10:
                    16:92:61:aa:f4:76:08:16:46:16:cc:43:a9:ae:13:
                    f7:07:15:77:58:10:06:38:e0:28:d2:cd:01:e5:68:
                    ab:df:6c:e4:3b:33:35:84:79:7c:45:90:6c:d2:60:
                    b9:e1:41:22:4a:e3:4d:7b:0b:62:cc:60:d3:8c:12:
                    c8:3c:1b:89:59:91:b8:45:55:7a:1a:90:fb:a2:bb:
                    2e:4a:42:c1:9d:f9:b5:71:cf:3c:12:93:e6:a3:d8:
                    6f:81:73:8f:7a:0e:44:f2:a9:68:ac:6b:67:07:62:
                    3c:70:a3:84:0e:97:92:ab:92:a7:03:3c:ba:2f:3e:
                    41:d6:f7:5e:59:18:72:5f:ae:24:e2:6f:20:f7:84:
                    a7:17:18:a7:80:07:62:82:bd:3b:ce:2a:c4:a0:82:
                    9a:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:88:44:51:FF:50:2A:69:5E:2D:88:F4:21:BA:D9:0C:F2:CE:CB:EA:7C

            X509v3 Subject Key Identifier:
                39:DD:2F:AD:8F:6B:F7:A2:41:CA:AB:28:01:08:26:DF:1B:D4:C9:62
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.5.1
                  CPS: https://secure.comodo.com/CPS

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.comodoca.com/COMODOExtendedValidationSecureServerCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODOExtendedValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:www.deineagentur.com, DNS:deineagentur.com
    Signature Algorithm: sha1WithRSAEncryption
         a1:63:86:ae:ec:f6:e6:23:0d:f8:2a:7f:ba:06:28:d8:c9:a1:
         b2:71:08:96:37:95:eb:79:44:52:0b:31:24:60:d0:c0:28:2c:
         46:8e:7e:f8:46:42:4d:16:fa:af:75:35:3e:7b:19:c1:64:fa:
         47:53:3f:22:ac:7a:00:4b:81:8a:91:17:b4:7d:58:ef:89:55:
         e3:e8:6a:9d:be:43:e2:19:ac:e5:b5:4a:c5:d8:00:b3:aa:ec:
         9f:81:d4:36:a3:8e:cf:6a:75:0a:0a:f6:a5:32:5c:7b:22:ba:
         5f:b9:2d:bf:d4:aa:6c:49:46:29:9e:1e:8b:88:e7:62:40:14:
         39:bb:ca:fd:d7:17:6a:ce:67:22:b4:87:03:7e:2f:ea:88:2f:
         ca:c5:21:99:5b:6e:11:54:c9:48:4b:ca:41:8e:f8:c1:4e:fe:
         67:ae:04:5c:71:76:aa:7a:98:47:5a:ee:5d:37:a6:45:81:f2:
         ee:b7:b2:42:a6:25:1a:43:cb:c7:cc:6f:a2:2e:c8:72:30:70:
         9a:ff:85:92:11:bf:90:f3:4b:4a:a3:34:00:9f:9b:a9:8e:38:
         82:ff:79:7b:20:45:83:3f:6c:eb:80:12:f2:39:3a:ee:dc:08:
         a2:ca:6c:91:05:d0:70:5a:ea:79:30:6e:e6:cd:7c:c4:b6:7f:
         1a:33:a8:f0