node-opcua-pki 6.10.2 → 6.11.0

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { SubjectOptions, CertificatePurpose, Subject, Certificate, DER, CertificateRevocationList } from 'node-opcua-crypto';
+import { SubjectOptions, CertificatePurpose, Subject, PrivateKey, Certificate, DER, CertificateRevocationList } from 'node-opcua-crypto';
 export { Subject, SubjectOptions } from 'node-opcua-crypto';
 import { EventEmitter } from 'node:events';
 
@@ -103,6 +103,42 @@ interface Params extends ProcessAltNamesParam, StartDateEndDateParam {
 declare function adjustDate(params: StartDateEndDateParam): void;
 declare function adjustApplicationUri(params: Params): void;
 
+/**
+ * Result of {@link CertificateAuthority.initializeCSR}.
+ *
+ * - `"ready"` — the CA certificate already exists and is valid.
+ * - `"pending"` — key + CSR exist but no cert; waiting for external signing.
+ * - `"created"` — a fresh key + CSR were just generated.
+ * - `"expired"` — the CA certificate has expired (or will expire within
+ *   the configured threshold). A new CSR has been generated for renewal
+ *   while preserving the existing private key.
+ */
+type InitializeCSRResult = {
+    status: "ready";
+} | {
+    status: "pending";
+    csrPath: string;
+} | {
+    status: "created";
+    csrPath: string;
+} | {
+    status: "expired";
+    csrPath: string;
+    expiryDate: Date;
+};
+/**
+ * Result of {@link CertificateAuthority.installCACertificate}.
+ *
+ * - `"success"` — the certificate was installed and CRL generated.
+ * - `"error"` — the certificate was rejected (see `reason`).
+ */
+type InstallCACertificateResult = {
+    status: "success";
+} | {
+    status: "error";
+    reason: string;
+    message: string;
+};
 /**
  * Options for creating a {@link CertificateAuthority}.
  */
@@ -119,6 +155,12 @@ interface CertificateAuthorityOptions {
      * @defaultValue {@link defaultSubject}
      */
     subject?: string | SubjectOptions;
+    /**
+     * Parent CA that will sign this CA's certificate.
+     * If omitted, the CA is self-signed (root CA).
+     * The parent CA must be initialized before this CA.
+     */
+    issuerCA?: CertificateAuthority;
 }
 /**
  * An OpenSSL-based Certificate Authority (CA) that can create,
@@ -167,6 +209,58 @@ interface IssuedCertificateRecord {
      */
     revocationDate?: string;
 }
+/**
+ * Options for {@link CertificateAuthority.signCertificateRequestFromDER}.
+ *
+ * All fields are optional. When provided, they override the
+ * corresponding values from the CSR.
+ */
+interface SignCertificateOptions {
+    /** Certificate validity in days (default: 365). */
+    validity?: number;
+    /** Override the certificate start date. */
+    startDate?: Date;
+    /** Override DNS SANs. */
+    dns?: string[];
+    /** Override IP SANs. */
+    ip?: string[];
+    /** Override the application URI SAN. */
+    applicationUri?: string;
+    /** Override the X.500 subject. */
+    subject?: SubjectOptions | string;
+}
+/**
+ * Options for {@link CertificateAuthority.generateKeyPairAndSignDER}.
+ */
+interface GenerateKeyPairAndSignOptions {
+    /** OPC UA application URI (required). */
+    applicationUri: string;
+    /** X.500 subject for the certificate (e.g. "CN=MyApp"). */
+    subject?: SubjectOptions | string;
+    /** DNS host names for the SAN extension. */
+    dns?: string[];
+    /** IP addresses for the SAN extension. */
+    ip?: string[];
+    /** Certificate validity in days (default: 365). */
+    validity?: number;
+    /** Certificate start date (default: now). */
+    startDate?: Date;
+    /** RSA key size in bits (default: 2048). */
+    keySize?: KeySize;
+}
+/**
+ * Options for {@link CertificateAuthority.generateKeyPairAndSignPFX}.
