@small-tech/auto-encrypt 4.3.0 → 5.0.0

package/lib/Certificate.js

@@ -1,17 +1,18 @@
 /**
- * Represents a Let’s Encrypt TLS certificate.
- *
- * @module
- * @copyright Copyright © 2020 Aral Balkan, Small Technology Foundation.
- * @license AGPLv3 or later.
- */
+  Represents a Let’s Encrypt TLS certificate.
+
+  @module
+  @copyright Copyright © 2020-present Aral Balkan, Small Technology Foundation.
+  @license AGPLv3 or later.
+*/
 
 import fs from 'fs'
 import tls from 'tls'
 import util from 'util'
-import moment from 'moment'
+import { Temporal } from 'temporal-polyfill'
 import log from './util/log.js'
-import { Certificate as X509Certificate } from './x.509/rfc5280.js'
+import fromNow from './util/fromNow.js'
+import { Certificate as X509Certificate, CertificateSerialNumber } from './x.509/rfc5280.js'
 import Account from './Account.js'
 import AccountIdentity from './identities/AccountIdentity.js'
 import Directory from './Directory.js'
@@ -25,18 +26,18 @@ const throws = new Throws({
 })
 
 /**
- * Represents a Let’s Encrypt TLS certificate.
- *
- * @alias module:lib/Certificate
- * @param {String[]} domains List of domains this certificate covers.
- */
+  Represents a Let’s Encrypt TLS certificate.
+
+  @alias module:lib/Certificate
+  @param {String[]} domains List of domains this certificate covers.
+*/
 export default class Certificate {
   /**
-   * Get a SecureContext that can be used in an SNICallback.
-   *
-   * @category async
-   * @returns {Promise<tls.SecureContext>} A promise for a SecureContext that can be used in creating https servers.
-   */
+    Get a SecureContext that can be used in an SNICallback.
+
+    @category async
+    @returns {Promise<tls.SecureContext>} A promise for a SecureContext that can be used in creating https servers.
+  */
   async getSecureContext () {
     if (!this.#secureContext) {
       if (this.#busyCreatingSecureContextForTheFirstTime) {
@@ -50,14 +51,14 @@ export default class Certificate {
   }
 
   /**
-   * Creates an instance of Certificate.
-   *
-   * @param {Configuration} configuration Configuration instance.
-   */
+    Creates an instance of Certificate.
+
+    @param {import('./Configuration.js').default|void} configuration Configuration instance.
+  */
   constructor (configuration = throws.ifMissing()) {
-    this.#configuration = configuration
+    this.#configuration = /** @type {import('./Configuration.js').default} */ (configuration)
     this.attemptToRecoverFromFailedRenewalAttemptIfNecessary()
-    this.#domains = configuration.domains
+    this.#domains = this.#configuration.domains
 
     // If the certificate already exists, load and cache it.
     if (fs.existsSync(this.#configuration.certificatePath)) {
@@ -67,7 +68,7 @@ export default class Certificate {
       log('   📃    ❨auto-encrypt❩ Certificate exists, loaded it (and the corresponding private key) from disk.')
       this.startCheckingForRenewal(/* alsoCheckNow = */ true)
     } else {
-      log('   📃    ❨auto-encrypt❩ Certificate does not exist; will be provisioned on first hit of the server.')
+      log('   📃    ❨auto-encrypt❩ Certificate does not exist; will be provisioned at server start.')
     }
   }
 
@@ -75,39 +76,46 @@ export default class Certificate {
   // Private.
   //
 
+  /** @type {import('./Configuration.js').default} */
   #configuration = null
   #account = null
   #accountIdentity = null
   #directory = null
   #secureContext = null
   #domains = null
-  #renewalDate = null
   #checkForRenewalIntervalId = null
   #busyCreatingSecureContextForTheFirstTime = false
 
