How to generate X.509v3 self-signed certificate in PEM format with Node.JS

I thought this would be way harder, but thanks to the node-forge library and their perfect documentation, this was a breeze!

After some experimentation I have modified their example code to have the very basic way to generate a X.509v3 self-signed certificate in PEM format.

// import libraries
const forge = require('node-forge');
const crypto = require('crypto');
const fs = require('fs');
const pki = forge.pki;

// generate a keypair and create an X.509v3 certificate
var keys = pki.rsa.generateKeyPair(2048);
var cert = pki.createCertificate();
cert.publicKey = keys.publicKey;

// NOTE: serialNumber is the hex encoded value of an ASN.1 INTEGER.
// Conforming CAs should ensure serialNumber is:
// - no more than 20 octets
// - non-negative (prefix a '00' if your value starts with a '1' bit)
cert.serialNumber = '01' + crypto.randomBytes(19).toString("hex"); // 1 octet = 8 bits = 1 byte = 2 hex chars
cert.validity.notBefore = new Date();
cert.validity.notAfter = new Date();
cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1); // adding 1 year of validity from now
var attrs = [{
    name: 'commonName',
    value: 'example.org'
}, {
    name: 'countryName',
    value: 'US'
}, {
    shortName: 'ST',
    value: 'Texas'
}, {
    name: 'localityName',
    value: 'Austin'
}, {
    name: 'organizationName',
    value: 'Texas Toast Coffee Shop'
}, {
    shortName: 'OU',
    value: 'Test'
}];
cert.setSubject(attrs);
cert.setIssuer(attrs);
cert.setExtensions([{
    name: 'basicConstraints',
    cA: true
}, {
    name: 'keyUsage',
    keyCertSign: true,
    digitalSignature: true,
    nonRepudiation: true,
    keyEncipherment: true,
    dataEncipherment: true
}, {
    name: 'extKeyUsage',
    serverAuth: true,
    clientAuth: true,
    codeSigning: true,
    emailProtection: true,
    timeStamping: true
}, {
    name: 'nsCertType',
    client: true,
    server: true,
    email: true,
    objsign: true,
    sslCA: true,
    emailCA: true,
    objCA: true
}, {
    name: 'subjectAltName',
    altNames: [{
        type: 6, // URI
        value: 'http://texas-toast.coffee/shop'
    }, {
        type: 7, // IP
        ip: '127.0.0.1'
    }]
}, {
    name: 'subjectKeyIdentifier'
}]);

// self-sign certificate
cert.sign(keys.privateKey);

// convert a Forge certificate to PEM
var pem = pki.certificateToPem(cert);

console.log();
console.log(pem); // <-- This is what you want!
console.log();

// write it to a file
var fname = './certs/cert_' + cert.serialNumber + '.pem'
fs.writeFileSync(fname, pem);
You may change the parameters about the company information and such but that’s pretty much it.
Your console output should be similar to this:
pi@raspberrypi:~/Codes/NodeJS/tests $ sudo node gc.js 

-----BEGIN CERTIFICATE-----
MIIENzCCAx+gAwIBAgIUAcmN0yRphbdwcep7Z7Py/4zuRgswDQYJKoZIhvcNAQEF
BQAwdTEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQI
EwVUZXhhczEPMA0GA1UEBxMGQXVzdGluMSAwHgYDVQQKExdUZXhhcyBUb2FzdCBD
b2ZmZWUgU2hvcDENMAsGA1UECxMEVGVzdDAeFw0yMDExMDExMzQ3MzlaFw0yMTEx
MDExMzQ3MzlaMHUxFDASBgNVBAMTC2V4YW1wbGUub3JnMQswCQYDVQQGEwJVUzEO
MAwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1c3RpbjEgMB4GA1UEChMXVGV4YXMg
VG9hc3QgQ29mZmVlIFNob3AxDTALBgNVBAsTBFRlc3QwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDJ4Vo/5MXhuS5o4jJkbSu9WKBpCOjWyOrIo5osQ1vm
ycSj/3/A3F+4P51AdQwemEr1LiUbHhccKPX7spRFSJJs5cbAivsF1rJIOjRRdLvw
+VsqWcy+MN9ASymZq/wYAsDOKnfIMoFhjhhQ4tFOfvNvrB/oWfZ2aeX8D0uFPRtu
OlHhgW+oAlEcBL4odE9zV6Yo+GmJ8siou+kQrJZxR3zEfQcfzbvfu8YE5DHAnlxy
dxMU2o7x4BGg7miUCvY0Ki0LyBtMSFpI4vdsTWbkErK7XeRi61NycREocSPWFO0G
j1FyD2knf17So5g9zSvR5pBX3p9d6SO0qpuqHU402UF/AgMBAAGjgb4wgbswDAYD
VR0TBAUwAwEB/zALBgNVHQ8EBAMCAvQwOwYDVR0lBDQwMgYIKwYBBQUHAwEGCCsG
AQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIMBEGCWCGSAGG+EIB
AQQEAwIA9zAvBgNVHREEKDAmhh5odHRwOi8vdGV4YXMtdG9hc3QuY29mZmVlL3No
b3CHBH8AAAEwHQYDVR0OBBYEFMCcMf6MbUSnQ2ghv1XwtL2q1Gf9MA0GCSqGSIb3
DQEBBQUAA4IBAQBoRUjrfiRjoyJeJeArY2Gsiv4yZApKWi1/hykHSW4wBpSb+60u
fBz9M+YbNd6uRkMjgoBxk0pCCMy1116snZ0KSUzgCo944SqiRSLAkOpe/TCbpXqi
+igDF4DRKr4OCbPUzXB1VtZfNBc4OvU3hFAw5sv2rr/YxPmhaoh5RqtYGWw+t4b/
A9ij2T5lUprF4O3Vd8jOPmtFHKQbWEa7/lx5axxbxLM2PoEKHyK5TYEMnKbtQ2Fp
5mHnZ7Ob/po168XQcUuV6HWi2lG5jIaO8/iKwp6JhVd3D+jGyIkMj/KsjG7RE0ga
KjOOPh2g8UwLEELWe/2R4KvrRthYt5QII5Dm
-----END CERTIFICATE-----

Sources:

Leave a Comment

Your email address will not be published. Required fields are marked *