+ *
+ * Extends the DER options with an optional `passphrase` to protect
+ * the PFX bundle.
+ */
+interface GenerateKeyPairAndSignPFXOptions extends GenerateKeyPairAndSignOptions {
+    /**
+     * Passphrase to protect the PFX file.
+     * If omitted, the PFX is created without a password.
+     */
+    passphrase?: string;
+}
 declare class CertificateAuthority {
     /** RSA key size used when generating the CA private key. */
     readonly keySize: KeySize;
@@ -174,6 +268,8 @@ declare class CertificateAuthority {
     readonly location: string;
     /** X.500 subject of the CA certificate. */
     readonly subject: Subject;
+    /** @internal Parent CA (undefined for root CAs). */
+    readonly _issuerCA?: CertificateAuthority;
     constructor(options: CertificateAuthorityOptions);
     /** Absolute path to the CA root directory (alias for {@link location}). */
     get rootDir(): string;
@@ -181,6 +277,16 @@ declare class CertificateAuthority {
     get configFile(): string;
     /** Path to the CA certificate in PEM format (`public/cacert.pem`). */
     get caCertificate(): string;
+    /**
+     * Path to the issuer certificate chain (`public/issuer_chain.pem`).
+     *
+     * This file is created by {@link installCACertificate} when the
+     * provided cert file contains additional issuer certificates
+     * (e.g. intermediate + root). It is appended to signed certs
+     * by {@link constructCertificateChain} to produce a full chain
+     * per OPC UA Part 6 §6.2.6.
+     */
+    get issuerCertificateChain(): string;
     /**
      * Path to the current Certificate Revocation List in DER format.
      * (`crl/revocation_list.der`)
@@ -284,15 +390,46 @@ declare class CertificateAuthority {
      * internally so that callers can work with in-memory
      * buffers only.
      *
+     * The CA can override fields from the CSR by passing
+     * `options.dns`, `options.ip`, `options.applicationUri`,
+     * `options.startDate`, or `options.subject`.
+     *
      * @param csrDer - the CSR as a DER-encoded buffer
-     * @param options - signing options
-     * @param options.validity - certificate validity in days
-     *   (default: 365)
+     * @param options - signing options and CA overrides
      * @returns the signed certificate as a DER-encoded buffer
      */
-    signCertificateRequestFromDER(csrDer: Buffer, options?: {
-        validity?: number;
-    }): Promise<Buffer>;
+    signCertificateRequestFromDER(csrDer: Buffer, options?: SignCertificateOptions): Promise<Buffer>;
+    /**
+     * Generate a new RSA key pair, create an internal CSR, sign it
+     * with this CA, and return both the certificate and private key
+     * as DER-encoded buffers.
+     *
+     * The private key is **never stored** by the CA — it exists only
+     * in a temporary directory that is cleaned up after the operation.
+     *
+     * This is used by `StartNewKeyPairRequest` (OPC UA Part 12) for
+     * constrained devices that cannot generate their own keys.
+     *
+     * @param options - key generation and certificate parameters
+     * @returns `{ certificateDer, privateKey }` — certificate as DER,
+     *   private key as a branded `PrivateKey` buffer
+     */
+    generateKeyPairAndSignDER(options: GenerateKeyPairAndSignOptions): Promise<{
+        certificateDer: Buffer;
+        privateKey: PrivateKey;
+    }>;
+    /**
+     * Generate a new RSA key pair, create an internal CSR, sign it
+     * with this CA, and return the result as a PKCS#12 (PFX)
+     * buffer bundling the certificate, private key, and CA chain.
+     *
+     * The private key is **never stored** by the CA — it exists only
+     * in a temporary directory that is cleaned up after the operation.
