node-opcua-pki 3.0.2 → 3.1.1

package/lib/misc/subject.ts

@@ -1,141 +1,141 @@
-// ---------------------------------------------------------------------------------------------------------------------
-// node-opcua-pki
-// ---------------------------------------------------------------------------------------------------------------------
-// Copyright (c) 2014-2022 - Etienne Rossignon - etienne.rossignon (at) gadz.org
-// Copyright (c) 2022 - Sterfive.com
-// ---------------------------------------------------------------------------------------------------------------------
-//
-// This  project is licensed under the terms of the MIT license.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
-// documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
-// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
-// permit persons to whom the Software is furnished to do so,  subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
-// Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
-// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-// ---------------------------------------------------------------------------------------------------------------------
-
-export interface SubjectOptions {
-    commonName?: string;
-    organization?: string;
-    organizationalUnit?: string;
-    locality?: string;
-    state?: string;
-    country?: string;
-    domainComponent?: string;
-}
-
-const _keys = {
-    C: "country",
-    CN: "commonName",
-    DC: "domainComponent",
-    L: "locality",
-    O: "organization",
-    OU: "organizationalUnit",
-    ST: "state",
-};
-
-const enquoteIfNecessary = (str: string) => {
-    str = str.replace(/"/g, "”");
-    return str.match(/\/|=/) ? `"${str}"` : str;
-};
-const unquote = (str: string) => str.replace(/"/gm, "");
-const unquote2 = (str?: string | undefined) => {
-    if (!str) return str;
-    const m = str.match(/^"(.*)"$/);
-    return m ? m[1] : str;
-};
-/**
- * subjectName	The subject name to use for the Certificate.
- * If not specified the ApplicationName and/or domainNames are used to create a suitable default value.
- */
-export class Subject implements SubjectOptions {
-    public readonly commonName?: string;
-    public readonly organization?: string;
-    public readonly organizationalUnit?: string;
-    public readonly locality?: string;
-    public readonly state?: string;
-    public readonly country?: string;
-    public readonly domainComponent?: string;
-
-    constructor(options: SubjectOptions | string) {
-        if (typeof options === "string") {
-            options = Subject.parse(options);
-        }
-        this.commonName = unquote2(options.commonName);
-        this.organization = unquote2(options.organization);
-        this.organizationalUnit = unquote2(options.organizationalUnit);
-        this.locality = unquote2(options.locality);
-        this.state = unquote2(options.state);
-        this.country = unquote2(options.country);
-        this.domainComponent = unquote2(options.domainComponent);
-    }
-
-    public static parse(str: string): SubjectOptions {
-        const elements = str.split(/\/(?=[^/]*?=)/);
-        const options: Record<string, unknown> = {};
-
-        elements.forEach((element: string) => {
-            if (element.length === 0) {
-                return;
-            }
-            const s: string[] = element.split("=");
-
-            if (s.length !== 2) {
-                throw new Error("invalid format for " + element);
-            }
-            const longName = (_keys as Record<string, string>)[s[0]];
-            if (!longName) {
-                throw new Error("Invalid field found in subject name " + s[0]);
-            }
-            const value = s[1];
-            options[longName] = unquote(Buffer.from(value, "ascii").toString("utf8"));
-        });
-        return options as SubjectOptions;
-    }
-
-    public toStringForOPCUA(): string {
-        // https://reference.opcfoundation.org/v104/GDS/docs/7.6.4/
-        // The format of the subject name is a sequence of name value pairs separated by a ‘/’.
-        // The name shall be one of ‘CN’, ‘O’, ‘OU’, ‘DC’, ‘L’, ‘S’ or ‘C’ and
-        // shall be followed by a ‘=’ and then followed by the value.
-        // The value may be any printable character except for ‘”’.
-        // If the value contains a ‘/’ or a ‘=’ then it shall be enclosed in double quotes (‘”’).