+  /** @type {string | Buffer | Array<string | Buffer> | undefined} */
   #_pem = null
+
   #_identity = null
+
+  /**  @type {string | Buffer | Array<string | Buffer | {
+        pem: string | Buffer;
+        passphrase?: string | undefined;
+    }> | undefined} */
   #_key = null
+
   #_issuer = null
   #_subject = null
   #_alternativeNames = null
   #_serialNumber = null
   #_issueDate = null
   #_expiryDate = null
-  #_hasOcspMustStaple = null
-
-  get isProvisioned     () { return this.#_pem !== null     }
-  get pem               () { return this.#_pem              }
-  get identity          () { return this.#_identity         }
-  get key               () { return this.#_key              }
-  get serialNumber      () { return this.#_serialNumber     }
-  get issuer            () { return this.#_issuer           }
-  get subject           () { return this.#_subject          }
-  get alternativeNames  () { return this.#_alternativeNames }
-  get issueDate         () { return this.#_issueDate        }
-  get expiryDate        () { return this.#_expiryDate       }
-  get renewalDate       () { return this.#renewalDate       }
-  get hasOcspMustStaple () { return this.#_hasOcspMustStaple }
+  #_ariCertId = null
+
+  get isProvisioned     () { return this.#_pem !== null      }
+  get pem               () { return this.#_pem               }
+  get identity          () { return this.#_identity          }
+  get key               () { return this.#_key               }
+  get serialNumber      () { return this.#_serialNumber      }
+  get issuer            () { return this.#_issuer            }
+  get subject           () { return this.#_subject           }
+  get alternativeNames  () { return this.#_alternativeNames  }
+  get issueDate         () { return this.#_issueDate         }
+  get expiryDate        () { return this.#_expiryDate        }
+  get ariCertId         () { return this.#_ariCertId         }
 
   set pem (certificatePem) {
     this.#_pem = certificatePem
@@ -117,19 +125,20 @@ export default class Certificate {
     this.#_issuer            = details.issuer
     this.#_subject           = details.subject
     this.#_alternativeNames  = details.alternativeNames
-    this.#_issueDate         = moment(details.issuedAt)
-    this.#_expiryDate        = moment(details.expiresAt)
-    this.#_hasOcspMustStaple = details.hasOcspMustStaple
+    this.#_issueDate         = Temporal.Instant.from(details.issuedAt.toISOString())
+    this.#_expiryDate        = Temporal.Instant.from(details.expiresAt.toISOString())
+    this.#_ariCertId         = details.ariCertId
 
     // Display the certificate with a nice border :)
     const logMessagePrefix = '         ❨auto-encrypt❩ '
+
     let logMessageBody = [
       `Serial number    : ${details.serialNumber}`,
       `Issuer           : ${details.issuer}`,
       `Subject          : ${details.subject}`,
-      `Alternative names: ${details.alternativeNames.reduce((string, name) => `${string}, ${name}`)}`,
-      `Issued on        : ${this.issueDate.calendar().toLowerCase()} (${this.issueDate.fromNow()})`,
-      `Expires on       : ${this.expiryDate.calendar().toLowerCase()} (${this.expiryDate.fromNow()})`
+      `Alternative names: ${details.alternativeNames.reduce((/** @type { string } */ string, /** @type { string } */ name) => `${string}, ${name}`)}`,
+      `Issued on        : ${this.issueDate.toLocaleString()} (${fromNow(this.issueDate)})`,
+      `Expires on       : ${this.expiryDate.toLocaleString()} (${fromNow(this.expiryDate)})`
     ]
 
     const longestLineLength = logMessageBody.reduce((accumulator, currentValue) => currentValue.length > accumulator ? currentValue.length : accumulator, 0)
@@ -150,21 +159,20 @@ export default class Certificate {
     this.#_key = certificateIdentity.privatePEM
   }
 