+     *
+     * @param options - key generation, certificate, and PFX options
+     * @returns the PFX as a `Buffer`
+     */
+    generateKeyPairAndSignPFX(options: GenerateKeyPairAndSignPFXOptions): Promise<Buffer>;
     /**
      * Revoke a DER-encoded certificate and regenerate the CRL.
      *
@@ -312,6 +449,78 @@ declare class CertificateAuthority {
      * already exist.
      */
     initialize(): Promise<void>;
+    /**
+     * Initialize the CA directory structure and generate the
+     * private key + CSR **without signing**.
+     *
+     * Use this when the CA certificate will be signed by an
+     * external (third-party) root CA.  After receiving the signed
+     * certificate, call {@link installCACertificate} to complete
+     * the setup.
+     *
+     * **Idempotent / restart-safe:**
+     * - If the CA certificate exists and is valid → `{ status: "ready" }`
+     * - If the CA certificate has expired → `{ status: "expired", csrPath, expiryDate }`
+     *   (a new CSR is generated, preserving the existing private key)
+     * - If key + CSR exist but no cert (restart before install) →
+     *   `{ status: "pending", csrPath }` without regenerating
+     * - Otherwise → generates key + CSR → `{ status: "created", csrPath }`
+     *
+     * @returns an {@link InitializeCSRResult} describing the CA state
+     */
+    initializeCSR(): Promise<InitializeCSRResult>;
+    /**
+     * Check whether the CA certificate needs renewal and, if so,
+     * generate a new CSR for re-signing by the external root CA.
+     *
+     * Use this while the CA is running to detect upcoming expiry
+     * **before** it actually expires. The existing private key is
+     * preserved so previously issued certs remain valid.
+     *
+     * @param thresholdDays - number of days before expiry at which
+     *   to trigger renewal (default: 30)
+     * @returns an {@link InitializeCSRResult} — `"expired"` if
+     *   renewal is needed, `"ready"` if the cert is still valid
+     */
+    renewCSR(thresholdDays?: number): Promise<InitializeCSRResult>;
+    /**
+     * Generate a CSR using the existing private key.
+     * @internal
+     */
+    private _generateCSR;
+    /**
+     * Install an externally-signed CA certificate and generate
+     * the initial CRL.
+     *
+     * Call this after {@link initializeCSR} once the external
+     * root CA has signed the CSR.
+     *
+     * **Safety checks:**
+     * - Verifies that the certificate's public key matches the
+     *   CA private key before installing.
+     *
+     * @param signedCertFile - path to the PEM-encoded signed
+     *   CA certificate (issued by the external root CA)
+     * @returns an {@link InstallCACertificateResult} with
+     *   `status: "success"` or `status: "error"` and a `reason`
+     */
+    installCACertificate(signedCertFile: string): Promise<InstallCACertificateResult>;
+    /**
+     * Sign a CSR with CA extensions (`v3_ca`), producing a
+     * subordinate CA certificate.
+     *
+     * Unlike {@link signCertificateRequest} which signs with
+     * end-entity extensions (SANs, etc.), this method signs
+     * with `basicConstraints = CA:TRUE` and `keyUsage =
+     * keyCertSign, cRLSign`.
+     *
+     * @param certFile - output path for the signed CA cert (PEM)
+     * @param csrFile - path to the subordinate CA's CSR
+     * @param params - signing parameters
+     */
+    signCACertificateRequest(certFile: string, csrFile: string, params: {
+        validity?: number;
+    }): Promise<void>;
     /**
      * Rebuild the combined CA certificate + CRL file.
