node-opcua-pki 6.10.2 → 6.11.0

package/dist/index.mjs

@@ -1,20 +1,27 @@
 // packages/node-opcua-pki/lib/ca/certificate_authority.ts
-import assert6 from "assert";
-import fs6 from "fs";
+import assert7 from "assert";
+import fs7 from "fs";
 import os3 from "os";
 import path5 from "path";
 import chalk5 from "chalk";
 import {
+  CertificatePurpose,
+  certificateMatchesPrivateKey,
   convertPEMtoDER,
   exploreCertificate,
   exploreCertificateSigningRequest,
   generatePrivateKeyFile,
   readCertificatePEM,
   readCertificateSigningRequest,
+  readPrivateKey,
   Subject as Subject2,
   toPem
 } from "node-opcua-crypto";
 
+// packages/node-opcua-pki/lib/pki/toolbox_pfx.ts
+import assert4 from "assert";
+import fs4 from "fs";
+
 // packages/node-opcua-pki/lib/toolbox/common.ts
 import assert from "assert";
 function quote(str) {
@@ -91,30 +98,13 @@ function makePath(folderName, filename) {
   return s;
 }
 
-// packages/node-opcua-pki/lib/toolbox/display.ts
-import chalk2 from "chalk";
-function displayTitle(str) {
-  if (!g_config.silent) {
-    warningLog("");
-    warningLog(chalk2.yellowBright(str));
-    warningLog(chalk2.yellow(new Array(str.length + 1).join("=")), "\n");
-  }
-}
-function displaySubtitle(str) {
-  if (!g_config.silent) {
-    warningLog("");
-    warningLog(`    ${chalk2.yellowBright(str)}`);
-    warningLog(`    ${chalk2.white(new Array(str.length + 1).join("-"))}`, "\n");
-  }
-}
-function display(str) {
-  if (!g_config.silent) {
-    warningLog(`       ${str}`);
-  }
-}
-
-// packages/node-opcua-pki/lib/toolbox/with_openssl/index.ts
-import exp from "constants";
+// packages/node-opcua-pki/lib/toolbox/with_openssl/execute_openssl.ts
+import assert3 from "assert";
+import child_process2 from "child_process";
+import fs3 from "fs";
+import os2 from "os";
+import byline2 from "byline";
+import chalk3 from "chalk";
 
 // packages/node-opcua-pki/lib/toolbox/with_openssl/_env.ts
 var exportedEnvVars = {};
@@ -155,22 +145,6 @@ function processAltNames(params) {
   setEnv("ALTNAME", subjectAltNameString);
 }
 
-// packages/node-opcua-pki/lib/toolbox/with_openssl/create_certificate_signing_request.ts
-import assert5 from "assert";
-import fs5 from "fs";
-import path4 from "path";
-
-// packages/node-opcua-pki/lib/misc/subject.ts
-import { Subject } from "node-opcua-crypto";
-
-// packages/node-opcua-pki/lib/toolbox/with_openssl/execute_openssl.ts
-import assert3 from "assert";
-import child_process2 from "child_process";
-import fs3 from "fs";
-import os2 from "os";
-import byline2 from "byline";
-import chalk4 from "chalk";
-
 // packages/node-opcua-pki/lib/toolbox/with_openssl/install_prerequisite.ts
 import child_process from "child_process";
 import fs2 from "fs";
@@ -178,7 +152,7 @@ import os from "os";
 import path2 from "path";
 import url from "url";
 import byline from "byline";
-import chalk3 from "chalk";
+import chalk2 from "chalk";
 import ProgressBar from "progress";
 import wget from "wget-improved-2";
 import yauzl from "yauzl";
@@ -196,7 +170,7 @@ function makeOptions() {
         proxyAuth: auth
       }
     };
-    warningLog(chalk3.green("- using proxy "), proxy);
+    warningLog(chalk2.green("- using proxy "), proxy);
     warningLog(options);
     return options;
   }
@@ -225,7 +199,7 @@ async function execute(cmd, cwd) {
       output += `${line}
 `;
       if (doDebug2) {
-        process.stdout.write(`        stdout ${chalk3.yellow(line)}
+        process.stdout.write(`        stdout ${chalk2.yellow(line)}
 `);
       }
     });
@@ -248,8 +222,8 @@ async function getopensslExecPath() {
   const exitCode = result1?.exitCode;
   const output = result1?.output;
   if (exitCode !== 0) {
-    warningLog(chalk3.yellow(" it seems that ") + chalk3.cyan("openssl") + chalk3.yellow(" is not installed on your computer "));
-    warningLog(chalk3.yellow("Please install it before running this programs"));
+    warningLog(chalk2.yellow(" it seems that ") + chalk2.cyan("openssl") + chalk2.yellow(" is not installed on your computer "));
+    warningLog(chalk2.yellow("Please install it before running this programs"));
     throw new Error("Cannot find openssl");
   }
   const opensslExecPath = output.replace(/\n\r/g, "").trim();
@@ -259,7 +233,7 @@ async function check_system_openssl_version() {
   const opensslExecPath = await getopensslExecPath();
   const q_opensslExecPath = quote2(opensslExecPath);
   if (doDebug2) {
-    warningLog(`              OpenSSL found in : ${chalk3.yellow(opensslExecPath)}`);
+    warningLog(`              OpenSSL found in : ${chalk2.yellow(opensslExecPath)}`);
   }
   const result = await execute(`${q_opensslExecPath} version`);
   const exitCode = result?.exitCode;
@@ -267,9 +241,9 @@ async function check_system_openssl_version() {
   const version = output.trim();
   const versionOK = exitCode === 0 && is_expected_openssl_version(version);
   if (!versionOK) {
-    let message = chalk3.whiteBright("Warning !!!!!!!!!!!! ") + "\nyour version of openssl is " + version + ". It doesn't match the expected version";
+    let message = chalk2.whiteBright("Warning !!!!!!!!!!!! ") + "\nyour version of openssl is " + version + ". It doesn't match the expected version";
     if (process.platform === "darwin") {
-      message += chalk3.cyan("\nplease refer to :") + chalk3.yellow(" https://github.com/node-opcua/node-opcua/wiki/installing-node-opcua-or-node-red-on-MacOS");
+      message += chalk2.cyan("\nplease refer to :") + chalk2.yellow(" https://github.com/node-opcua/node-opcua/wiki/installing-node-opcua-or-node-red-on-MacOS");
     }
     console.log(message);
   }
@@ -295,7 +269,7 @@ async function install_and_check_win32_openssl_version() {