-  set key              (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'key', 'set via identity')         }
-  set serialNumber     (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'serialNumber', 'set via pem')     }
-  set issuer           (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'issuer', 'set via pem')           }
-  set subject          (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'subject', 'set via pem')          }
-  set alternativeNames (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'alternativeNames', 'set via pem') }
-  set issueDate        (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'issueDate', 'set via pem')        }
-  set expiryDate       (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'expiryDate', 'set via pem')       }
-  set renewalDate      (value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'renewalDate', 'set internally')   }
+  set key              (_value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'key', 'set via identity')         }
+  set serialNumber     (_value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'serialNumber', 'set via pem')     }
+  set issuer           (_value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'issuer', 'set via pem')           }
+  set subject          (_value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'subject', 'set via pem')          }
+  set alternativeNames (_value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'alternativeNames', 'set via pem') }
+  set issueDate        (_value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'issueDate', 'set via pem')        }
+  set expiryDate       (_value) { throws.error(Symbol.for('ReadOnlyAccessorError'), 'expiryDate', 'set via pem')       }
 
   /**
-   * Check if certificate-identity.pem.old or certificate.pem.old files exist.
-   * If they do, it means that something went wrong while  certificate was trying to be
-   * renewed. So restore them and use them and hopefully the next renewal attempt will
-   * succeed or at least buy the administrator of the server some time to fix the issue.
-   */
+    Check if certificate-identity.pem.old or certificate.pem.old files exist.
+    If they do, it means that something went wrong while  certificate was trying to be
+    renewed. So restore them and use them and hopefully the next renewal attempt will
+    succeed or at least buy the administrator of the server some time to fix the issue.
+  */
   attemptToRecoverFromFailedRenewalAttemptIfNecessary () {
     const oldCertificateIdentityPath = `${this.#configuration.certificateIdentityPath}.old`
     const oldCertificatePath = `${this.#configuration.certificatePath}.old`
@@ -190,15 +198,63 @@ export default class Certificate {
   }
 
   /**
-   * Creates and caches a secure context, provisioning a TLS certificate in the process, if necessary.
-   *
-   * @category async
-   * @access private
-   * @param {Boolean} renewCertificate If true, will start the process of renewing the certificate
-   *                                   (but will continue to return the existing certificate until it is ready).
-   * @returns {Promise}                Fulfils immediately if certificate exists and does not need to be
-   *                                   renewed. Otherwise, fulfils when certificate has been provisioned.
-   */
+    Initialises the ACME request, providing an asynchronous lock to prevent race conditions.
+    
+    In Auto Encrypt, the initialisation of ACME state (AcmeRequest, Directory, Account) can be triggered by two independent events:
+
+      1. Renewal check on existing certificate at startup. When the server is created and a certificate already exists on disk, the `Certificate` constructor triggers `checkForRenewal()`. This runs in the background, calls `#initialiseAcmeRequest()`, and is not awaited by the constructor.
+
+      2. An incoming request: When the HTTPS server receives its first request, the SNICallback calls `getSecureContext()` and this, in turn, calls `createSecureContext()` and `#initialiseAcmeRequest()`.
+
+    This is why we use a shared static promise on the AcmeRequest class as a lock to ensure that initialisation only happens once.
+
+    TODO: This is no longer the case with the move to the asynchronous API for AutoEncrypt.https.createServer(). So it should be OK to remove the lock.
+  */
+  async #initialiseAcmeRequest () {
+    if (AcmeRequest.initialised && this.#directory && this.#accountIdentity && this.#account) {
+      return
+    }
+
+    if (AcmeRequest.initialisationPromise) {
+      await AcmeRequest.initialisationPromise
+    }
+
+    if (!AcmeRequest.initialised) {
+      AcmeRequest.initialisationPromise = (async () => {
+        try {
+          log('   ⚙️    ❨auto-encrypt❩ Initialising ACME request state…')
+          const directory = await Directory.getInstanceAsync(this.#configuration)
+          const accountIdentity = new AccountIdentity(this.#configuration)
+          AcmeRequest.initialise(directory, accountIdentity)
+          const account = await Account.getInstanceAsync(this.#configuration)
+          AcmeRequest.account = account
+        } catch (error) {
+          // Reset state on failure so we can try again.
+          AcmeRequest.uninitialise()
+          throw error
+        } finally {
+          AcmeRequest.initialisationPromise = null
+        }
+      })()
+      await AcmeRequest.initialisationPromise
+    }
+
+    // Populate instance references from the static AcmeRequest state.
+    this.#directory = AcmeRequest.directory
+    this.#accountIdentity = AcmeRequest.accountIdentity
+    this.#account = AcmeRequest.account
+  }
+
+  /**
+    Creates and caches a secure context, provisioning a TLS certificate in the process, if necessary.
+
+    @category async
+    @access private
+    @param {Boolean} renewCertificate If true, will start the process of renewing the certificate
+                                      (but will continue to return the existing certificate until it is ready).
+    @returns {Promise}                Fulfils immediately if certificate exists and does not need to be
+                                      renewed. Otherwise, fulfils when certificate has been provisioned.
+  */
   async createSecureContext (renewCertificate = false) {
     // If we’re provisioning a certificate for the first time,
     // block all other calls. If we’re renewing, we don’t
@@ -210,15 +266,10 @@ export default class Certificate {
 