      *
@@ -1014,4 +1223,4 @@ declare function dumpPFX(pfxFile: Filename, passphrase?: string): Promise<string
  */
 declare function install_prerequisite(): Promise<string>;
 
-export { CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, quote };
+export { CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type GenerateKeyPairAndSignOptions, type GenerateKeyPairAndSignPFXOptions, type InitializeCSRResult, type InstallCACertificateResult, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type SignCertificateOptions, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, quote };

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-import { SubjectOptions, CertificatePurpose, Subject, Certificate, DER, CertificateRevocationList } from 'node-opcua-crypto';
+import { SubjectOptions, CertificatePurpose, Subject, PrivateKey, Certificate, DER, CertificateRevocationList } from 'node-opcua-crypto';
 export { Subject, SubjectOptions } from 'node-opcua-crypto';
 import { EventEmitter } from 'node:events';
 
@@ -103,6 +103,42 @@ interface Params extends ProcessAltNamesParam, StartDateEndDateParam {
 declare function adjustDate(params: StartDateEndDateParam): void;
 declare function adjustApplicationUri(params: Params): void;
 
+/**
+ * Result of {@link CertificateAuthority.initializeCSR}.
+ *
+ * - `"ready"` — the CA certificate already exists and is valid.
+ * - `"pending"` — key + CSR exist but no cert; waiting for external signing.
+ * - `"created"` — a fresh key + CSR were just generated.
+ * - `"expired"` — the CA certificate has expired (or will expire within
+ *   the configured threshold). A new CSR has been generated for renewal
+ *   while preserving the existing private key.
+ */
+type InitializeCSRResult = {
+    status: "ready";
+} | {
+    status: "pending";
+    csrPath: string;
+} | {
+    status: "created";
+    csrPath: string;
+} | {
+    status: "expired";
+    csrPath: string;
+    expiryDate: Date;
+};
+/**
+ * Result of {@link CertificateAuthority.installCACertificate}.
+ *
+ * - `"success"` — the certificate was installed and CRL generated.
+ * - `"error"` — the certificate was rejected (see `reason`).
+ */
+type InstallCACertificateResult = {
+    status: "success";
+} | {
+    status: "error";
+    reason: string;
+    message: string;
+};
 /**
  * Options for creating a {@link CertificateAuthority}.
  */
@@ -119,6 +155,12 @@ interface CertificateAuthorityOptions {
      * @defaultValue {@link defaultSubject}
      */
     subject?: string | SubjectOptions;
+    /**
+     * Parent CA that will sign this CA's certificate.
+     * If omitted, the CA is self-signed (root CA).
+     * The parent CA must be initialized before this CA.
+     */
+    issuerCA?: CertificateAuthority;
 }
 /**
  * An OpenSSL-based Certificate Authority (CA) that can create,
@@ -167,6 +209,58 @@ interface IssuedCertificateRecord {
      */
     revocationDate?: string;
 }
+/**
+ * Options for {@link CertificateAuthority.signCertificateRequestFromDER}.
+ *
+ * All fields are optional. When provided, they override the
+ * corresponding values from the CSR.
+ */
+interface SignCertificateOptions {
+    /** Certificate validity in days (default: 365). */
+    validity?: number;
+    /** Override the certificate start date. */
+    startDate?: Date;
+    /** Override DNS SANs. */
+    dns?: string[];
+    /** Override IP SANs. */
+    ip?: string[];
+    /** Override the application URI SAN. */
+    applicationUri?: string;
+    /** Override the X.500 subject. */
+    subject?: SubjectOptions | string;
+}
+/**
+ * Options for {@link CertificateAuthority.generateKeyPairAndSignDER}.
+ */
+interface GenerateKeyPairAndSignOptions {
+    /** OPC UA application URI (required). */
+    applicationUri: string;
+    /** X.500 subject for the certificate (e.g. "CN=MyApp"). */
+    subject?: SubjectOptions | string;
+    /** DNS host names for the SAN extension. */
+    dns?: string[];
+    /** IP addresses for the SAN extension. */
+    ip?: string[];
+    /** Certificate validity in days (default: 365). */
+    validity?: number;
+    /** Certificate start date (default: now). */
+    startDate?: Date;
+    /** RSA key size in bits (default: 2048). */
+    keySize?: KeySize;
+}
+/**
+ * Options for {@link CertificateAuthority.generateKeyPairAndSignPFX}.