     const exists = fs2.existsSync(opensslExecPath2);
     if (!exists) {
       warningLog("checking presence of ", opensslExecPath2);
-      warningLog(chalk3.red(" cannot find file ") + opensslExecPath2);
+      warningLog(chalk2.red(" cannot find file ") + opensslExecPath2);
       return {
         opensslOk: false,
         version: `cannot find file ${opensslExecPath2}`
@@ -329,12 +303,12 @@ async function install_and_check_win32_openssl_version() {
   async function download_openssl() {
     const url2 = win32or64() === 64 ? "https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-x64_86-win64.zip" : "https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-i386-win32.zip";
     const outputFilename = path2.join(downloadFolder, path2.basename(url2));
-    warningLog(`downloading ${chalk3.yellow(url2)} to ${outputFilename}`);
+    warningLog(`downloading ${chalk2.yellow(url2)} to ${outputFilename}`);
     if (fs2.existsSync(outputFilename)) {
       return { downloadedFile: outputFilename };
     }
     const options = makeOptions();
-    const bar = new ProgressBar(chalk3.cyan("[:bar]") + chalk3.cyan(" :percent ") + chalk3.white(":etas"), {
+    const bar = new ProgressBar(chalk2.cyan("[:bar]") + chalk2.cyan(" :percent ") + chalk2.white(":etas"), {
       complete: "=",
       incomplete: " ",
       total: 100,
@@ -416,21 +390,21 @@ async function install_and_check_win32_openssl_version() {
   }
   const { opensslOk, version: _version } = await check_openssl_win32();
   if (!opensslOk) {
-    warningLog(chalk3.yellow("openssl seems to be missing and need to be installed"));
+    warningLog(chalk2.yellow("openssl seems to be missing and need to be installed"));
     const { downloadedFile } = await download_openssl();
     if (doDebug2) {
-      warningLog("deflating ", chalk3.yellow(downloadedFile));
+      warningLog("deflating ", chalk2.yellow(downloadedFile));
     }
     await unzip_openssl(downloadedFile);
     const opensslExists = !!fs2.existsSync(opensslExecPath);
     if (doDebug2) {
-      warningLog("verifying ", opensslExists, opensslExists ? chalk3.green("OK ") : chalk3.red(" Error"), opensslExecPath);
+      warningLog("verifying ", opensslExists, opensslExists ? chalk2.green("OK ") : chalk2.red(" Error"), opensslExecPath);
     }
     const _opensslExecPath2 = await check_openssl_win32();
     return opensslExecPath;
   } else {
     if (doDebug2) {
-      warningLog(chalk3.green("openssl is already installed and have the expected version."));
+      warningLog(chalk2.green("openssl is already installed and have the expected version."));
     }
     return opensslExecPath;
   }
@@ -461,7 +435,7 @@ async function execute2(cmd, options) {
   const from = new Error();
   options.cwd = options.cwd || process.cwd();
   if (!g_config.silent) {
-    warningLog(chalk4.cyan("                  CWD         "), options.cwd);
+    warningLog(chalk3.cyan("                  CWD         "), options.cwd);
   }
   const outputs = [];
   return await new Promise((resolve, reject) => {
@@ -475,10 +449,10 @@ async function execute2(cmd, options) {
         if (err) {
           if (!options.hideErrorMessage) {
             const fence = "###########################################";
-            console.error(chalk4.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));
-            console.error(chalk4.bgWhiteBright.redBright(`CWD = ${options.cwd}`));
-            console.error(chalk4.bgWhiteBright.redBright(err.message));
-            console.error(chalk4.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));
+            console.error(chalk3.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));
+            console.error(chalk3.bgWhiteBright.redBright(`CWD = ${options.cwd}`));
+            console.error(chalk3.bgWhiteBright.redBright(err.message));
+            console.error(chalk3.bgWhiteBright.redBright(`${fence} OPENSSL ERROR ${fence}`));
             console.error(from.stack);
           }
           reject(new Error(err.message));
@@ -497,7 +471,7 @@ async function execute2(cmd, options) {
         stream2.on("data", (line) => {
           line = line.toString();
           if (doDebug) {
-            process.stdout.write(`${chalk4.white("        stdout ") + chalk4.whiteBright(line)}
+            process.stdout.write(`${chalk3.white("        stdout ") + chalk3.whiteBright(line)}
 `);
           }
         });
@@ -509,7 +483,7 @@ async function execute2(cmd, options) {
         stream1.on("data", (line) => {
           line = line.toString();
           if (displayError) {
-            process.stdout.write(`${chalk4.white("        stderr ") + chalk4.red(line)}
+            process.stdout.write(`${chalk3.white("        stderr ") + chalk3.red(line)}
 `);
           }
         });
@@ -553,17 +527,107 @@ async function execute_openssl(cmd, options) {
   assert3(options.openssl_conf);
   setEnv("OPENSSL_CONF", options.openssl_conf);
   if (!g_config.silent) {
-    warningLog(chalk4.cyan("                  OPENSSL_CONF"), process.env.OPENSSL_CONF);
-    warningLog(chalk4.cyan("                  RANDFILE    "), process.env.RANDFILE);
-    warningLog(chalk4.cyan("                  CMD         openssl "), chalk4.cyanBright(cmd));
+    warningLog(chalk3.cyan("                  OPENSSL_CONF"), process.env.OPENSSL_CONF);
+    warningLog(chalk3.cyan("                  RANDFILE    "), process.env.RANDFILE);
+    warningLog(chalk3.cyan("                  CMD         openssl "), chalk3.cyanBright(cmd));
   }
   await ensure_openssl_installed();
   return await execute2(`${quote(opensslPath)} ${cmd}`, options);
 }
 
+// packages/node-opcua-pki/lib/pki/toolbox_pfx.ts
+var q = quote;
+var n2 = makePath;
