0.7.2 • Public • Published


Built by The Root Company for Greenlock, ACME.js, and Keypairs.js

Lightweight, Zero-Dependency, x509 encoder and decoder for Node.js and Browsers

| 1.6k gzipped | 6.8k minified | 9.7k pretty |

This provides a set ASN.1 / x509 schemas for DER encoding and decoding Public / Private Keypairs and CSRs.

  • [x] Zero External Dependencies
  • [x] x509 schemas for common crypto
    • [x] RSA & ECDSA Public/Private Keypairs
      • PKCS1
      • PKCS8
      • SEC1
      • SPKI
      • PKIX
    • [x] Certificate Signing Requests (CSR)
      • PKCS10
  • [x] Universal Support
    • [x] Node.js
    • [x] Browsers
  • [x] Vanilla JS

Looking for easy?

You probably just want to use one of these:

Looking for a deep dive? Well, in addition to x509.js, you'll probably also want one of more of these:

Want to contribute? Need commercial support?


This package contains both node-specific and browser-specific code, and the package.json#browser field ensures that your package manager will automatically choose the correct code for your environment.

Node (and Webpack)

npm install --save @root/x509
var X509 = require('@root/x509');
// just the encoders
var X509 = require('@root/x509/packers');
// just the decoders
var X509 = require('@root/x509/parsers');

Browsers (Vanilla JS)

<script src="https://unpkg.com/@root/x509/dist/x509.all.js"></script>
<script src="https://unpkg.com/@root/x509/dist/x509.all.min.js"></script>
var X509 = window.X509;


This is a very tiny, very efficient x509 package.

Rather than implementing full schemas as defined by the RFCs, it only implements the parts that are actually used in the wild by programs like openssl, Let's Encrypt, ssh-keygen, etc.

Additionally, rather than always using a full parser, it uses happy-path heuristics to quickly and efficiently extract the necessary information. It likewise packs very quickly.


The packers encoder JWK as DER.

X509.packPkix(jwk); // alias of X509.packSpki

There are two special functions specifically for embeding keys in CSRs.


The rest of the CSR code is in csr.js.


The keypair format parsers each return a JWK, for convenience. To conserve memory, they expect taht you give an empty object as the jwk parameter.

If you are using crv: 'P-384', you should pass that in as part of the otherwise empty JWK.

X509.parsePkcs1(buf, jwk);
X509.parseSec1(buf, jwk);
X509.parsePkcs8(buf, jwk);
X509.parseSpki(buf, jwk);
X509.parsePkix(buf, jwk); // aliase of parseSpki


Did this project save you some time? Maybe make your day? Even save the day?

Please say "thanks" via Paypal or Patreon:

Where does your contribution go?

Root is a collection of experts who trust each other and enjoy working together on deep-tech, Indie Web projects.

Our goal is to operate as a sustainable community.

Your contributions - both in code and especially monetarily - help to not just this project, but also our broader work of projects that fuel the Indie Web.

Also, we chat on Keybase in #rootprojects

Commercial Support

Do you need...

  • more features?
  • bugfixes, on your timeline?
  • custom code, built by experts?
  • commercial support and licensing?

Contact aj@therootcompany.com for support options.


Copyright AJ ONeal, Root 2018-2019

MPL-2.0 | Terms of Use | Privacy Policy

Package Sidebar


npm i @root/x509

Weekly Downloads






Unpacked Size

93.4 kB

Total Files


Last publish


  • coolaj86