+ *
+ * Extends the DER options with an optional `passphrase` to protect
+ * the PFX bundle.
+ */
+interface GenerateKeyPairAndSignPFXOptions extends GenerateKeyPairAndSignOptions {
+    /**
+     * Passphrase to protect the PFX file.
+     * If omitted, the PFX is created without a password.
+     */
+    passphrase?: string;
+}
 declare class CertificateAuthority {
     /** RSA key size used when generating the CA private key. */
     readonly keySize: KeySize;
@@ -174,6 +268,8 @@ declare class CertificateAuthority {
     readonly location: string;
     /** X.500 subject of the CA certificate. */
     readonly subject: Subject;
+    /** @internal Parent CA (undefined for root CAs). */
+    readonly _issuerCA?: CertificateAuthority;
     constructor(options: CertificateAuthorityOptions);
     /** Absolute path to the CA root directory (alias for {@link location}). */
     get rootDir(): string;
@@ -181,6 +277,16 @@ declare class CertificateAuthority {
     get configFile(): string;
     /** Path to the CA certificate in PEM format (`public/cacert.pem`). */
     get caCertificate(): string;
+    /**
+     * Path to the issuer certificate chain (`public/issuer_chain.pem`).
+     *
+     * This file is created by {@link installCACertificate} when the
+     * provided cert file contains additional issuer certificates
+     * (e.g. intermediate + root). It is appended to signed certs
+     * by {@link constructCertificateChain} to produce a full chain
+     * per OPC UA Part 6 §6.2.6.
+     */
+    get issuerCertificateChain(): string;
     /**
      * Path to the current Certificate Revocation List in DER format.
      * (`crl/revocation_list.der`)
@@ -284,15 +390,46 @@ declare class CertificateAuthority {
      * internally so that callers can work with in-memory
      * buffers only.
      *
+     * The CA can override fields from the CSR by passing
+     * `options.dns`, `options.ip`, `options.applicationUri`,
+     * `options.startDate`, or `options.subject`.
+     *
      * @param csrDer - the CSR as a DER-encoded buffer
-     * @param options - signing options
-     * @param options.validity - certificate validity in days
-     *   (default: 365)
+     * @param options - signing options and CA overrides
      * @returns the signed certificate as a DER-encoded buffer
      */
-    signCertificateRequestFromDER(csrDer: Buffer, options?: {
-        validity?: number;
-    }): Promise<Buffer>;
+    signCertificateRequestFromDER(csrDer: Buffer, options?: SignCertificateOptions): Promise<Buffer>;
+    /**
+     * Generate a new RSA key pair, create an internal CSR, sign it
+     * with this CA, and return both the certificate and private key
+     * as DER-encoded buffers.
+     *
+     * The private key is **never stored** by the CA — it exists only
+     * in a temporary directory that is cleaned up after the operation.
+     *
+     * This is used by `StartNewKeyPairRequest` (OPC UA Part 12) for
+     * constrained devices that cannot generate their own keys.
+     *
+     * @param options - key generation and certificate parameters
+     * @returns `{ certificateDer, privateKey }` — certificate as DER,
+     *   private key as a branded `PrivateKey` buffer
+     */
+    generateKeyPairAndSignDER(options: GenerateKeyPairAndSignOptions): Promise<{
+        certificateDer: Buffer;
+        privateKey: PrivateKey;
+    }>;
+    /**
+     * Generate a new RSA key pair, create an internal CSR, sign it
+     * with this CA, and return the result as a PKCS#12 (PFX)
+     * buffer bundling the certificate, private key, and CA chain.
+     *
+     * The private key is **never stored** by the CA — it exists only
+     * in a temporary directory that is cleaned up after the operation.