+async function createPFX(options) {
+  const { certificateFile, privateKeyFile, outputFile, passphrase = "", caCertificateFiles } = options;
+  assert4(fs4.existsSync(certificateFile), `Certificate file does not exist: ${certificateFile}`);
+  assert4(fs4.existsSync(privateKeyFile), `Private key file does not exist: ${privateKeyFile}`);
+  let cmd = `pkcs12 -export`;
+  cmd += ` -in ${q(n2(certificateFile))}`;
+  cmd += ` -inkey ${q(n2(privateKeyFile))}`;
+  if (caCertificateFiles) {
+    for (const caFile of caCertificateFiles) {
+      assert4(fs4.existsSync(caFile), `CA certificate file does not exist: ${caFile}`);
+      cmd += ` -certfile ${q(n2(caFile))}`;
+    }
+  }
+  cmd += ` -out ${q(n2(outputFile))}`;
+  cmd += ` -passout pass:${passphrase}`;
+  await execute_openssl(cmd, {});
+}
+async function extractCertificateFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  assert4(fs4.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q(n2(pfxFile))} -clcerts -nokeys -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractPrivateKeyFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  assert4(fs4.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q(n2(pfxFile))} -nocerts -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractCACertificatesFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  assert4(fs4.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q(n2(pfxFile))} -cacerts -nokeys -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractAllFromPFX(options) {
+  const [certificate, privateKey, caCertificates] = await Promise.all([
+    extractCertificateFromPFX(options),
+    extractPrivateKeyFromPFX(options),
+    extractCACertificatesFromPFX(options)
+  ]);
+  return { certificate, privateKey, caCertificates };
+}
+async function convertPFXtoPEM(pfxFile, pemFile, passphrase = "") {
+  assert4(fs4.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q(n2(pfxFile))} -out ${q(n2(pemFile))} -nodes -passin pass:${passphrase}`;
+  await execute_openssl(cmd, {});
+}
+async function dumpPFX(pfxFile, passphrase = "") {
+  assert4(fs4.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q(n2(pfxFile))} -info -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+
+// packages/node-opcua-pki/lib/toolbox/display.ts
+import chalk4 from "chalk";
+function displayTitle(str) {
+  if (!g_config.silent) {
+    warningLog("");
+    warningLog(chalk4.yellowBright(str));
+    warningLog(chalk4.yellow(new Array(str.length + 1).join("=")), "\n");
+  }
+}
+function displaySubtitle(str) {
+  if (!g_config.silent) {
+    warningLog("");
+    warningLog(`    ${chalk4.yellowBright(str)}`);
+    warningLog(`    ${chalk4.white(new Array(str.length + 1).join("-"))}`, "\n");
+  }
+}
+function display(str) {
+  if (!g_config.silent) {
+    warningLog(`       ${str}`);
+  }
+}
+
+// packages/node-opcua-pki/lib/toolbox/with_openssl/index.ts
+import exp from "constants";
+
+// packages/node-opcua-pki/lib/toolbox/with_openssl/create_certificate_signing_request.ts
+import assert6 from "assert";
+import fs6 from "fs";
+import path4 from "path";
+
+// packages/node-opcua-pki/lib/misc/subject.ts
+import { Subject } from "node-opcua-crypto";
+
 // packages/node-opcua-pki/lib/toolbox/with_openssl/toolbox.ts
-import assert4 from "assert";
-import fs4 from "fs";
+import assert5 from "assert";
+import fs5 from "fs";
 import path3 from "path";
 function openssl_require2DigitYearInDate() {
   if (!g_config.opensslVersion) {
@@ -578,13 +642,13 @@ var _counter = 0;
 function generateStaticConfig(configPath, options) {
   const prePath = options?.cwd || "";
   const originalFilename = !path3.isAbsolute(configPath) ? path3.join(prePath, configPath) : configPath;
-  let staticConfig = fs4.readFileSync(originalFilename, { encoding: "utf8" });
+  let staticConfig = fs5.readFileSync(originalFilename, { encoding: "utf8" });
   for (const envVar of getEnvironmentVarNames()) {
     staticConfig = staticConfig.replace(new RegExp(envVar.pattern, "gi"), getEnv(envVar.key));
   }
   const staticConfigPath = `${configPath}.${process.pid}-${_counter++}.tmp`;
   const temporaryConfigPath = !path3.isAbsolute(configPath) ? path3.join(prePath, staticConfigPath) : staticConfigPath;
-  fs4.writeFileSync(temporaryConfigPath, staticConfig);
+  fs5.writeFileSync(temporaryConfigPath, staticConfig);
   if (options?.cwd) {
     return path3.relative(options.cwd, temporaryConfigPath);
   } else {
@@ -609,8 +673,38 @@ function x509Date(date) {
   }
 }
 
+// packages/node-opcua-pki/lib/toolbox/with_openssl/create_certificate_signing_request.ts
+var q2 = quote;
+var n3 = makePath;
+async function createCertificateSigningRequestWithOpenSSL(certificateSigningRequestFilename, params) {
+  assert6(params);
+  assert6(params.rootDir);
+  assert6(params.configFile);
+  assert6(params.privateKey);
+  assert6(typeof params.privateKey === "string");
+  assert6(fs6.existsSync(params.configFile), `config file must exist ${params.configFile}`);
+  assert6(fs6.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
+  assert6(fs6.existsSync(params.rootDir), "RootDir key must exist");
+  assert6(typeof certificateSigningRequestFilename === "string");
+  processAltNames(params);
+  const configFile = generateStaticConfig(params.configFile, { cwd: params.rootDir });
+  const options = { cwd: params.rootDir, openssl_conf: path4.relative(params.rootDir, configFile) };
+  const configOption = ` -config ${q2(n3(configFile))}`;
+  const subject = params.subject ? new Subject(params.subject).toString() : void 0;
+  const subjectOptions = subject ? ` -subj "${subject}"` : "";
+  displaySubtitle("- Creating a Certificate Signing Request with openssl");
+  await execute_openssl(