-
-        const tmp: string[] = [];
-        if (this.country) {
-            tmp.push("C=" + enquoteIfNecessary(this.country));
-        }
-        if (this.state) {
-            tmp.push("ST=" + enquoteIfNecessary(this.state));
-        }
-        if (this.locality) {
-            tmp.push("L=" + enquoteIfNecessary(this.locality));
-        }
-        if (this.organization) {
-            tmp.push("O=" + enquoteIfNecessary(this.organization));
-        }
-        if (this.organizationalUnit) {
-            tmp.push("OU=" + enquoteIfNecessary(this.organizationalUnit));
-        }
-        if (this.commonName) {
-            tmp.push("CN=" + enquoteIfNecessary(this.commonName));
-        }
-        if (this.domainComponent) {
-            tmp.push("DC=" + enquoteIfNecessary(this.domainComponent));
-        }
-        return tmp.join("/");
-    }
-    public toString(): string {
-        // standard for SSL is to have a / in front of each Field
-        // see https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
-        const t = this.toStringForOPCUA();
-        return t ? "/" + t : t;
-    }
-}
+// ---------------------------------------------------------------------------------------------------------------------
+// node-opcua-pki
+// ---------------------------------------------------------------------------------------------------------------------
+// Copyright (c) 2014-2022 - Etienne Rossignon - etienne.rossignon (at) gadz.org
+// Copyright (c) 2022 - Sterfive.com
+// ---------------------------------------------------------------------------------------------------------------------
+//
+// This  project is licensed under the terms of the MIT license.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+// documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so,  subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+// Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+// ---------------------------------------------------------------------------------------------------------------------
+
+export interface SubjectOptions {
+    commonName?: string;
+    organization?: string;
+    organizationalUnit?: string;
+    locality?: string;
+    state?: string;
+    country?: string;
+    domainComponent?: string;
+}
+
+const _keys = {
+    C: "country",
+    CN: "commonName",
+    DC: "domainComponent",
+    L: "locality",
+    O: "organization",
+    OU: "organizationalUnit",
+    ST: "state",
+};
+
+const enquoteIfNecessary = (str: string) => {
+    str = str.replace(/"/g, "”");
+    return str.match(/\/|=/) ? `"${str}"` : str;
+};
+const unquote = (str: string) => str.replace(/"/gm, "");
+const unquote2 = (str?: string | undefined) => {
+    if (!str) return str;
+    const m = str.match(/^"(.*)"$/);
+    return m ? m[1] : str;
+};
+/**
+ * subjectName	The subject name to use for the Certificate.
+ * If not specified the ApplicationName and/or domainNames are used to create a suitable default value.
+ */
+export class Subject implements SubjectOptions {
+    public readonly commonName?: string;
+    public readonly organization?: string;
+    public readonly organizationalUnit?: string;
+    public readonly locality?: string;
+    public readonly state?: string;
+    public readonly country?: string;
+    public readonly domainComponent?: string;
+
+    constructor(options: SubjectOptions | string) {
+        if (typeof options === "string") {
+            options = Subject.parse(options);
+        }
+        this.commonName = unquote2(options.commonName);
+        this.organization = unquote2(options.organization);
+        this.organizationalUnit = unquote2(options.organizationalUnit);
+        this.locality = unquote2(options.locality);
+        this.state = unquote2(options.state);
+        this.country = unquote2(options.country);
+        this.domainComponent = unquote2(options.domainComponent);
+    }
+
+    public static parse(str: string): SubjectOptions {
+        const elements = str.split(/\/(?=[^/]*?=)/);
+        const options: Record<string, unknown> = {};
+
+        elements.forEach((element: string) => {
+            if (element.length === 0) {
+                return;
+            }
+            const s: string[] = element.split("=");
+
+            if (s.length !== 2) {
+                throw new Error("invalid format for " + element);
+            }
+            const longName = (_keys as Record<string, string>)[s[0]];
+            if (!longName) {
+                throw new Error("Invalid field found in subject name " + s[0]);
+            }
+            const value = s[1];
+            options[longName] = unquote(Buffer.from(value, "ascii").toString("utf8"));
+        });
+        return options as SubjectOptions;
+    }
+
+    public toStringForOPCUA(): string {
+        // https://reference.opcfoundation.org/v104/GDS/docs/7.6.4/
+        // The format of the subject name is a sequence of name value pairs separated by a ‘/’.
+        // The name shall be one of ‘CN’, ‘O’, ‘OU’, ‘DC’, ‘L’, ‘S’ or ‘C’ and
+        // shall be followed by a ‘=’ and then followed by the value.