+     *
+     * @param options - key generation, certificate, and PFX options
+     * @returns the PFX as a `Buffer`
+     */
+    generateKeyPairAndSignPFX(options: GenerateKeyPairAndSignPFXOptions): Promise<Buffer>;
     /**
      * Revoke a DER-encoded certificate and regenerate the CRL.
      *
@@ -312,6 +449,78 @@ declare class CertificateAuthority {
      * already exist.
      */
     initialize(): Promise<void>;
+    /**
+     * Initialize the CA directory structure and generate the
+     * private key + CSR **without signing**.
+     *
+     * Use this when the CA certificate will be signed by an
+     * external (third-party) root CA.  After receiving the signed
+     * certificate, call {@link installCACertificate} to complete
+     * the setup.
+     *
+     * **Idempotent / restart-safe:**
+     * - If the CA certificate exists and is valid → `{ status: "ready" }`
+     * - If the CA certificate has expired → `{ status: "expired", csrPath, expiryDate }`
+     *   (a new CSR is generated, preserving the existing private key)
+     * - If key + CSR exist but no cert (restart before install) →
+     *   `{ status: "pending", csrPath }` without regenerating
+     * - Otherwise → generates key + CSR → `{ status: "created", csrPath }`
+     *
+     * @returns an {@link InitializeCSRResult} describing the CA state
+     */
+    initializeCSR(): Promise<InitializeCSRResult>;
+    /**
+     * Check whether the CA certificate needs renewal and, if so,
+     * generate a new CSR for re-signing by the external root CA.
+     *
+     * Use this while the CA is running to detect upcoming expiry
+     * **before** it actually expires. The existing private key is
+     * preserved so previously issued certs remain valid.
+     *
+     * @param thresholdDays - number of days before expiry at which
+     *   to trigger renewal (default: 30)
+     * @returns an {@link InitializeCSRResult} — `"expired"` if
+     *   renewal is needed, `"ready"` if the cert is still valid
+     */
+    renewCSR(thresholdDays?: number): Promise<InitializeCSRResult>;
+    /**
+     * Generate a CSR using the existing private key.
+     * @internal
+     */
+    private _generateCSR;
+    /**
+     * Install an externally-signed CA certificate and generate
+     * the initial CRL.
+     *
+     * Call this after {@link initializeCSR} once the external
+     * root CA has signed the CSR.
+     *
+     * **Safety checks:**
+     * - Verifies that the certificate's public key matches the
+     *   CA private key before installing.
+     *
+     * @param signedCertFile - path to the PEM-encoded signed
+     *   CA certificate (issued by the external root CA)
+     * @returns an {@link InstallCACertificateResult} with
+     *   `status: "success"` or `status: "error"` and a `reason`
+     */
+    installCACertificate(signedCertFile: string): Promise<InstallCACertificateResult>;
+    /**
+     * Sign a CSR with CA extensions (`v3_ca`), producing a
+     * subordinate CA certificate.
+     *
+     * Unlike {@link signCertificateRequest} which signs with
+     * end-entity extensions (SANs, etc.), this method signs
+     * with `basicConstraints = CA:TRUE` and `keyUsage =
+     * keyCertSign, cRLSign`.
+     *
+     * @param certFile - output path for the signed CA cert (PEM)
+     * @param csrFile - path to the subordinate CA's CSR
+     * @param params - signing parameters
+     */
+    signCACertificateRequest(certFile: string, csrFile: string, params: {
+        validity?: number;
+    }): Promise<void>;
     /**
      * Rebuild the combined CA certificate + CRL file.
      *
@@ -1014,4 +1223,4 @@ declare function dumpPFX(pfxFile: Filename, passphrase?: string): Promise<string
  */
 declare function install_prerequisite(): Promise<string>;
 
-export { CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, quote };
+export { CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type GenerateKeyPairAndSignOptions, type GenerateKeyPairAndSignPFXOptions, type InitializeCSRResult, type InstallCACertificateResult, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type SignCertificateOptions, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, quote };