+    "req -new  -sha256  -batch  -text " + configOption + " -key " + q2(n3(params.privateKey)) + subjectOptions + " -out " + q2(n3(certificateSigningRequestFilename)),
+    options
+  );
+}
+
+// packages/node-opcua-pki/lib/pki/templates/simple_config_template.cnf.ts
+var config = '##################################################################################################\n## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\n################################################################################################################\n\ndistinguished_name       = req_distinguished_name\ndefault_md               = sha1\n\ndefault_md                = sha256                      # The default digest algorithm\n\n[ v3_ca ]\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier      = keyid:always,issuer:always\n\n# authorityKeyIdentifier    = keyid\nbasicConstraints            = CA:TRUE\nkeyUsage                    = critical, cRLSign, keyCertSign\nnsComment                   = "Self-signed Certificate for CA generated by Node-OPCUA Certificate utility"\n#nsCertType                 = sslCA, emailCA\n#subjectAltName             = email:copy\n#issuerAltName              = issuer:copy\n#obj                        = DER:02:03\n# crlDistributionPoints       = @crl_info\n# [ crl_info ]\n# URI.0                     = http://localhost:8900/crl.pem\nsubjectAltName              = $ENV::ALTNAME\n\n[ req ]\ndays                      = 390\nreq_extensions            = v3_req\nx509_extensions           = v3_ca\n\n[v3_req]\nbasicConstraints       = CA:false\nkeyUsage               = critical, cRLSign, keyCertSign\nsubjectAltName         = $ENV::ALTNAME\n\n[ v3_ca_signed]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "certificate generated by Node-OPCUA Certificate utility and signed by a CA"\nsubjectAltName            = $ENV::ALTNAME\n[ v3_selfsigned]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "Self-signed certificate generated by Node-OPCUA Certificate utility"\nsubjectAltName            = $ENV::ALTNAME\n[ req_distinguished_name ]\ncountryName             = Country Name (2 letter code)\ncountryName_default     = FR\ncountryName_min         = 2\ncountryName_max         = 2\n# stateOrProvinceName     = State or Province Name (full name)\n# stateOrProvinceName_default = Ile de France\n# localityName            = Locality Name (city, district)\n# localityName_default    = Paris\norganizationName          = Organization Name (company)\norganizationName_default  = NodeOPCUA\n# organizationalUnitName  = Organizational Unit Name (department, division)\n# organizationalUnitName_default = R&D\ncommonName                = Common Name (hostname, FQDN, IP, or your name)\ncommonName_max            = 256\ncommonName_default        = NodeOPCUA\n# emailAddress            = Email Address\n# emailAddress_max        = 40\n# emailAddress_default    = node-opcua (at) node-opcua (dot) com\nsubjectAltName            = $ENV::ALTNAME';
+var simple_config_template_cnf_default = config;
+
 // packages/node-opcua-pki/lib/ca/templates/ca_config_template.cnf.ts
-var config = `#.........DO NOT MODIFY BY HAND .........................
+var config2 = `#.........DO NOT MODIFY BY HAND .........................
 [ ca ]
 default_ca               = CA_default
 [ CA_default ]
@@ -739,22 +833,23 @@ subjectAltName            = $ENV::ALTNAME
 #issuerAltName            = issuer:copy
 authorityKeyIdentifier    = keyid:always,issuer:always
 #authorityInfoAccess       = @issuer_info`;
-var ca_config_template_cnf_default = config;
+var ca_config_template_cnf_default = config2;
 
 // packages/node-opcua-pki/lib/ca/certificate_authority.ts
 var defaultSubject = "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA";
 var configurationFileTemplate = ca_config_template_cnf_default;
-var config2 = {
+var configurationFileSimpleTemplate = simple_config_template_cnf_default;
+var config3 = {
   certificateDir: "INVALID",
   forceCA: false,
   pkiDir: "INVALID"
 };
-var n2 = makePath;
-var q = quote;
+var n4 = makePath;
+var q3 = quote;
 function octetStringToIpAddress(a) {
   return parseInt(a.substring(0, 2), 16).toString() + "." + parseInt(a.substring(2, 4), 16).toString() + "." + parseInt(a.substring(4, 6), 16).toString() + "." + parseInt(a.substring(6, 8), 16).toString();
 }
-assert6(octetStringToIpAddress("c07b9179") === "192.123.145.121");
+assert7(octetStringToIpAddress("c07b9179") === "192.123.145.121");
 async function construct_CertificateAuthority(certificateAuthority) {
   const subject = certificateAuthority.subject;
   const caRootDir = path5.resolve(certificateAuthority.rootDir);
@@ -769,49 +864,49 @@ async function construct_CertificateAuthority(certificateAuthority) {
   await make_folders();
   async function construct_default_files() {
     const serial = path5.join(caRootDir, "serial");
-    if (!fs6.existsSync(serial)) {
-      await fs6.promises.writeFile(serial, "1000");
+    if (!fs7.existsSync(serial)) {
+      await fs7.promises.writeFile(serial, "1000");
     }
     const crlNumber = path5.join(caRootDir, "crlnumber");
-    if (!fs6.existsSync(crlNumber)) {
-      await fs6.promises.writeFile(crlNumber, "1000");
+    if (!fs7.existsSync(crlNumber)) {
+      await fs7.promises.writeFile(crlNumber, "1000");
     }
     const indexFile = path5.join(caRootDir, "index.txt");
-    if (!fs6.existsSync(indexFile)) {
-      await fs6.promises.writeFile(indexFile, "");
+    if (!fs7.existsSync(indexFile)) {
+      await fs7.promises.writeFile(indexFile, "");
     }
   }
   await construct_default_files();
-  const caKeyExists = fs6.existsSync(path5.join(caRootDir, "private/cakey.pem"));
