Class Certificate

Represents an X.509 certificate.

An X.509 certificate is a digital certificate that binds a public key to an identity. It contains information about the certificate holder (subject), the issuer, validity period, extensions, and a digital signature from the issuer. This class provides comprehensive support for parsing, validating, and working with X.509 certificates.

Asn

Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING
}

Example

// Load certificate from PEM
const pem = '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
const cert = Certificate.fromPem(pem)

// Access certificate information
console.log('Subject:', cert.tbsCertificate.subject.commonName)
console.log('Issuer:', cert.tbsCertificate.issuer.commonName)
console.log('Valid from:', cert.tbsCertificate.validity.notBefore)
console.log('Valid to:', cert.tbsCertificate.validity.notAfter)

// Create self-signed certificate
const selfSigned = await Certificate.createSelfSigned({
    subject: 'CN=Test Certificate, O=My Organization, C=US',
    validity: {
        notBefore: new Date('2023-01-01'),
        notAfter: new Date('2024-01-01'),
    },
    privateKeyInfo: privateKey,
    subjectPublicKeyInfo: publicKey
})

// Validate certificate
const validationResult = await cert.validate({
    trustedCertificates: [caCert],
    checkRevocation: true
})

Hierarchy (View Summary)

PkiBase<Certificate>
- Certificate

Constructors

constructor

new Certificate(
    options: {
        signatureAlgorithm: AlgorithmIdentifier;
        signatureValue: Uint8Array<ArrayBufferLike> | BitString;
        tbsCertificate: TBSCertificate;
    },
): Certificate
Creates a new Certificate instance.
Parameters
- options: {
      signatureAlgorithm: AlgorithmIdentifier;
      signatureValue: Uint8Array<ArrayBufferLike> | BitString;
      tbsCertificate: TBSCertificate;
  }
  Configuration object
  - signatureAlgorithm: AlgorithmIdentifier
    The signature algorithm
  - signatureValue: Uint8Array<ArrayBufferLike> | BitString
    The signature bits
  - tbsCertificate: TBSCertificate
    The TBSCertificate structure
Returns Certificate
Overrides PkiBase.constructor
- Defined in packages/pki-lite/src/x509/Certificate.ts:116

Properties

signatureAlgorithm

signatureAlgorithm: SignatureAlgorithmIdentifier

Algorithm used to sign this certificate.

signatureValue

signatureValue: BitString

The digital signature value from the issuer.

tbsCertificate

tbsCertificate: TBSCertificate

The "to be signed" certificate containing most certificate data.

`Static`TBSCertificate

TBSCertificate: typeof TBSCertificate = TBSCertificate

Reference to TBSCertificate class for easy access.

Accessors

pemHeader

get pemHeader(): string
Gets the PEM header name for this object type. Converts the class name to uppercase for use in PEM encoding.

Returns string
Inherited from PkiBase.pemHeader
- Defined in packages/pki-lite/src/core/PkiBase.ts:60

pkiType

get pkiType(): string
Gets the PKI type name for this object (typically the class name). Used for PEM headers and debugging output.

Returns string
Inherited from PkiBase.pkiType
- Defined in packages/pki-lite/src/core/PkiBase.ts:52

Methods

equals

equals(other: PkiBase<any>): boolean
Compares this PKI object with another for equality. Two objects are considered equal if their DER encodings are identical.
Parameters
- other: PkiBase<any>
  The other PKI object to compare with
Returns boolean
true if the objects are equal, false otherwise
Inherited from PkiBase.equals
- Defined in packages/pki-lite/src/core/PkiBase.ts:122