     // If the certificate does not already exist, provision one.
     if (!this.pem || renewCertificate) {
-
       // Initialise all necessary state.
-      this.#directory = await Directory.getInstanceAsync(this.#configuration)
-      this.#accountIdentity = new AccountIdentity(this.#configuration)
-      AcmeRequest.initialise(this.#directory, this.#accountIdentity)
-      this.#account = await Account.getInstanceAsync(this.#configuration)
-      AcmeRequest.account = this.#account
+      await this.#initialiseAcmeRequest()
 
-      await this.provisionCertificate()
+      await this.provisionCertificate(renewCertificate ? this.#_ariCertId : null)
     }
 
     // Create and cache the secure context.
@@ -235,37 +286,38 @@ export default class Certificate {
 
 
   /**
-   * Provisions a new Let’s Encrypt TLS certificate, persists it, and starts checking for
-   * renewals on it every day, starting with the next day.
-   *
-   * @access private
-   * @category async
-   * @returns {Promise} Fulfils once a certificate has been provisioned.
-   */
-  async provisionCertificate () {
+    Provisions a new Let’s Encrypt TLS certificate, persists it, and starts checking for
+    renewals on it every hour, starting with the next hour.
+
+    @access private
+    @param {string|void} ariCertId
+    @category async
+    @returns {Promise} Fulfils once a certificate has been provisioned.
+  */
+  async provisionCertificate (ariCertId = throws.ifMissing()) {
     log(`   🤖    ❨auto-encrypt❩ Provisioning Let’s Encrypt certificates for ${this.#domains}.`)
 
     // Create a new order.
-    const order = await Order.getInstanceAsync(this.#configuration, this.#accountIdentity)
+    const order = await Order.createAsync(this.#configuration, this.#accountIdentity, ariCertId)
 
     // Get the certificate details from the order.
     this.pem = order.certificate
     this.identity = order.certificateIdentity
 
-    // Start checking for renewal updates, every day, starting tomorrow.
+    // Start checking for renewal updates, every hour, starting in an hour.
     this.startCheckingForRenewal(/* alsoCheckNow = */ false)
 
     log(`   🎉    ❨auto-encrypt❩ Successfully provisioned Let’s Encrypt certificate for ${this.#domains}.`)
   }
 
   /**
-   * Starts the certificate renewal process by requesting the creation of a fresh secure context.
-   *
-   * @access private
-   * @returns {Promise} Resolves once certificate is renewed and new secure context is
-   *                               created and cached.
-   * @category async
-   */
+    Starts the certificate renewal process by requesting the creation of a fresh secure context.
+
+    @access private
+    @returns {Promise} Resolves once certificate is renewed and new secure context is
+                                  created and cached.
+    @category async
+  */
   async renewCertificate () {
     //
     // Backup the existing certificate and certificate identity (*.pem → *.pem.old). Then create a new
@@ -301,88 +353,185 @@ export default class Certificate {
 