-  const caCertExists = fs6.existsSync(path5.join(caRootDir, "public/cacert.pem"));
-  if (caKeyExists && caCertExists && !config2.forceCA) {
+  const caKeyExists = fs7.existsSync(path5.join(caRootDir, "private/cakey.pem"));
+  const caCertExists = fs7.existsSync(path5.join(caRootDir, "public/cacert.pem"));
+  if (caKeyExists && caCertExists && !config3.forceCA) {
     debugLog("CA private key and certificate already exist ... skipping");
     return;
   }
   if (caKeyExists && !caCertExists) {
     debugLog("CA private key exists but cacert.pem is missing \u2014 rebuilding CA");
-    fs6.unlinkSync(path5.join(caRootDir, "private/cakey.pem"));
+    fs7.unlinkSync(path5.join(caRootDir, "private/cakey.pem"));
     const staleCsr = path5.join(caRootDir, "private/cakey.csr");
-    if (fs6.existsSync(staleCsr)) {
-      fs6.unlinkSync(staleCsr);
+    if (fs7.existsSync(staleCsr)) {
+      fs7.unlinkSync(staleCsr);
     }
   }
   displayTitle("Create Certificate Authority (CA)");
   const indexFileAttr = path5.join(caRootDir, "index.txt.attr");
-  if (!fs6.existsSync(indexFileAttr)) {
-    await fs6.promises.writeFile(indexFileAttr, "unique_subject = no");
+  if (!fs7.existsSync(indexFileAttr)) {
+    await fs7.promises.writeFile(indexFileAttr, "unique_subject = no");
   }
   const caConfigFile = certificateAuthority.configFile;
   if (1) {
     let data = configurationFileTemplate;
     data = makePath(data.replace(/%%ROOT_FOLDER%%/, caRootDir));
-    await fs6.promises.writeFile(caConfigFile, data);
+    await fs7.promises.writeFile(caConfigFile, data);
   }
   const subjectOpt = ` -subj "${subject.toString()}" `;
   processAltNames({});
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
-  const configOption = ` -config ${q(n2(configFile))}`;
+  const configOption = ` -config ${q3(n4(configFile))}`;
   const keySize = certificateAuthority.keySize;
   const privateKeyFilename = path5.join(caRootDir, "private/cakey.pem");
   const csrFilename = path5.join(caRootDir, "private/cakey.csr");
@@ -819,14 +914,26 @@ async function construct_CertificateAuthority(certificateAuthority) {
   await generatePrivateKeyFile(privateKeyFilename, keySize);
   displayTitle("Generate a certificate request for the CA key");
   await execute_openssl(
-    "req -new -sha256  -text  -extensions v3_ca_req" + configOption + " -key " + q(n2(privateKeyFilename)) + " -out " + q(n2(csrFilename)) + " " + subjectOpt,
-    options
-  );
-  displayTitle("Generate CA Certificate (self-signed)");
-  await execute_openssl(
-    " x509 -sha256 -req -days 3650  -text  -extensions v3_ca -extfile " + q(n2(configFile)) + " -in private/cakey.csr  -signkey " + q(n2(privateKeyFilename)) + " -out public/cacert.pem",
+    "req -new -sha256  -text  -extensions v3_ca_req" + configOption + " -key " + q3(n4(privateKeyFilename)) + " -out " + q3(n4(csrFilename)) + " " + subjectOpt,
     options
   );
+  const issuerCA = certificateAuthority._issuerCA;
+  if (issuerCA) {
+    displayTitle("Generate CA Certificate (signed by issuer CA)");
+    const issuerCert = path5.resolve(issuerCA.caCertificate);
+    const issuerKey = path5.resolve(issuerCA.rootDir, "private/cakey.pem");
+    const issuerSerial = path5.resolve(issuerCA.rootDir, "serial");
+    await execute_openssl(
+      " x509 -sha256 -req -days 3650  -text  -extensions v3_ca -extfile " + q3(n4(configFile)) + " -in private/cakey.csr  -CA " + q3(n4(issuerCert)) + " -CAkey " + q3(n4(issuerKey)) + " -CAserial " + q3(n4(issuerSerial)) + " -out public/cacert.pem",
+      options
+    );
+  } else {
+    displayTitle("Generate CA Certificate (self-signed)");
+    await execute_openssl(
+      " x509 -sha256 -req -days 3650  -text  -extensions v3_ca -extfile " + q3(n4(configFile)) + " -in private/cakey.csr  -signkey " + q3(n4(privateKeyFilename)) + " -out public/cacert.pem",
+      options
+    );
+  }
   displaySubtitle("generate initial CRL (Certificate Revocation List)");
   await regenerateCrl(certificateAuthority.revocationList, configOption, options);
   displayTitle("Create Certificate Authority (CA) ---> DONE");
@@ -836,7 +943,7 @@ async function regenerateCrl(revocationList, configOption, options) {
   await execute_openssl(`ca -gencrl ${configOption} -out crl/revocation_list.crl`, options);
   await execute_openssl("crl  -in  crl/revocation_list.crl -out  crl/revocation_list.der  -outform der", options);
   displaySubtitle("Display (Certificate Revocation List)");
-  await execute_openssl(`crl  -in ${q(n2(revocationList))} -text  -noout`, options);
+  await execute_openssl(`crl  -in ${q3(n4(revocationList))} -text  -noout`, options);
 }
 function parseOpenSSLDate(dateStr) {
   const raw = dateStr?.split(",")[0] ?? "";
@@ -857,12 +964,15 @@ var CertificateAuthority = class {
   location;
   /** X.500 subject of the CA certificate. */
   subject;
+  /** @internal Parent CA (undefined for root CAs). */
+  _issuerCA;
   constructor(options) {
-    assert6(Object.prototype.hasOwnProperty.call(options, "location"));
-    assert6(Object.prototype.hasOwnProperty.call(options, "keySize"));
+    assert7(Object.prototype.hasOwnProperty.call(options, "location"));
+    assert7(Object.prototype.hasOwnProperty.call(options, "keySize"));
     this.location = options.location;
     this.keySize = options.keySize || 2048;
     this.subject = new Subject2(options.subject || defaultSubject);
+    this._issuerCA = options.issuerCA;
   }
   /** Absolute path to the CA root directory (alias for {@link location}). */
   get rootDir() {
@@ -876,6 +986,18 @@ var CertificateAuthority = class {
   get caCertificate() {
     return makePath(this.rootDir, "./public/cacert.pem");
   }
+  /**
+   * Path to the issuer certificate chain (`public/issuer_chain.pem`).