+        // The value may be any printable character except for ‘”’.
+        // If the value contains a ‘/’ or a ‘=’ then it shall be enclosed in double quotes (‘”’).
+
+        const tmp: string[] = [];
+        if (this.country) {
+            tmp.push("C=" + enquoteIfNecessary(this.country));
+        }
+        if (this.state) {
+            tmp.push("ST=" + enquoteIfNecessary(this.state));
+        }
+        if (this.locality) {
+            tmp.push("L=" + enquoteIfNecessary(this.locality));
+        }
+        if (this.organization) {
+            tmp.push("O=" + enquoteIfNecessary(this.organization));
+        }
+        if (this.organizationalUnit) {
+            tmp.push("OU=" + enquoteIfNecessary(this.organizationalUnit));
+        }
+        if (this.commonName) {
+            tmp.push("CN=" + enquoteIfNecessary(this.commonName));
+        }
+        if (this.domainComponent) {
+            tmp.push("DC=" + enquoteIfNecessary(this.domainComponent));
+        }
+        return tmp.join("/");
+    }
+    public toString(): string {
+        // standard for SSL is to have a / in front of each Field
+        // see https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
+        const t = this.toStringForOPCUA();
+        return t ? "/" + t : t;
+    }
+}

package/lib/pki/certificate_manager.ts

@@ -397,7 +397,7 @@ export class CertificateManager {
                 if (!issuerCertificate) {
                     // if the certificate is not self-signed we ust have a issuer.
                     // but no Issuer is not found
-                    return VerificationStatus.BadSecurityChecksFailed;
+                    return VerificationStatus.BadCertificateChainIncomplete;
                 }
                 const issuerStatus = await this._innerVerifyCertificateAsync(issuerCertificate, true, level + 1);
                 if (issuerStatus === VerificationStatus.BadCertificateRevocationUnknown) {

package/lib/pki/common.ts

@@ -1,5 +1,5 @@
-export type KeySize = 1024 | 2048 | 3072 | 4096;
-export type Thumbprint = string;
-export type Filename = string;
-export type CertificateStatus = "unknown" | "trusted" | "rejected";
-export type ErrorCallback = (err?: Error | null) => void;
+export type KeySize = 1024 | 2048 | 3072 | 4096;
+export type Thumbprint = string;
+export type Filename = string;
+export type CertificateStatus = "unknown" | "trusted" | "rejected";
+export type ErrorCallback = (err?: Error | null) => void;

package/lib/pki/templates/ca_config_template.cnf.ts

@@ -1,129 +1,129 @@
-const config =
-    "#.........DO NOT MODIFY BY HAND .........................\n" +
-    "[ ca ]\n" +
-    "default_ca               = CA_default\n" +
-    "[ CA_default ]\n" +
-    "dir                      = %%ROOT_FOLDER%%            # the main CA folder\n" +
-    "certs                    = $dir/certs                 # where to store certificates\n" +
-    "new_certs_dir            = $dir/certs                 #\n" +
-    "database                 = $dir/index.txt             # the certificate database\n" +
-    "serial                   = $dir/serial                # the serial number counter\n" +
-    "certificate              = $dir/public/cacert.pem     # The root CA certificate\n" +
-    "private_key              = $dir/private/cakey.pem     # the CA private key\n" +
-    "x509_extensions          = usr_cert                   #\n" +
-    "default_days             = 3650                       # default validity : 10 years\n" +
-    "\n" +
-    "# default_md               = sha1\n" +
-    "\n" +
-    "default_md                = sha256                      # The default digest algorithm\n" +
-    "\n" +
-    "preserve                 = no\n" +
-    "policy                   = policy_match\n" +
-    "# randfile                 = $dir/random.rnd\n" +
-    "# default_startdate        = YYMMDDHHMMSSZ\n" +
-    "# default_enddate          = YYMMDDHHMMSSZ\n" +
-    "crl_dir                  = $dir/crl\n" +