 
   /**
-   * Checks if the certificate needs to be renewed (if it is within 30 days of its expiry date) and, if so,
-   * renews it. While the method is async, the result is not awaited on usage. Instead, it is a fire-and-forget
-   * method that’s called via a daily interval.
-   *
-   * @access private
-   * @category async
-   * @returns {Promise} Fulfils immediately if certificate doesn’t need renewal. Otherwise, fulfils once certificate
-   *                    has been renewed.
-   */
-  async checkForRenewal () {
+    Checks if the certificate needs to be renewed (if it is within 30 days of its expiry date) and, if so,
+    renews it. While the method is async, the result is not awaited on usage. Instead, it is a fire-and-forget
+    method that’s called via a daily interval.
+
+    @access public
+    @category async
+    @param {boolean} [forceRenew=false] - Force renewal regardless of ARI response (for testing)
+    @returns {Promise} Fulfils immediately if certificate doesn’t need renewal. Otherwise, fulfils once certificate
+                       has been renewed.
+  */
+  async checkForRenewal (forceRenew = false) {
     log( '   🧐    ❨auto-encrypt❩ Checking if we need to renew the certificate… ')
-    const currentDate = moment()
-    if (currentDate.isSameOrAfter(this.#renewalDate)) {
-      //
-      // Certificate needs renewal.
-      //
-      log(`   🌱    ❨auto-encrypt❩ Certificate expires in 30 days or less. Renewing certificate…`)
-      // Note: this is not a blocking process. We transparently start using the new certificate
-      // when it is ready.
+
+    await this.#initialiseAcmeRequest()
+
+    if (forceRenew) {
+      log('   🚨    ❨auto-encrypt❩ Forcing renewal (forceRenew === true)')
+      await this.renewCertificate()
+      log(`   🌱    ❨auto-encrypt❩ Successfully renewed Let’s Encrypt certificate.`)
+      return
+    }
+
+    const renewalInfoUrl = AcmeRequest.directory.renewalInfoUrl
+    if (renewalInfoUrl && this.ariCertId) {
+      try {
+        const response = await fetch(`${renewalInfoUrl}/${this.ariCertId}`)
+
+        if (response.ok) {
+          const renewalInfo = await response.json()
+          const startDate = Temporal.Instant.from(renewalInfo.suggestedWindow.start)
+          const now = Temporal.Now.instant()
+          if (Temporal.Instant.compare(now, startDate) >= 0) {
+            // We’re past the start date of the renewal window. So we should renew.
+            log(`   🌱    ❨auto-encrypt❩ Certificate needs renewal (ARI). Renewing certificate…`)
+            // Note: this is not a blocking process. We transparently start using the new certificate
+            // when it is ready.
+            await this.renewCertificate()
+            log(`   🌱    ❨auto-encrypt❩ Successfully renewed Let’s Encrypt certificate.`)
+          } else {
+            log('   👍    ❨auto-encrypt❩ Certificate does not need renewal (ARI). Will check again in an hour.')
+          }
+          return
+        } else {
+          // If ARI is not supported or the certificate is not found, we fall back to expiry date check.
+          // (404 is the expected response if the server does not have renewal info for the certificate,
+          // while Pebble sometimes returns 400 if the issuer is unknown).
+          if (response.status === 404) {
+            log('   ℹ️    ❨auto-encrypt❩ No ARI renewal information found for this certificate (404). Falling back to expiry check.')
+          } else if (response.status === 400) {
+            const body = await response.json().catch(() => ({}))
+            if (body.detail && body.detail.includes('no known issuer matches')) {
+              log('   ℹ️    ❨auto-encrypt❩ ARI check: Issuer unknown to server (common when using Pebble across multiple runs). Falling back to expiry check.')
+            } else {
+              log(`   ⚠    ❨auto-encrypt❩ ARI check failed (400 Bad Request): ${body.detail || 'Unknown error'}. Falling back to expiry check.`)
+            }
+          } else {
+            log(`   ⚠    ❨auto-encrypt❩ Failed ARI check for certificate renewal (status ${response.status}). Falling back to expiry check.`)
+          }
+        }
+      } catch (error) {
+        log(`   ⚠    ❨auto-encrypt❩ Error during ARI check for certificate renewal: ${error.message}`)
+      }
+    }
+
+    // Fallback: If ARI is not supported or the check failed, use expiry date.
+    log('   🧐    ❨auto-encrypt❩ ARI not available or check failed. Falling back to expiry date check.')
+    const twoDaysInMs = 2 * 24 * 60 * 60 * 1000
+    const now = Temporal.Now.instant()
+    const expiryDate = this.expiryDate
+    const diff = expiryDate.since(now).total({ unit: 'milliseconds' })
+
+    if (diff < twoDaysInMs) {
+      log(`   🌱    ❨auto-encrypt❩ Certificate needs renewal (expiry date). Renewing certificate…`)
       await this.renewCertificate()
       log(`   🌱    ❨auto-encrypt❩ Successfully renewed Let’s Encrypt certificate.`)
     } else {
-      log('   👍    ❨auto-encrypt❩ Certificate has more than 30 days before it expires. Will check again tomorrow.')
+      log('   👍    ❨auto-encrypt❩ Certificate does not need renewal (expiry date). Will check again tomorrow.')
     }
   }
 