+   *
+   * This file is created by {@link installCACertificate} when the
+   * provided cert file contains additional issuer certificates
+   * (e.g. intermediate + root). It is appended to signed certs
+   * by {@link constructCertificateChain} to produce a full chain
+   * per OPC UA Part 6 §6.2.6.
+   */
+  get issuerCertificateChain() {
+    return makePath(this.rootDir, "./public/issuer_chain.pem");
+  }
   /**
    * Path to the current Certificate Revocation List in DER format.
    * (`crl/revocation_list.der`)
@@ -933,10 +1055,10 @@ var CertificateAuthority = class {
    */
   getCRLDER() {
     const crlPath = this.revocationListDER;
-    if (!fs6.existsSync(crlPath)) {
+    if (!fs7.existsSync(crlPath)) {
       return Buffer.alloc(0);
     }
-    return fs6.readFileSync(crlPath);
+    return fs7.readFileSync(crlPath);
   }
   /**
    * Return the current Certificate Revocation List as a
@@ -946,10 +1068,10 @@ var CertificateAuthority = class {
    */
   getCRLPEM() {
     const crlPath = this.revocationList;
-    if (!fs6.existsSync(crlPath)) {
+    if (!fs7.existsSync(crlPath)) {
       return "";
     }
-    const raw = fs6.readFileSync(crlPath, "utf-8");
+    const raw = fs7.readFileSync(crlPath, "utf-8");
     const beginMarker = "-----BEGIN X509 CRL-----";
     const idx = raw.indexOf(beginMarker);
     if (idx > 0) {
@@ -1002,7 +1124,7 @@ var CertificateAuthority = class {
   getCertificateBySerial(serial) {
     const upper = serial.toUpperCase();
     const certFile = path5.join(this.rootDir, "certs", `${upper}.pem`);
-    if (!fs6.existsSync(certFile)) {
+    if (!fs7.existsSync(certFile)) {
       return void 0;
     }
     const pem = readCertificatePEM(certFile);
@@ -1031,10 +1153,10 @@ var CertificateAuthority = class {
    */
   _parseIndexTxt() {
     const indexPath = this.indexFile;
-    if (!fs6.existsSync(indexPath)) {
+    if (!fs7.existsSync(indexPath)) {
       return [];
     }
-    const content = fs6.readFileSync(indexPath, "utf-8");
+    const content = fs7.readFileSync(indexPath, "utf-8");
     const lines = content.split("\n").filter((l) => l.trim().length > 0);
     const records = [];
     for (const line of lines) {
@@ -1088,25 +1210,145 @@ var CertificateAuthority = class {
    * internally so that callers can work with in-memory
    * buffers only.
    *
+   * The CA can override fields from the CSR by passing
+   * `options.dns`, `options.ip`, `options.applicationUri`,
+   * `options.startDate`, or `options.subject`.
+   *
    * @param csrDer - the CSR as a DER-encoded buffer
-   * @param options - signing options
-   * @param options.validity - certificate validity in days
-   *   (default: 365)
+   * @param options - signing options and CA overrides
    * @returns the signed certificate as a DER-encoded buffer
    */
   async signCertificateRequestFromDER(csrDer, options) {
     const validity = options?.validity ?? 365;
-    const tmpDir = await fs6.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-sign-"));
+    const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-sign-"));
     try {
       const csrFile = path5.join(tmpDir, "request.csr");
       const certFile = path5.join(tmpDir, "certificate.pem");
       const csrPem = toPem(csrDer, "CERTIFICATE REQUEST");
-      await fs6.promises.writeFile(csrFile, csrPem, "utf-8");
-      await this.signCertificateRequest(certFile, csrFile, { validity });
+      await fs7.promises.writeFile(csrFile, csrPem, "utf-8");
+      const signingParams = { validity };
+      if (options?.startDate) signingParams.startDate = options.startDate;
+      if (options?.dns) signingParams.dns = options.dns;
+      if (options?.ip) signingParams.ip = options.ip;
+      if (options?.applicationUri) signingParams.applicationUri = options.applicationUri;
+      if (options?.subject) signingParams.subject = options.subject;
+      await this.signCertificateRequest(certFile, csrFile, signingParams);
       const certPem = readCertificatePEM(certFile);
       return convertPEMtoDER(certPem);
     } finally {
-      await fs6.promises.rm(tmpDir, {
+      await fs7.promises.rm(tmpDir, {
+        recursive: true,
+        force: true
+      });
+    }
+  }
+  /**
+   * Generate a new RSA key pair, create an internal CSR, sign it
+   * with this CA, and return both the certificate and private key
+   * as DER-encoded buffers.