getExtensionByName

getExtensionByName(
    name:
        | "SUBJECT_KEY_IDENTIFIER"
        | "KEY_USAGE"
        | "SUBJECT_ALT_NAME"
        | "BASIC_CONSTRAINTS"
        | "CRL_NUMBER"
        | "CRL_DISTRIBUTION_POINTS"
        | "CERTIFICATE_POLICIES"
        | "AUTHORITY_KEY_IDENTIFIER"
        | "EXTENDED_KEY_USAGE"
        | "AUTHORITY_INFO_ACCESS"
        | "CRL_REASON_CODE",
): undefined
| Extension
Parameters
- name:
      | "SUBJECT_KEY_IDENTIFIER"
      | "KEY_USAGE"
      | "SUBJECT_ALT_NAME"
      | "BASIC_CONSTRAINTS"
      | "CRL_NUMBER"
      | "CRL_DISTRIBUTION_POINTS"
      | "CERTIFICATE_POLICIES"
      | "AUTHORITY_KEY_IDENTIFIER"
      | "EXTENDED_KEY_USAGE"
      | "AUTHORITY_INFO_ACCESS"
      | "CRL_REASON_CODE"
Returns undefined | Extension
- Defined in packages/pki-lite/src/x509/Certificate.ts:349

getExtensionByOid

getExtensionByOid(oid: string): undefined | Extension
Parameters
- oid: string
Returns undefined | Extension
- Defined in packages/pki-lite/src/x509/Certificate.ts:345

getExtensionsByName

getExtensionsByName(
    name:
        | "SUBJECT_KEY_IDENTIFIER"
        | "KEY_USAGE"
        | "SUBJECT_ALT_NAME"
        | "BASIC_CONSTRAINTS"
        | "CRL_NUMBER"
        | "CRL_DISTRIBUTION_POINTS"
        | "CERTIFICATE_POLICIES"
        | "AUTHORITY_KEY_IDENTIFIER"
        | "EXTENDED_KEY_USAGE"
        | "AUTHORITY_INFO_ACCESS"
        | "CRL_REASON_CODE",
): Extension[]
Parameters
- name:
      | "SUBJECT_KEY_IDENTIFIER"
      | "KEY_USAGE"
      | "SUBJECT_ALT_NAME"
      | "BASIC_CONSTRAINTS"
      | "CRL_NUMBER"
      | "CRL_DISTRIBUTION_POINTS"
      | "CERTIFICATE_POLICIES"
      | "AUTHORITY_KEY_IDENTIFIER"
      | "EXTENDED_KEY_USAGE"
      | "AUTHORITY_INFO_ACCESS"
      | "CRL_REASON_CODE"
Returns Extension[]
- Defined in packages/pki-lite/src/x509/Certificate.ts:359

getExtensionsByOid

getExtensionsByOid(oid: string): Extension[]
Parameters
- oid: string
Returns Extension[]
- Defined in packages/pki-lite/src/x509/Certificate.ts:355

getHash

getHash(algorithm?: HashAlgorithm): Promise<Uint8Array<ArrayBufferLike>>
Parameters
- algorithm: HashAlgorithm = 'SHA-1'
Returns Promise<Uint8Array<ArrayBufferLike>>
- Defined in packages/pki-lite/src/x509/Certificate.ts:220

getIssuerSerial

getIssuerSerial(): IssuerSerial
Returns IssuerSerial
- Defined in packages/pki-lite/src/x509/Certificate.ts:226

getSubjectPublicKeyInfo

getSubjectPublicKeyInfo(): SubjectPublicKeyInfo
Returns SubjectPublicKeyInfo
- Defined in packages/pki-lite/src/x509/Certificate.ts:363

isIssuedBy

isIssuedBy(issuer: Certificate): Promise<boolean>
Parameters
- issuer: Certificate
Returns Promise<boolean>
- Defined in packages/pki-lite/src/x509/Certificate.ts:564

isSelfSigned

isSelfSigned(): Promise<boolean>
Returns Promise<boolean>
- Defined in packages/pki-lite/src/x509/Certificate.ts:582