-    "crl_extensions           = crl_ext\n" +
-    "crl                      = $dir/revocation_list.crl # the Revocation list\n" +
-    "crlnumber                = $dir/crlnumber           # CRL number file\n" +
-    "default_crl_days         = 30\n" +
-    "default_crl_hours        = 24\n" +
-    "#msie_hack\n" +
-    "\n" +
-    "[ policy_match ]\n" +
-    "countryName              = optional\n" +
-    "stateOrProvinceName      = optional\n" +
-    "localityName             = optional\n" +
-    "organizationName         = optional\n" +
-    "organizationalUnitName   = optional\n" +
-    "commonName               = optional\n" +
-    "emailAddress             = optional\n" +
-    "\n" +
-    "[ req ]\n" +
-    "default_bits             = 4096                     # Size of keys\n" +
-    "default_keyfile          = key.pem                  # name of generated keys\n" +
-    "distinguished_name       = req_distinguished_name\n" +
-    "attributes               = req_attributes\n" +
-    "x509_extensions          = v3_ca\n" +
-    "#input_password\n" +
-    "#output_password\n" +
-    "string_mask              = nombstr                  # permitted characters\n" +
-    "req_extensions           = v3_req\n" +
-    "\n" +
-    "[ req_distinguished_name ]\n" +
-    "\n" +
-    "#0 countryName             = Country Name (2 letter code)\n" +
-    "# countryName_default     = FR\n" +
-    "# countryName_min         = 2\n" +
-    "# countryName_max         = 2\n" +
-    "# stateOrProvinceName     = State or Province Name (full name)\n" +
-    "# stateOrProvinceName_default = Ile de France\n" +
-    "# localityName            = Locality Name (city, district)\n" +
-    "# localityName_default    = Paris\n" +
-    "organizationName          = Organization Name (company)\n" +
-    "organizationName_default  = NodeOPCUA\n" +
-    "# organizationalUnitName  = Organizational Unit Name (department, division)\n" +
-    "# organizationalUnitName_default = R&D\n" +
-    "commonName                = Common Name (hostname, FQDN, IP, or your name)\n" +
-    "commonName_max            = 256\n" +
-    "commonName_default        = NodeOPCUA\n" +
-    "# emailAddress            = Email Address\n" +
-    "# emailAddress_max        = 40\n" +
-    "# emailAddress_default    = node-opcua (at) node-opcua (dot) com\n" +
-    "\n" +
-    "[ req_attributes ]\n" +
-    "#challengePassword        = A challenge password\n" +
-    "#challengePassword_min    = 4\n" +
-    "#challengePassword_max    = 20\n" +
-    "#unstructuredName         = An optional company name\n" +
-    "[ usr_cert ]\n" +
-    "basicConstraints          = critical, CA:FALSE\n" +
-    "subjectKeyIdentifier      = hash\n" +
-    "authorityKeyIdentifier    = keyid,issuer:always\n" +
-    "#authorityKeyIdentifier    = keyid\n" +
-    "subjectAltName            = $ENV::ALTNAME\n" +
-    "# issuerAltName            = issuer:copy\n" +
-    "nsComment                 = ''OpenSSL Generated Certificate''\n" +
-    "#nsCertType               = client, email, objsign for ''everything including object signing''\n" +
-    "#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem\n" +
-    "#nsBaseUrl                =\n" +
-    "#nsRenewalUrl             =\n" +
-    "#nsCaPolicyUrl            =\n" +
-    "#nsSslServerName          =\n" +
-    "keyUsage                  = critical, digitalSignature, nonRepudiation," +
-    " keyEncipherment, dataEncipherment, keyAgreement, keyCertSign\n" +
-    "extendedKeyUsage          = critical,serverAuth ,clientAuth\n" +
-    "\n" +
-    "[ v3_req ]\n" +
-    "basicConstraints          = critical, CA:FALSE\n" +
-    "keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\n" +
-    "extendedKeyUsage          = critical,serverAuth ,clientAuth\n" +
-    "subjectAltName            = $ENV::ALTNAME\n" +
-    "nsComment                 = \"CA Generated by Node-OPCUA Certificate utility using openssl\"\n" +
-    "[ v3_ca ]\n" +
-    "subjectKeyIdentifier      = hash\n" +