 
   /**
-   * Starts checking for certificate renewals every 24 hours.
-   *
-   * @param {boolean} [alsoCheckNow=false] If true, will also immediately check for renewal when the function is
-   *                                       called (use this when loading a previously-provisioned and persisted
-   *                                       certificate from disk).
-   * @category sync
-   * @access private
-   */
+    Starts checking for certificate renewals every hour (as ARI renewal
+    windows on short-lived certificates are short – 2.88 hours starting at around
+    half-way mark of the certificate’s 160 hour lifetime according to
+    https://community.letsencrypt.org/t/ari-recommendation-may-cause-renewal-outside-suggested-window/235059/25).
+
+    @param {boolean} [alsoCheckNow=false] If true, will also immediately check for renewal when the function is
+                                          called (use this when loading a previously-provisioned and persisted
+                                          certificate from disk).
+    @category sync
+    @access public
+  */
   startCheckingForRenewal (alsoCheckNow = false) {
-    //
-    // Check for certificate renewal now and then once every day from there on.
-    //
-    this.#renewalDate = this.expiryDate.clone().subtract(30, 'days')
-
     // Also check for renewal immediately if asked to.
     if (alsoCheckNow) {
       this.checkForRenewal()
     }
 
     // And also once a day from thereon for as long as the server is running.
-    const onceADay = 24 /* hours */ * 60 /* minutes */ * 60 /* seconds */ * 1000 /* ms */
-    this.#checkForRenewalIntervalId = setInterval(this.checkForRenewal.bind(this), onceADay)
+    const onceAnHour = 1 /* hours */ * 60 /* minutes */ * 60 /* seconds */ * 1000 /* ms */
+    this.#checkForRenewalIntervalId = setInterval(this.checkForRenewal.bind(this), onceAnHour)
 
-    log('   ⏰    ❨auto-encrypt❩ Set up timer to check for certificate renewal once a day.')
+    log('   ⏰    ❨auto-encrypt❩ Set up timer to check for certificate renewal (ARI) once an hour.')
   }
 
   /**
-   * Stops the timer that checks for renewal daily. Use this during housekeeping before destroying this object.
-   *
-   * @category sync
-   * @access private
-   */
+    Stops the timer that checks for renewal daily. Use this during housekeeping before destroying this object.
+
+    @category sync
+    @access public
+  */
   stopCheckingForRenewal () {
     clearInterval(this.#checkForRenewalIntervalId)
   }
 
+  /**
+    @param { Uint8Array<ArrayBuffer> | string } input
+  */
+  base64UrlEncode ( input ) {
+    const base64 = Buffer.from(typeof input === 'string' ? new TextEncoder().encode(input) : input).toString('base64')
+
+    return base64
+      .replace(/\+/g, '-') // Replace + with -
+      .replace(/\//g, '_') // Replace / with _
+      .replace(/=+$/, '')  // Remove trailing =
+  }
+
+  /**
+    @param {any} certificatePem - (Typed as any as underlying library doesn’t contain type information.)
+  */
   parseDetails (certificatePem) {
     const certificate = (X509Certificate.decode(certificatePem, 'pem', {label: 'CERTIFICATE'})).tbsCertificate
 