parseAs

parseAs<T>(type: ParseableAsn1<T>): T
Parses this object as a different PKI type. Useful for converting between related PKI structures.
Type Parameters
- T
  The target type to parse as
Parameters
- type: ParseableAsn1<T>
  The target type constructor with parsing capabilities
Returns T
A new instance of the target type
Inherited from PkiBase.parseAs
- Defined in packages/pki-lite/src/core/PkiBase.ts:134

requestCrl

requestCrl(
options?: { crlDistributionPointUrls?: string[] },
): Promise<undefined | CertificateList>
Parameters
- Optionaloptions: { crlDistributionPointUrls?: string[] }
Returns Promise<undefined | CertificateList>
- Defined in packages/pki-lite/src/x509/Certificate.ts:367

requestIssuerCertificate

requestIssuerCertificate(
options?: { issuerCertificateUrls?: string[] },
): Promise<undefined | Certificate>
Parameters
- Optionaloptions: { issuerCertificateUrls?: string[] }
Returns Promise<undefined | Certificate>
- Defined in packages/pki-lite/src/x509/Certificate.ts:498

requestOcsp

requestOcsp(
    options?: {
        issuerCertificate?: Certificate;
        issuerCertificateUrls?: string[];
        ocspResponderUrls?: string[];
    },
): Promise<undefined | OCSPResponse>
Parameters
- Optionaloptions: {
      issuerCertificate?: Certificate;
      issuerCertificateUrls?: string[];
      ocspResponderUrls?: string[];
  }
Returns Promise<undefined | OCSPResponse>
- Defined in packages/pki-lite/src/x509/Certificate.ts:424

toAsn1

toAsn1(): Asn1BaseBlock
Converts the certificate to an ASN.1 structure.

Returns Asn1BaseBlock
Overrides PkiBase.toAsn1
- Defined in packages/pki-lite/src/x509/Certificate.ts:133

toDer

toDer(): Uint8Array
Converts this PKI object to DER (Distinguished Encoding Rules) format.

Returns Uint8Array
The DER-encoded bytes of this object
Inherited from PkiBase.toDer
- Defined in packages/pki-lite/src/core/PkiBase.ts:100

toHumanString

toHumanString(): string
Returns a human-readable string representation of this object. By default, returns the same as toString(), but subclasses can override for more user-friendly output.

Returns string
A human-readable string representation
Inherited from PkiBase.toHumanString
- Defined in packages/pki-lite/src/core/PkiBase.ts:90

toJSON

toJSON(): ToJson<T>
Converts this object to a JSON representation.

Returns ToJson<T>
A JSON-serializable representation of this object
Inherited from PkiBase.toJSON
- Defined in packages/pki-lite/src/core/PkiBase.ts:69

toPem

toPem(): string
Converts this PKI object to PEM (Privacy-Enhanced Mail) format.

Returns string
A PEM-encoded string with appropriate headers
Inherited from PkiBase.toPem
- Defined in packages/pki-lite/src/core/PkiBase.ts:109

toString

toString(): string
Returns a string representation of this PKI object. Includes the type name and ASN.1 structure.

Returns string
A string representation for debugging
Inherited from PkiBase.toString
- Defined in packages/pki-lite/src/core/PkiBase.ts:79

validate

validate(
options?: CertificateValidationOptions,
): Promise<CertificateValidationResult>
Parameters
- Optionaloptions: CertificateValidationOptions
Returns Promise<CertificateValidationResult>
- Defined in packages/pki-lite/src/x509/Certificate.ts:586

`Static`createCertificate

createCertificate(
    options: {
        algorithm?: AsymmetricEncryptionAlgorithmParams;
        extensions?: Extension[];
        issuer: Certificate;
        privateKeyInfo: PrivateKeyInfo;
        serialNumber?: Uint8Array<ArrayBufferLike>;
        subject: string | RDNSequence;
        subjectPublicKeyInfo: SubjectPublicKeyInfo;
        validity: { notAfter: Date; notBefore: Date };
    },
): Promise<Certificate>
Parameters
- options: {
      algorithm?: AsymmetricEncryptionAlgorithmParams;
      extensions?: Extension[];
      issuer: Certificate;
      privateKeyInfo: PrivateKeyInfo;
      serialNumber?: Uint8Array<ArrayBufferLike>;
      subject: string | RDNSequence;
      subjectPublicKeyInfo: SubjectPublicKeyInfo;
      validity: { notAfter: Date; notBefore: Date };
  }
Returns Promise<Certificate>
- Defined in packages/pki-lite/src/x509/Certificate.ts:284