+   *
+   * The private key is **never stored** by the CA — it exists only
+   * in a temporary directory that is cleaned up after the operation.
+   *
+   * This is used by `StartNewKeyPairRequest` (OPC UA Part 12) for
+   * constrained devices that cannot generate their own keys.
+   *
+   * @param options - key generation and certificate parameters
+   * @returns `{ certificateDer, privateKey }` — certificate as DER,
+   *   private key as a branded `PrivateKey` buffer
+   */
+  async generateKeyPairAndSignDER(options) {
+    const keySize = options.keySize ?? 2048;
+    const validity = options.validity ?? 365;
+    const startDate = options.startDate ?? /* @__PURE__ */ new Date();
+    const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-keygen-"));
+    try {
+      const privateKeyFile = path5.join(tmpDir, "private_key.pem");
+      await generatePrivateKeyFile(privateKeyFile, keySize);
+      const configFile = path5.join(tmpDir, "openssl.cnf");
+      await fs7.promises.writeFile(configFile, configurationFileSimpleTemplate, "utf-8");
+      const csrFile = path5.join(tmpDir, "request.csr");
+      await createCertificateSigningRequestWithOpenSSL(csrFile, {
+        rootDir: tmpDir,
+        configFile,
+        privateKey: privateKeyFile,
+        applicationUri: options.applicationUri,
+        subject: options.subject,
+        dns: options.dns ?? [],
+        ip: options.ip ?? [],
+        purpose: CertificatePurpose.ForApplication
+      });
+      const certFile = path5.join(tmpDir, "certificate.pem");
+      await this.signCertificateRequest(certFile, csrFile, {
+        applicationUri: options.applicationUri,
+        dns: options.dns,
+        ip: options.ip,
+        startDate,
+        validity
+      });
+      const certPem = readCertificatePEM(certFile);
+      const certificateDer = convertPEMtoDER(certPem);
+      const privateKey = readPrivateKey(privateKeyFile);
+      return { certificateDer, privateKey };
+    } finally {
+      await fs7.promises.rm(tmpDir, {
+        recursive: true,
+        force: true
+      });
+    }
+  }
+  /**
+   * Generate a new RSA key pair, create an internal CSR, sign it
+   * with this CA, and return the result as a PKCS#12 (PFX)
+   * buffer bundling the certificate, private key, and CA chain.
+   *
+   * The private key is **never stored** by the CA — it exists only
+   * in a temporary directory that is cleaned up after the operation.
+   *
+   * @param options - key generation, certificate, and PFX options
+   * @returns the PFX as a `Buffer`
+   */
+  async generateKeyPairAndSignPFX(options) {
+    const keySize = options.keySize ?? 2048;
+    const validity = options.validity ?? 365;
+    const startDate = options.startDate ?? /* @__PURE__ */ new Date();
+    const passphrase = options.passphrase ?? "";
+    const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-keygen-pfx-"));
+    try {
+      const privateKeyFile = path5.join(tmpDir, "private_key.pem");
+      await generatePrivateKeyFile(privateKeyFile, keySize);
+      const configFile = path5.join(tmpDir, "openssl.cnf");
+      await fs7.promises.writeFile(configFile, configurationFileSimpleTemplate, "utf-8");
+      const csrFile = path5.join(tmpDir, "request.csr");
+      await createCertificateSigningRequestWithOpenSSL(csrFile, {
+        rootDir: tmpDir,
+        configFile,
+        privateKey: privateKeyFile,
+        applicationUri: options.applicationUri,
+        subject: options.subject,
+        dns: options.dns ?? [],
+        ip: options.ip ?? [],
+        purpose: CertificatePurpose.ForApplication
+      });
+      const certFile = path5.join(tmpDir, "certificate.pem");
+      await this.signCertificateRequest(certFile, csrFile, {
+        applicationUri: options.applicationUri,
+        dns: options.dns,
+        ip: options.ip,
+        startDate,
+        validity
+      });
+      const pfxFile = path5.join(tmpDir, "bundle.pfx");
+      await createPFX({
+        certificateFile: certFile,
+        privateKeyFile,
+        outputFile: pfxFile,
+        passphrase,
+        caCertificateFiles: [this.caCertificate]
+      });
+      return await fs7.promises.readFile(pfxFile);
+    } finally {
+      await fs7.promises.rm(tmpDir, {
         recursive: true,
         force: true
       });
@@ -1128,7 +1370,7 @@ var CertificateAuthority = class {
     const info = exploreCertificate(certDer);
     const serial = info.tbsCertificate.serialNumber.replace(/:/g, "").toUpperCase();
     const storedCertFile = path5.join(this.rootDir, "certs", `${serial}.pem`);
-    if (!fs6.existsSync(storedCertFile)) {
+    if (!fs7.existsSync(storedCertFile)) {
       throw new Error(`Cannot revoke: no stored certificate found for serial ${serial} at ${storedCertFile}`);
     }
     await this.revokeCertificate(storedCertFile, {
@@ -1143,6 +1385,204 @@ var CertificateAuthority = class {
   async initialize() {
     await construct_CertificateAuthority(this);
   }
+  /**
+   * Initialize the CA directory structure and generate the
+   * private key + CSR **without signing**.
+   *
+   * Use this when the CA certificate will be signed by an
+   * external (third-party) root CA.  After receiving the signed
+   * certificate, call {@link installCACertificate} to complete
+   * the setup.
