Skip to content

node-opcua/node-opcua-pki

Repository files navigation

node-opcua-pki

NPM download NPM version Build Status Coverage Status install size FOSSA Status

Installation

install globally
$ npm install -g node-opcua-pki
$ crypto_create_CA --help
use with npx
npx node-opcua-pki --help
npx node-opcua-pki certificate --help

Note: see https://reference.opcfoundation.org/GDS/docs/F.1/

commands

command Help
demo create default certificate for node-opcua demos
createCA create a Certificate Authority
createPKI create a Public Key Infrastructure
certificate create a new certificate
csr create a new certificate signing request(CSR)
sign sign a CSR and generate a certificate
revoke revoke an existing certificate
dump display a certificate
toder convert a certificate to a DER format
fingerprint print the certificate fingerprint

Options: --help display help

create a PKI

node-opcua-pki createPKI

Options:

option description type default
-r, --root the location of the Certificate folder [string] [default: "{CWD}/certificates"]
--PKIFolder the location of the Public Key Infrastructure [string] [default: "{root}/PKI"]
-k, --keySize, --keyLength the private key size in bits (1024,2048,3072,4096) [number] [default: 2048]
-s, --silent minimize output [boolean] [default: false]

The result

└─ 📂certificates
    └─📂PKI
       ├─📂issuers
       │ ├─📂certs                 contains known Certificate Authorities' certificates
       │ └─📂crl                   contains Certificate Revocation List associates with the CA Certificates
       ├─📂own
       │ ├─📂certs                 where to store generated public certificates generated for the private key.
       │ └─📂private
       │    └─🔐private_key.pem  the private key in PEM format
       ├─📂rejected                  contains certificates that have been rejected.
       └─📂trusted
         ├─📂certs                 contains the X.509 v3 Certificates that are trusted.
         └─📂crl                   contains the X.509 v3 CRLs for any Certificates in the ./certs directory.

create a Certificate Signing Request (CSR)

Options:

option description type default
-a, --applicationUri the application URI [string] [default: "urn:{hostname}:Node-OPCUA-Server"]
-o, --output the name of the generated signing_request [string] [default: "my_certificate_signing_request.csr"]
--dns the list of valid domain name (comma separated) [string] [default: "{hostname}"]
--ip the list of valid IPs (comma separated) [string] [default: ""]
--subject the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello ) [string] [default: "/CN=Certificate"]
-r, --root the location of the Certificate folder [string] [default: "{CWD}/certificates"]
--PKIFolder the location of the Public Key Infrastructure [string] [default: "{root}/PKI"]

Create a certificate authority

default value
--subject the CA certificate subject "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA"
--root, -r the location of the Certificate folder "{CWD}/certificates"
--CAFolder, -c the location of the Certificate Authority folder "{root}/CA"]
--keySize, -k, --keyLength the private key size in bits (1024, 2048 ,3072, 4096)

The result

└─ 📂certificates
    └─📂PKI
       ├─📂CA           Certificate Authority
       ├─📂rejected     The Certificate store contains certificates that have been rejected.
       │ ├─📂certs      Contains the X.509 v3 Certificates which have been rejected.
       ├─📂trusted      The Certificate store contains trusted Certificates.
       │ ├─📂certs      Contains the X.509 v3 Certificates that are trusted.
       │ └─📂crl        Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.
       ├─📂issuers      The Certificate store contains the CA Certificates needed for validation.
       │ ├─📂certs      Contains the X.509 v3 Certificates that are needed for validation.
       │ ├─📂crl        Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.

sign a signing request (requires a CA)

option description type default
-i, --csr the csr [string] [required] [default: "my_certificate_signing_request.csr"]
-o, --output the name of the generated certificate [string] [required] [default: "my_certificate.pem"]
-v, --validity the certificate validity in days [number] [default: 365]
-r, --root the location of the Certificate folder [string] [default: "{CWD}/certificates"]
-c, --CAFolder the location of the Certificate Authority folder [string] [default: "{root}/CA"]

demo command

this command creates a bunch of certificates with various characteristics for demo and testing purposes.

crypto_create_CA  demo [--dev] [--silent] [--clean]

Options:

--help       display help                                                
--dev       create all sort of fancy certificates for dev testing purposes
--clean     Purge existing directory [use with care!]                    
--silent, -s minimize output                                              
--root, -r the location of the Certificate folder {CWD}/certificates

Example:

$crypto_create_CA  demo --dev
certificate command
$crypto_create_CA certificate --help

Options:

--help display help
--applicationUri, -a the application URI urn:{hostname}:Node-OPCUA-Server
--output, -o the name of the generated certificate my_certificate.pem
--selfSigned, -s if true, the certificate will be self-signed false
--validity, -v the certificate validity in days
--silent, -s minimize output
--root, -r the location of the Certificate folder {CWD}/certificates
--CAFolder, -c the location of the Certificate Authority folder {root}/CA
--PKIFolder, -p the location of the Public Key Infrastructure {root}/PKI
--privateKey, -p optional:the private key to use to generate certificate
--subject the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )
examples
  • create a self-signed certificate
npx node-opcua-pki certificate --dns=machine1.com,machine2.com --ip="192.1.2.3;192.3.4.5" -a 'urn:{hostname}:My-OPCUA-Server' --selfSigned -o  my_self_signed_certificate.pem

References

prerequisite:

This module requires OpenSSL or LibreSSL to be installed.

On Windows, a version of OpenSSL is automatically downloaded and installed at run time, if not present. You will need an internet connection open.

You need to install it on Linux, (or in your docker image), or on macOS

  • on ubuntu/Debian:
apt install openssl

or alpine:

apk add openssl

Support

Sterfive provides this module free of charge, “as is,” with the hope that it will be useful to you. However, any support requests, bug fixes, or enhancements are handled exclusively through our paid services. We believe strongly that independent open-source companies should be fairly compensated for their contributions to the community.

We highly recommend subscribing to our support program to ensure your requests are addressed and resolved. Please note that we only consider requests from members of our support program or sponsors.

Getting professional support

NodeOPCUA PKI is developed and maintained by sterfive.com.

To get professional support, consider subscribing to the node-opcua membership community:

Professional Support

or contact sterfive for dedicated consulting and more advanced support.

❤️ Supporting the development effort - Sponsors & Backers

If you like node-opcua-pki and if you are relying on it in one of your projects, please consider becoming a backer and sponsoring us, this will help us to maintain a high-quality stack and constant evolution of this module.

If your company would like to participate and influence the development of future versions of node-opcua please contact sterfive.