Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
April 4, 2023 06:34
June 2, 2023 11:32
April 4, 2023 08:21
January 20, 2022 14:56
January 20, 2022 19:52
June 2, 2023 11:32
October 7, 2017 13:56
June 2, 2023 11:32
April 4, 2023 08:21


Create private keys and certificates with node.js

Build Status npm version npm downloads pem documentation

JavaScript Style Guide


Install with npm

npm install pem

or use yarn

yarn add pem

⚠️ Please make sure you have openssl or libressl already installed on your system/container, without them pem will not work.


Here are some examples for creating an SSL key/cert on the fly, and running an HTTPS server on port 443. 443 is the standard HTTPS port, but requires root permissions on most systems. To get around this, you could use a higher port number, like 4300, and use https://localhost:4300 to access your server.

Basic https

var https = require('https')
var pem = require('pem')

pem.createCertificate({ days: 1, selfSigned: true }, function (err, keys) {
  if (err) {
    throw err
  https.createServer({ key: keys.clientKey, cert: keys.certificate }, function (req, res) {
    res.end('o hai!')


var https = require('https')
var pem = require('pem')
var express = require('express')

pem.createCertificate({ days: 1, selfSigned: true }, function (err, keys) {
  if (err) {
    throw err
  var app = express()

  app.get('/', function (req, res) {
    res.send('o hai!')

  https.createServer({ key: keys.clientKey, cert: keys.certificate }, app).listen(443)


Please have a look into the API documentation.

we had to clean up a bit

Custom extensions config file

You can specify custom OpenSSL extensions using the config or extFile options for createCertificate (or using csrConfigFile with createCSR).

extFile and csrConfigFile should be paths to the extension files. While config will generate a temporary file from the supplied file contents.

If you specify config then the v3_req section of your config file will be used.

The following would be an example of a Certificate Authority extensions file:

req_extensions = v3_req
distinguished_name = req_distinguished_name

commonName = Common Name
commonName_max = 64

basicConstraints = critical,CA:TRUE

While the following would specify subjectAltNames in the resulting certificate:

req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

DNS.1 =
DNS.2 =
DNS.3 =

Note that createCertificate and createCSR supports the altNames option which would be easier to use in most cases.

⚠️ Warning: If you specify altNames the custom extensions file will not be passed to OpenSSL.

Setting openssl location

In some systems the openssl executable might not be available by the default name or it is not included in $PATH. In this case you can define the location of the executable yourself as a one time action after you have loaded the pem module:

var pem = require('pem')
  pathOpenSSL: '/usr/local/bin/openssl'
// do something with the pem module

⚠️ CSR/Certificates with special chars

For more details, search in test/pem.spec.js: Create CSR with specialchars config file

If you use special chars like:


You should know that the result mey have escaped characters when you read it in your application. Will try to fix this in the future, but not sure.

Special thanks to

  • Andris Reinman (@andris9) - Initiator of pem