Class X509Certificate

Encapsulates an X509 certificate and provides read-only access to its information.

const { X509Certificate } = await import('node:crypto');

const x509 = new X509Certificate('{... pem encoded cert ...}');

console.log(x509.subject);

Since

v15.6.0

Hierarchy

  • X509Certificate

Constructors

constructor

Properties

ca fingerprint fingerprint256 fingerprint512 infoAccess issuer issuerCertificate? keyUsage publicKey raw serialNumber subject subjectAltName validFrom validTo

Methods

checkEmail checkHost checkIP checkIssued checkPrivateKey toJSON toLegacyObject toString verify

Constructors

constructor

Properties

Readonly ca

ca: boolean

Will be true if this is a Certificate Authority (CA) certificate.

Since

v15.6.0

Readonly fingerprint

fingerprint: string

The SHA-1 fingerprint of this certificate.

Because SHA-1 is cryptographically broken and because the security of SHA-1 is significantly worse than that of algorithms that are commonly used to sign certificates, consider using x509.fingerprint256 instead.

Since

v15.6.0

Readonly fingerprint256

fingerprint256: string

The SHA-256 fingerprint of this certificate.

Since

v15.6.0

Readonly fingerprint512

fingerprint512: string

The SHA-512 fingerprint of this certificate.

Because computing the SHA-256 fingerprint is usually faster and because it is only half the size of the SHA-512 fingerprint, x509.fingerprint256 may be a better choice. While SHA-512 presumably provides a higher level of security in general, the security of SHA-256 matches that of most algorithms that are commonly used to sign certificates.

Since

v17.2.0, v16.14.0

Readonly infoAccess

infoAccess: undefined | string

A textual representation of the certificate's authority information access extension.

This is a line feed separated list of access descriptions. Each line begins with the access method and the kind of the access location, followed by a colon and the value associated with the access location.

After the prefix denoting the access method and the kind of the access location, the remainder of each line might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.

Since

v15.6.0

Readonly issuer

issuer: string

The issuer identification included in this certificate.

Since

v15.6.0

Optional Readonly issuerCertificate

issuerCertificate?: X509Certificate

The issuer certificate or undefined if the issuer certificate is not available.

Since

v15.9.0

Readonly keyUsage

keyUsage: string[]

An array detailing the key usages for this certificate.

Since

v15.6.0

Readonly publicKey

publicKey: KeyObject

The public key KeyObject for this certificate.

Since

v15.6.0

Readonly raw

raw: Buffer

A Buffer containing the DER encoding of this certificate.

Since

v15.6.0

Readonly serialNumber

serialNumber: string

The serial number of this certificate.

Serial numbers are assigned by certificate authorities and do not uniquely identify certificates. Consider using x509.fingerprint256 as a unique identifier instead.

Since

v15.6.0

Readonly subject

subject: string

The complete subject of this certificate.

Since

v15.6.0

Readonly subjectAltName

subjectAltName: undefined | string

The subject alternative name specified for this certificate.

This is a comma-separated list of subject alternative names. Each entry begins with a string identifying the kind of the subject alternative name followed by a colon and the value associated with the entry.

Earlier versions of Node.js incorrectly assumed that it is safe to split this property at the two-character sequence ', ' (see CVE-2021-44532). However, both malicious and legitimate certificates can contain subject alternative names that include this sequence when represented as a string.

After the prefix denoting the type of the entry, the remainder of each entry might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.

Since

v15.6.0

Readonly validFrom

validFrom: string

The date/time from which this certificate is considered valid.

Since

v15.6.0

Readonly validTo

validTo: string

The date/time until which this certificate is considered valid.

Since

v15.6.0

Methods

checkEmail

  • Checks whether the certificate matches the given email address.

    If the 'subject' option is undefined or set to 'default', the certificate subject is only considered if the subject alternative name extension either does not exist or does not contain any email addresses.

    If the 'subject' option is set to 'always' and if the subject alternative name extension either does not exist or does not contain a matching email address, the certificate subject is considered.

    If the 'subject' option is set to 'never', the certificate subject is never considered, even if the certificate contains no subject alternative names.

    Parameters

    Returns undefined | string

    Returns email if the certificate matches, undefined if it does not.

    Since

    v15.6.0

checkHost

  • Checks whether the certificate matches the given host name.

    If the certificate matches the given host name, the matching subject name is returned. The returned name might be an exact match (e.g., foo.example.com) or it might contain wildcards (e.g., *.example.com). Because host name comparisons are case-insensitive, the returned subject name might also differ from the given name in capitalization.

    If the 'subject' option is undefined or set to 'default', the certificate subject is only considered if the subject alternative name extension either does not exist or does not contain any DNS names. This behavior is consistent with RFC 2818 ("HTTP Over TLS").

    If the 'subject' option is set to 'always' and if the subject alternative name extension either does not exist or does not contain a matching DNS name, the certificate subject is considered.

    If the 'subject' option is set to 'never', the certificate subject is never considered, even if the certificate contains no subject alternative names.

    Parameters

    Returns undefined | string

    Returns a subject name that matches name, or undefined if no subject name matches name.

    Since

    v15.6.0

checkIP

  • Checks whether the certificate matches the given IP address (IPv4 or IPv6).

    Only RFC 5280 iPAddress subject alternative names are considered, and they must match the given ip address exactly. Other subject alternative names as well as the subject field of the certificate are ignored.

    Parameters

    • ip: string

    Returns undefined | string

    Returns ip if the certificate matches, undefined if it does not.

    Since

    v15.6.0

checkIssued

  • Checks whether this certificate was issued by the given otherCert.

    Parameters

    Returns boolean

    Since

    v15.6.0

checkPrivateKey

  • Checks whether the public key for this certificate is consistent with the given private key.

    Parameters

    Returns boolean

    Since

    v15.6.0

toJSON

  • There is no standard JSON encoding for X509 certificates. ThetoJSON() method returns a string containing the PEM encoded certificate.

    Returns string

    Since

    v15.6.0

toLegacyObject

  • Returns information about this certificate using the legacy certificate object encoding.

    Returns PeerCertificate

    Since

    v15.6.0

toString

  • Returns the PEM-encoded certificate.

    Returns string

    Since

    v15.6.0

verify

  • Verifies that this certificate was signed by the given public key. Does not perform any other validation checks on the certificate.

    Parameters

    Returns boolean

    Since

    v15.6.0

Settings

Member Visibility

Theme

On This Page

Generated using TypeDoc