Node.js utility for SSL certificates using OpenSSL (generating, verifying, etc.)
JavaScript
Latest commit 0a98142 Nov 30, 2015 @es128 Release 0.3.0

README.md

ssl-utils

A handful of wrappers around OpenSSL commands for Node.js

Usage

Install with npm: npm install ssl-utils --save

var ssl = require('ssl-utils');

//// generate a new SSL certificate and key ////
var csr = {
  subject: {
    C:  'US',
    ST: 'FL',
    L:  'Hollywood',
    O:  'es128',
    OU: 'me',
    CN: 'www.domain.name'
  }
  // subjectaltname could also be added
};

ssl.generateCertBuffer(
  'myCert', /*temp filename prefix*/
  false, /*whether to keep temp files*/
  csr, /*cert info, see above*/
  caKeyPath,  /*path to CA signer's key*/
  caCertPath, /*path to CA signer's cert*/
  function (err, key, cert, fingerprint, hash) { /*callback*/}
);


//// check the validity of a cert/key pair ////
var cert = certContents; //String or Buffer

ssl.checkCertificateExpiration(cert, function (expiry) {
    //expiry is a Date instance
    var remainingTime = expiry.getTime() - Date.now();
});

API

generateCertBuffer(prefix, keepTmp, certInfo, caKeyPath, caCertPath, callback)

Generates a new ssl certificate and private key, signed by the provided certificate authority.

  • prefix: String prefix to use when naming temp files
  • keepTmp: Boolean whether temp files should be automatically deleted
  • certInfo: Object identity info to embed in the certificate
    • subject: required child object with C (Country), ST (State), L (Locality), O (Organization), OU (Organizational Unit), CN (Common Name)
    • subjectaltname: optional string, comma-separated list of alt names for the certificate such as DNS:foo.domain.name, DNS:bar.domain.name, DNS:localhost, IP:127.0.0.1
  • caKeyPath: String path to the certificate authority's private key pem file
  • caCertPath: String path to the certificate authority's certificate pem file
  • callback: Function in the form of callback(err, keyBuffer, certBuffer)

generateCert

Same as generateCertBuffer except it returns file paths to the temp files for the key and cert instead of buffers.

setExpiryDays(days)

Sets how many days from now a generated certificate should expire. If not set, openssl's default or local settings will be used.

Additional certificate generation methods

createKeypair, createCertRequestConfig, createExtensionsFile, createCertRequest, and createCert are used by the above methods in the generation process, but are also exported and can be used directly. Check the generate.js source code for the method signatures.

checkCertificateExpiration(cert, callback)

Parses a provided certificate's expiration date.

  • cert: String|Buffer contents of the certificate pem file
  • callback: Function in the form of callback(err, certExpiry) where certExpiry is a Date instance.

verifyCertificateKey(cert, key, [options], callback)

Checks the validity of a provided certificate and private key, as well as whether they match.

  • cert: String|Buffer contents of the certificate
  • key: String|Buffer contents of the private key
  • options: Object
    • to verify the certificate against a specific certificate authority, pass the path the CA file in options.CAfile
    • to use Key password, pass the password in options.pass
  • callback: Function in the form of callback(err, result) where result is an object containing certStatus, keyStatus, and match
    • result.certStatus: Object containing Boolean properties valid, verifiedCA, and selfSigned as well as output containing the raw output from OpenSSL
    • result.keyStatus: Object containing valid and output
    • result.match: Boolean whether the cert's and key's modulus values match
Additional certificate verification methods

verifyCertificate, verifyKey, compareModuli are used by verifyCertificateKey, but are also exported and can be used directly. Check the verify.js source code for the method signatures.

Acknowledgements

The certificate generation code was derived from certgen.

License

MIT