-    "authorityKeyIdentifier    = keyid:always,issuer:always\n" +
-    "# authorityKeyIdentifier    = keyid\n" +
-    "basicConstraints          = CA:TRUE\n" +
-    "keyUsage                  = critical, cRLSign, keyCertSign\n" +
-    "nsComment                 = \"CA Certificate generated by Node-OPCUA Certificate utility using openssl\"\n" +
-    "#nsCertType                 = sslCA, emailCA\n" +
-    "#subjectAltName             = email:copy\n" +
-    "#issuerAltName              = issuer:copy\n" +
-    "#obj                        = DER:02:03\n" +
-    "crlDistributionPoints     = @crl_info\n" +
-    "[ crl_info ]\n" +
-    "URI.0                     = http://localhost:8900/crl.pem\n" +
-    "[ v3_selfsigned]\n" +
-    "basicConstraints          = critical, CA:FALSE\n" +
-    "keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\n" +
-    "extendedKeyUsage          = critical,serverAuth ,clientAuth\n" +
-    "nsComment                 = \"Self-signed certificate, generated by NodeOPCUA\"\n" +
-    "subjectAltName            = $ENV::ALTNAME\n" +
-    "\n" +
-    "[ crl_ext ]\n" +
-    "#issuerAltName            = issuer:copy\n" +
-    "authorityKeyIdentifier    = keyid:always,issuer:always\n" +
-    "#authorityInfoAccess       = @issuer_info";
-
-export default config;
+const config =
+    "#.........DO NOT MODIFY BY HAND .........................\n" +
+    "[ ca ]\n" +
+    "default_ca               = CA_default\n" +
+    "[ CA_default ]\n" +
+    "dir                      = %%ROOT_FOLDER%%            # the main CA folder\n" +
+    "certs                    = $dir/certs                 # where to store certificates\n" +
+    "new_certs_dir            = $dir/certs                 #\n" +
+    "database                 = $dir/index.txt             # the certificate database\n" +
+    "serial                   = $dir/serial                # the serial number counter\n" +
+    "certificate              = $dir/public/cacert.pem     # The root CA certificate\n" +
+    "private_key              = $dir/private/cakey.pem     # the CA private key\n" +
+    "x509_extensions          = usr_cert                   #\n" +
+    "default_days             = 3650                       # default validity : 10 years\n" +
+    "\n" +
+    "# default_md               = sha1\n" +
+    "\n" +
+    "default_md                = sha256                      # The default digest algorithm\n" +
+    "\n" +
+    "preserve                 = no\n" +
+    "policy                   = policy_match\n" +
+    "# randfile                 = $dir/random.rnd\n" +
+    "# default_startdate        = YYMMDDHHMMSSZ\n" +
+    "# default_enddate          = YYMMDDHHMMSSZ\n" +
+    "crl_dir                  = $dir/crl\n" +
+    "crl_extensions           = crl_ext\n" +
+    "crl                      = $dir/revocation_list.crl # the Revocation list\n" +
+    "crlnumber                = $dir/crlnumber           # CRL number file\n" +
+    "default_crl_days         = 30\n" +
+    "default_crl_hours        = 24\n" +
+    "#msie_hack\n" +
+    "\n" +
+    "[ policy_match ]\n" +
+    "countryName              = optional\n" +
+    "stateOrProvinceName      = optional\n" +
+    "localityName             = optional\n" +
+    "organizationName         = optional\n" +
+    "organizationalUnitName   = optional\n" +
+    "commonName               = optional\n" +
+    "emailAddress             = optional\n" +
+    "\n" +
+    "[ req ]\n" +
+    "default_bits             = 4096                     # Size of keys\n" +
+    "default_keyfile          = key.pem                  # name of generated keys\n" +
+    "distinguished_name       = req_distinguished_name\n" +
+    "attributes               = req_attributes\n" +
+    "x509_extensions          = v3_ca\n" +
+    "#input_password\n" +
+    "#output_password\n" +
+    "string_mask              = nombstr                  # permitted characters\n" +
+    "req_extensions           = v3_req\n" +
+    "\n" +
+    "[ req_distinguished_name ]\n" +
+    "\n" +