     const serialNumber = certificate.serialNumber
+
+    // Calculate ARI CertID as per RFC 9773 § 4.1.
+    const akiExtension = certificate.extensions.find((/** @type {{ extnID: string }} */ extension) => extension.extnID === 'authorityKeyIdentifier')
+    let ariCertId = null
+    if (akiExtension && akiExtension.extnValue.keyIdentifier) {
+      const encodedAuthorityKeyIdentifier = this.base64UrlEncode(akiExtension.extnValue.keyIdentifier)
+
+      const serialDer = CertificateSerialNumber.encode(serialNumber, 'der')
+      // SerialNumber is an INTEGER. DER for INTEGER is 02 [LENGTH] [CONTENT]
+      // We want only the content octets.
+      let contentStart = 2
+      if (serialDer[1] & 0x80) {
+        // Long form length
+        contentStart = 2 + (serialDer[1] & 0x7f)
+      }
+      const encodedSerialNumber = this.base64UrlEncode(serialDer.slice(contentStart))
+
+      ariCertId = `${encodedAuthorityKeyIdentifier}.${encodedSerialNumber}`
+    }
+
     const issuer = certificate.issuer.value[0][0].value.toString('utf-8').slice(2).trim()
     const issuedAt = new Date(certificate.validity.notBefore.value)
     const expiresAt = new Date(certificate.validity.notAfter.value)
     const subject = certificate.subject.value.length > 0 ? certificate.subject.value[0][0].value.toString('utf-8').slice(2).trim() : '(No subject)'
-    let hasOcspMustStaple = false
 
-    const alternativeNames = ((certificate.extensions.filter(extension => {
+    const alternativeNames = ((certificate.extensions.filter((/** @type {{ extnID:string }} */ extension) => {
       return extension.extnID === 'subjectAlternativeName'
-    }))[0].extnValue).map(name => name.value)
-
-    certificate.extensions.forEach(extension => {
-      if (Array.isArray(extension.extnID) && extension.extnID.join('.') === '1.3.6.1.5.5.7.1.24') {
-        hasOcspMustStaple = true
+    }))[0].extnValue).map((/** @type {{ type: string, value: any }} */ name) => {
+      if (name.type === 'iPAddress') {
+        // IPv4 or IPv6.
+        if (name.value.length === 4) {
+          // IPv4
+          return name.value.join('.')
+        } else if (name.value.length === 16) {
+          // IPv6
+          const groups = []
+          for (let i = 0; i < 16; i += 2) {
+            groups.push(name.value.readUInt16BE(i).toString(16))
+          }
+          // Note: we don’t perform IPv6 compression (RFC 5952) here as this is for a debug display.
+          return groups.join(':')
+        }
       }
+      return name.value
     })
 
     return {
@@ -392,22 +541,17 @@ export default class Certificate {
       alternativeNames,
       issuedAt,
       expiresAt,
-      hasOcspMustStaple
+      ariCertId
     }
   }
 
-  __changeRenewalDate (momentDate) {
-    log('   ⚠    ❨auto-encrypt❩ Warning: changing renewal date on the certificate instance. I hope you know what you’re doing.')
-    this.#renewalDate = momentDate
-  }
-
   get __checkForRenewalIntervalId () {
     return this.#checkForRenewalIntervalId
   }
 
   /**
-   * Custom inspection string.
-   */
+    Custom inspection string.
+  */
   [util.inspect.custom] () {
     return `# Certificate
     ${!this.isProvisioned ? 'Certificate not provisioned.' : `
@@ -416,10 +560,9 @@ export default class Certificate {
       Serial number     .serialNumber     ${this.serialNumber}
       Issuer            .issuer           ${this.issuer}
       Subject           .subject          ${this.subject}
-      Alternative names .alterNativeNames ${this.alternativeNames}
+      Alternative names .alternativeNames ${this.alternativeNames.join(', ')}
       Issue date        .issueDate        ${this.issueDate}
       Expiry date       .expiryDate       ${this.expiryDate}
-      Renewal date      .renewalDate      ${this.renewalDate}
     `}
     `
   }