`Static`createSelfSigned

createSelfSigned(
    options: {
        algorithm?: AsymmetricEncryptionAlgorithmParams;
        extensions?: Extension[];
        privateKeyInfo: PrivateKeyInfo;
        subject: string | RDNSequence;
        subjectPublicKeyInfo: SubjectPublicKeyInfo;
        validity: { notAfter: Date; notBefore: Date };
    },
): Promise<Certificate>
Parameters
- options: {
      algorithm?: AsymmetricEncryptionAlgorithmParams;
      extensions?: Extension[];
      privateKeyInfo: PrivateKeyInfo;
      subject: string | RDNSequence;
      subjectPublicKeyInfo: SubjectPublicKeyInfo;
      validity: { notAfter: Date; notBefore: Date };
  }
Returns Promise<Certificate>
- Defined in packages/pki-lite/src/x509/Certificate.ts:230

`Static`fromAsn1

fromAsn1(asn1: Asn1BaseBlock): Certificate
Creates a Certificate from an ASN.1 structure.
Parameters
- asn1: Asn1BaseBlock
  The ASN.1 structure
Returns Certificate
The Certificate
- Defined in packages/pki-lite/src/x509/Certificate.ts:150

`Static`fromDer

fromDer(der: Uint8Array): Certificate
Parameters
- der: Uint8Array
Returns Certificate
- Defined in packages/pki-lite/src/x509/Certificate.ts:212

`Static`fromPem

fromPem(pem: string): Certificate
Parameters
- pem: string
Returns Certificate
- Defined in packages/pki-lite/src/x509/Certificate.ts:216

Class Certificate

Asn

Example

Hierarchy (View Summary)

Index

Constructors

Properties

Accessors

Methods

Constructors

constructor

Parameters

signatureAlgorithm: AlgorithmIdentifier

signatureValue: Uint8Array<ArrayBufferLike> | BitString

tbsCertificate: TBSCertificate

Returns Certificate

Properties

signatureAlgorithm

signatureValue

tbsCertificate

StaticTBSCertificate

Accessors

pemHeader

Returns string

pkiType

Returns string

Methods

equals

Parameters

Returns boolean

getExtensionByName

Parameters

Returns undefined | Extension

getExtensionByOid

Parameters

Returns undefined | Extension

getExtensionsByName

Parameters

Returns Extension[]

getExtensionsByOid

Parameters

Returns Extension[]

getHash

Parameters

Returns Promise<Uint8Array<ArrayBufferLike>>

getIssuerSerial

Returns IssuerSerial

getSubjectPublicKeyInfo

Returns SubjectPublicKeyInfo

isIssuedBy

Parameters

Returns Promise<boolean>

isSelfSigned

Returns Promise<boolean>

parseAs

Type Parameters

Parameters

Returns T

requestCrl

Parameters

Returns Promise<undefined | CertificateList>

requestIssuerCertificate

Parameters

Returns Promise<undefined | Certificate>

requestOcsp

Parameters

Returns Promise<undefined | OCSPResponse>

toAsn1

Returns Asn1BaseBlock

toDer

Returns Uint8Array

toHumanString

Returns string

toJSON

Returns ToJson<T>

toPem

Returns string

toString

Returns string

validate

`Static`TBSCertificate

`Static`createCertificate

`Static`createSelfSigned

`Static`fromAsn1

`Static`fromDer

`Static`fromPem