Usage in Deno
import { X509Certificate } from "node:crypto";
Encapsulates an X509 certificate and provides read-only access to its information.
const { X509Certificate } = await import('node:crypto');
const x509 = new X509Certificate('{... pem encoded cert ...}');
console.log(x509.subject);
X509Certificate(buffer: BinaryLike)
ca: boolean
Will be `true` if this is a Certificate Authority (CA) certificate.
fingerprint: string
The SHA-1 fingerprint of this certificate.
Because SHA-1 is cryptographically broken and because the security of SHA-1 is
significantly worse than that of algorithms that are commonly used to sign
certificates, consider using x509.fingerprint256
instead.
fingerprint256: string
The SHA-256 fingerprint of this certificate.
fingerprint512: string
The SHA-512 fingerprint of this certificate.
Because computing the SHA-256 fingerprint is usually faster and because it is
only half the size of the SHA-512 fingerprint, x509.fingerprint256
may be
a better choice. While SHA-512 presumably provides a higher level of security in
general, the security of SHA-256 matches that of most algorithms that are
commonly used to sign certificates.
infoAccess: string | undefined
A textual representation of the certificate's authority information access extension.
This is a line feed separated list of access descriptions. Each line begins with the access method and the kind of the access location, followed by a colon and the value associated with the access location.
After the prefix denoting the access method and the kind of the access location, the remainder of each line might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.
issuer: string
The issuer identification included in this certificate.
issuerCertificate: X509Certificate | undefined
The issuer certificate or undefined
if the issuer certificate is not
available.
keyUsage: string[]
An array detailing the key usages for this certificate.
raw: Buffer
A Buffer
containing the DER encoding of this certificate.
serialNumber: string
The serial number of this certificate.
Serial numbers are assigned by certificate authorities and do not uniquely
identify certificates. Consider using x509.fingerprint256
as a unique
identifier instead.
subject: string
The complete subject of this certificate.
subjectAltName: string | undefined
The subject alternative name specified for this certificate.
This is a comma-separated list of subject alternative names. Each entry begins with a string identifying the kind of the subject alternative name followed by a colon and the value associated with the entry.
Earlier versions of Node.js incorrectly assumed that it is safe to split this
property at the two-character sequence ', '
(see CVE-2021-44532). However,
both malicious and legitimate certificates can contain subject alternative names
that include this sequence when represented as a string.
After the prefix denoting the type of the entry, the remainder of each entry might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.
validFrom: string
The date/time from which this certificate is considered valid.
validTo: string
The date/time until which this certificate is considered valid.
checkEmail(email: string,options?: Pick<X509CheckOptions, "subject">,): string | undefined
Checks whether the certificate matches the given email address.
If the 'subject'
option is undefined or set to 'default'
, the certificate
subject is only considered if the subject alternative name extension either does
not exist or does not contain any email addresses.
If the 'subject'
option is set to 'always'
and if the subject alternative
name extension either does not exist or does not contain a matching email
address, the certificate subject is considered.
If the 'subject'
option is set to 'never'
, the certificate subject is never
considered, even if the certificate contains no subject alternative names.
checkHost(name: string,options?: X509CheckOptions,): string | undefined
Checks whether the certificate matches the given host name.
If the certificate matches the given host name, the matching subject name is
returned. The returned name might be an exact match (e.g., foo.example.com
)
or it might contain wildcards (e.g., *.example.com
). Because host name
comparisons are case-insensitive, the returned subject name might also differ
from the given name
in capitalization.
If the 'subject'
option is undefined or set to 'default'
, the certificate
subject is only considered if the subject alternative name extension either does
not exist or does not contain any DNS names. This behavior is consistent with RFC 2818 ("HTTP Over TLS").
If the 'subject'
option is set to 'always'
and if the subject alternative
name extension either does not exist or does not contain a matching DNS name,
the certificate subject is considered.
If the 'subject'
option is set to 'never'
, the certificate subject is never
considered, even if the certificate contains no subject alternative names.
checkIP(ip: string): string | undefined
Checks whether the certificate matches the given IP address (IPv4 or IPv6).
Only RFC 5280 iPAddress
subject alternative names are considered, and they
must match the given ip
address exactly. Other subject alternative names as
well as the subject field of the certificate are ignored.
checkIssued(otherCert: X509Certificate): boolean
Checks whether this certificate was issued by the given otherCert
.
checkPrivateKey(privateKey: KeyObject): boolean
Checks whether the public key for this certificate is consistent with the given private key.
toJSON(): string
There is no standard JSON encoding for X509 certificates. ThetoJSON()
method returns a string containing the PEM encoded
certificate.
Returns information about this certificate using the legacy certificate object
encoding.
toString(): string
Returns the PEM-encoded certificate.