node-opcua-pki
Installation
install globally
$ npm install -g node-opcua-pki
$ crypto_create_CA --help
use with npx
npx node-opcua-pki --help
npx node-opcua-pki certificate --help
Note: see https://reference.opcfoundation.org/GDS/docs/F.1/
commands
| command | Help |
|---|---|
| demo | create default certificate for node-opcua demos |
| createCA | create a Certificate Authority |
| createPKI | create a Public Key Infrastructure |
| certificate | create a new certificate |
| csr | create a new certificate signing request(CSR) |
| sign | sign a CSR and generate a certificate |
| revoke | revoke an existing certificate |
| dump | display a certificate |
| toder | convert a certificate to a DER format |
| fingerprint | print the certificate fingerprint |
Options: --help display help
create a PKI
node-opcua-pki createPKI
Options:
| option | description | type | default |
|---|---|---|---|
| -r, --root | the location of the Certificate folder | [string] | [default: "{CWD}/certificates"] |
| --PKIFolder | the location of the Public Key Infrastructure | [string] | [default: "{root}/PKI"] |
| -k, --keySize, --keyLength | the private key size in bits (1024,2048,3072,4096) | [number] | [default: 2048] |
| -s, --silent | minimize output | [boolean] | [default: false] |
The result
└─ 📂certificates
└─📂PKI
├─📂issuers
│ ├─📂certs contains known Certificate Authorities' certificates
│ └─📂crl contains Certificate Revocation List associates with the CA Certificates
├─📂own
│ ├─📂certs where to store generated public certificates generated for the private key.
│ └─📂private
│ └─🔐private_key.pem the private key in PEM format
├─📂rejected contains certificates that have been rejected.
└─📂trusted
├─📂certs contains the X.509 v3 Certificates that are trusted.
└─📂crl contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
create a Certificate Signing Request (CSR)
Options:
| option | description | type | default |
|---|---|---|---|
| -a, --applicationUri | the application URI | [string] | [default: "urn:{hostname}:Node-OPCUA-Server"] |
| -o, --output | the name of the generated signing_request | [string] | [default: "my_certificate_signing_request.csr"] |
| --dns | the list of valid domain name (comma separated) | [string] | [default: "{hostname}"] |
| --ip | the list of valid IPs (comma separated) | [string] | [default: ""] |
| --subject | the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello ) | [string] | [default: "/CN=Certificate"] |
| -r, --root | the location of the Certificate folder | [string] | [default: "{CWD}/certificates"] |
| --PKIFolder | the location of the Public Key Infrastructure | [string] | [default: "{root}/PKI"] |
Create a certificate authority
| default value | ||
|---|---|---|
--subject |
the CA certificate subject | "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA" |
--root, -r
|
the location of the Certificate folder | "{CWD}/certificates" |
--CAFolder, -c
|
the location of the Certificate Authority folder | "{root}/CA"] |
--keySize, -k, --keyLength
|
the private key size in bits (1024, 2048 ,3072, 4096) |
The result
└─ 📂certificates
└─📂PKI
├─📂CA Certificate Authority
├─📂rejected The Certificate store contains certificates that have been rejected.
│ ├─📂certs Contains the X.509 v3 Certificates which have been rejected.
├─📂trusted The Certificate store contains trusted Certificates.
│ ├─📂certs Contains the X.509 v3 Certificates that are trusted.
│ └─📂crl Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
├─📂issuers The Certificate store contains the CA Certificates needed for validation.
│ ├─📂certs Contains the X.509 v3 Certificates that are needed for validation.
│ ├─📂crl Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
sign a signing request (requires a CA)
| option | description | type | default |
|---|---|---|---|
| -i, --csr | the csr | [string] [required] | [default: "my_certificate_signing_request.csr"] |
| -o, --output | the name of the generated certificate | [string] [required] | [default: "my_certificate.pem"] |
| -v, --validity | the certificate validity in days | [number] | [default: 365] |
| -r, --root | the location of the Certificate folder | [string] | [default: "{CWD}/certificates"] |
| -c, --CAFolder | the location of the Certificate Authority folder | [string] | [default: "{root}/CA"] |
demo command
this command creates a bunch of certificates with various characteristics for demo and testing purposes.
crypto_create_CA demo [--dev] [--silent] [--clean]
Options:
| --help | display help | |
| --dev | create all sort of fancy certificates for dev testing purposes | |
| --clean | Purge existing directory [use with care!] | |
| --silent, -s | minimize output | |
| --root, -r | the location of the Certificate folder | {CWD}/certificates |
Example:
$crypto_create_CA demo --dev
certificate command
$crypto_create_CA certificate --help
Options:
| --help | display help | |
| --applicationUri, -a | the application URI | urn:{hostname}:Node-OPCUA-Server |
| --output, -o | the name of the generated certificate | my_certificate.pem |
| --selfSigned, -s | if true, the certificate will be self-signed | false |
| --validity, -v | the certificate validity in days | |
| --silent, -s | minimize output | |
| --root, -r | the location of the Certificate folder | {CWD}/certificates |
| --CAFolder, -c | the location of the Certificate Authority folder | {root}/CA |
| --PKIFolder, -p | the location of the Public Key Infrastructure | {root}/PKI |
| --privateKey, -p | optional:the private key to use to generate certificate | |
| --subject | the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello ) |
examples
- create a self-signed certificate
npx node-opcua-pki certificate --dns=machine1.com,machine2.com --ip="192.1.2.3;192.3.4.5" -a 'urn:{hostname}:My-OPCUA-Server' --selfSigned -o my_self_signed_certificate.pem
References
- https://www.entrust.com/wp-content/uploads/2013/05/pathvalidation_wp.pdf
- https://en.wikipedia.org/wiki/Certification_path_validation_algorithm
- https://tools.ietf.org/html/rfc5280
prerequisite:
This module requires OpenSSL or LibreSSL to be installed.
On Windows, a version of OpenSSL is automatically downloaded and installed at run time, if not present. You will need an internet connection open.
You need to install it on Linux, (or in your docker image), or on macOS
- on ubuntu/Debian:
apt install openssl
or alpine:
apk add openssl
support:
Getting professional support
NodeOPCUA PKI is developed and maintained by sterfive.com.
To get professional support, consider subscribing to the node-opcua membership community:
or contact sterfive for dedicated consulting and more advanced support.
❤️ Supporting the development effort - Sponsors & Backers
If you like node-opcua-pki and if you are relying on it in one of your projects, please consider becoming a backer and sponsoring us, this will help us to maintain a high-quality stack and constant evolution of this module.
If your company would like to participate and influence the development of future versions of node-opcua please contact sterfive.