+    "#0 countryName             = Country Name (2 letter code)\n" +
+    "# countryName_default     = FR\n" +
+    "# countryName_min         = 2\n" +
+    "# countryName_max         = 2\n" +
+    "# stateOrProvinceName     = State or Province Name (full name)\n" +
+    "# stateOrProvinceName_default = Ile de France\n" +
+    "# localityName            = Locality Name (city, district)\n" +
+    "# localityName_default    = Paris\n" +
+    "organizationName          = Organization Name (company)\n" +
+    "organizationName_default  = NodeOPCUA\n" +
+    "# organizationalUnitName  = Organizational Unit Name (department, division)\n" +
+    "# organizationalUnitName_default = R&D\n" +
+    "commonName                = Common Name (hostname, FQDN, IP, or your name)\n" +
+    "commonName_max            = 256\n" +
+    "commonName_default        = NodeOPCUA\n" +
+    "# emailAddress            = Email Address\n" +
+    "# emailAddress_max        = 40\n" +
+    "# emailAddress_default    = node-opcua (at) node-opcua (dot) com\n" +
+    "\n" +
+    "[ req_attributes ]\n" +
+    "#challengePassword        = A challenge password\n" +
+    "#challengePassword_min    = 4\n" +
+    "#challengePassword_max    = 20\n" +
+    "#unstructuredName         = An optional company name\n" +
+    "[ usr_cert ]\n" +
+    "basicConstraints          = critical, CA:FALSE\n" +
+    "subjectKeyIdentifier      = hash\n" +
+    "authorityKeyIdentifier    = keyid,issuer:always\n" +
+    "#authorityKeyIdentifier    = keyid\n" +
+    "subjectAltName            = $ENV::ALTNAME\n" +
+    "# issuerAltName            = issuer:copy\n" +
+    "nsComment                 = ''OpenSSL Generated Certificate''\n" +
+    "#nsCertType               = client, email, objsign for ''everything including object signing''\n" +
+    "#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem\n" +
+    "#nsBaseUrl                =\n" +
+    "#nsRenewalUrl             =\n" +
+    "#nsCaPolicyUrl            =\n" +
+    "#nsSslServerName          =\n" +
+    "keyUsage                  = critical, digitalSignature, nonRepudiation," +
+    " keyEncipherment, dataEncipherment, keyAgreement, keyCertSign\n" +
+    "extendedKeyUsage          = critical,serverAuth ,clientAuth\n" +
+    "\n" +
+    "[ v3_req ]\n" +
+    "basicConstraints          = critical, CA:FALSE\n" +
+    "keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\n" +
+    "extendedKeyUsage          = critical,serverAuth ,clientAuth\n" +
+    "subjectAltName            = $ENV::ALTNAME\n" +
+    "nsComment                 = \"CA Generated by Node-OPCUA Certificate utility using openssl\"\n" +
+    "[ v3_ca ]\n" +
+    "subjectKeyIdentifier      = hash\n" +
+    "authorityKeyIdentifier    = keyid:always,issuer:always\n" +
+    "# authorityKeyIdentifier    = keyid\n" +
+    "basicConstraints          = CA:TRUE\n" +
+    "keyUsage                  = critical, cRLSign, keyCertSign\n" +
+    "nsComment                 = \"CA Certificate generated by Node-OPCUA Certificate utility using openssl\"\n" +
+    "#nsCertType                 = sslCA, emailCA\n" +
+    "#subjectAltName             = email:copy\n" +
+    "#issuerAltName              = issuer:copy\n" +
+    "#obj                        = DER:02:03\n" +
+    "crlDistributionPoints     = @crl_info\n" +
+    "[ crl_info ]\n" +
+    "URI.0                     = http://localhost:8900/crl.pem\n" +
+    "[ v3_selfsigned]\n" +
+    "basicConstraints          = critical, CA:FALSE\n" +
+    "keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement\n" +
+    "extendedKeyUsage          = critical,serverAuth ,clientAuth\n" +
+    "nsComment                 = \"Self-signed certificate, generated by NodeOPCUA\"\n" +
+    "subjectAltName            = $ENV::ALTNAME\n" +
+    "\n" +
+    "[ crl_ext ]\n" +
+    "#issuerAltName            = issuer:copy\n" +
+    "authorityKeyIdentifier    = keyid:always,issuer:always\n" +
+    "#authorityInfoAccess       = @issuer_info";
+
+export default config;