+   *
+   * **Idempotent / restart-safe:**
+   * - If the CA certificate exists and is valid → `{ status: "ready" }`
+   * - If the CA certificate has expired → `{ status: "expired", csrPath, expiryDate }`
+   *   (a new CSR is generated, preserving the existing private key)
+   * - If key + CSR exist but no cert (restart before install) →
+   *   `{ status: "pending", csrPath }` without regenerating
+   * - Otherwise → generates key + CSR → `{ status: "created", csrPath }`
+   *
+   * @returns an {@link InitializeCSRResult} describing the CA state
+   */
+  async initializeCSR() {
+    const caRootDir = path5.resolve(this.rootDir);
+    mkdirRecursiveSync(caRootDir);
+    for (const dir of ["private", "public", "certs", "crl", "conf"]) {
+      mkdirRecursiveSync(path5.join(caRootDir, dir));
+    }
+    const caCertFile = this.caCertificate;
+    const privateKeyFile = path5.join(caRootDir, "private/cakey.pem");
+    const csrFile = path5.join(caRootDir, "private/cakey.csr");
+    if (fs7.existsSync(caCertFile)) {
+      const certDer = convertPEMtoDER(readCertificatePEM(caCertFile));
+      const certInfo = exploreCertificate(certDer);
+      const notAfter = certInfo.tbsCertificate.validity.notAfter;
+      if (notAfter.getTime() < Date.now()) {
+        debugLog("CA certificate has expired \u2014 generating renewal CSR");
+        await this._generateCSR(caRootDir, privateKeyFile, csrFile);
+        return { status: "expired", csrPath: csrFile, expiryDate: notAfter };
+      }
+      debugLog("CA certificate already exists and is valid \u2014 ready");
+      return { status: "ready" };
+    }
+    if (fs7.existsSync(privateKeyFile) && fs7.existsSync(csrFile)) {
+      debugLog("CA key + CSR already exist \u2014 pending external signing");
+      return { status: "pending", csrPath: csrFile };
+    }
+    const serial = path5.join(caRootDir, "serial");
+    if (!fs7.existsSync(serial)) {
+      await fs7.promises.writeFile(serial, "1000");
+    }
+    const crlNumber = path5.join(caRootDir, "crlnumber");
+    if (!fs7.existsSync(crlNumber)) {
+      await fs7.promises.writeFile(crlNumber, "1000");
+    }
+    const indexFile = path5.join(caRootDir, "index.txt");
+    if (!fs7.existsSync(indexFile)) {
+      await fs7.promises.writeFile(indexFile, "");
+    }
+    const indexFileAttr = path5.join(caRootDir, "index.txt.attr");
+    if (!fs7.existsSync(indexFileAttr)) {
+      await fs7.promises.writeFile(indexFileAttr, "unique_subject = no");
+    }
+    const caConfigFile = this.configFile;
+    let data = configurationFileTemplate;
+    data = makePath(data.replace(/%%ROOT_FOLDER%%/, caRootDir));
+    await fs7.promises.writeFile(caConfigFile, data);
+    if (!fs7.existsSync(privateKeyFile)) {
+      await generatePrivateKeyFile(privateKeyFile, this.keySize);
+    }
+    await this._generateCSR(caRootDir, privateKeyFile, csrFile);
+    return { status: "created", csrPath: csrFile };
+  }
+  /**
+   * Check whether the CA certificate needs renewal and, if so,
+   * generate a new CSR for re-signing by the external root CA.
+   *
+   * Use this while the CA is running to detect upcoming expiry
+   * **before** it actually expires. The existing private key is
+   * preserved so previously issued certs remain valid.
+   *
+   * @param thresholdDays - number of days before expiry at which
+   *   to trigger renewal (default: 30)
+   * @returns an {@link InitializeCSRResult} — `"expired"` if
+   *   renewal is needed, `"ready"` if the cert is still valid
+   */
+  async renewCSR(thresholdDays = 30) {
+    const caRootDir = path5.resolve(this.rootDir);
+    const caCertFile = this.caCertificate;
+    const privateKeyFile = path5.join(caRootDir, "private/cakey.pem");
+    const csrFile = path5.join(caRootDir, "private/cakey.csr");
+    if (!fs7.existsSync(caCertFile)) {
+      return this.initializeCSR();
+    }
+    const certDer = convertPEMtoDER(readCertificatePEM(caCertFile));
+    const certInfo = exploreCertificate(certDer);
+    const notAfter = certInfo.tbsCertificate.validity.notAfter;
+    const thresholdMs = thresholdDays * 24 * 60 * 60 * 1e3;
+    if (notAfter.getTime() - Date.now() < thresholdMs) {
+      debugLog(`CA certificate expires within ${thresholdDays} days \u2014 generating renewal CSR`);
+      await this._generateCSR(caRootDir, privateKeyFile, csrFile);
+      return { status: "expired", csrPath: csrFile, expiryDate: notAfter };
+    }
+    return { status: "ready" };
+  }
+  /**
+   * Generate a CSR using the existing private key.
+   * @internal
+   */
+  async _generateCSR(caRootDir, privateKeyFile, csrFile) {
+    const subjectOpt = ` -subj "${this.subject.toString()}" `;
+    processAltNames({});
+    const options = { cwd: caRootDir };
+    const configFile = generateStaticConfig("conf/caconfig.cnf", options);
+    const configOption = ` -config ${q3(n4(configFile))}`;
+    await execute_openssl(
+      "req -new -sha256  -text  -extensions v3_ca_req" + configOption + " -key " + q3(n4(privateKeyFile)) + " -out " + q3(n4(csrFile)) + " " + subjectOpt,
+      options
+    );
+  }
+  /**
+   * Install an externally-signed CA certificate and generate
+   * the initial CRL.
+   *
+   * Call this after {@link initializeCSR} once the external
+   * root CA has signed the CSR.
+   *
+   * **Safety checks:**
+   * - Verifies that the certificate's public key matches the
+   *   CA private key before installing.
+   *
+   * @param signedCertFile - path to the PEM-encoded signed
+   *   CA certificate (issued by the external root CA)
+   * @returns an {@link InstallCACertificateResult} with
+   *   `status: "success"` or `status: "error"` and a `reason`
+   */
+  async installCACertificate(signedCertFile) {
+    const caRootDir = path5.resolve(this.rootDir);
+    const caCertFile = this.caCertificate;
+    const privateKeyFile = path5.join(caRootDir, "private/cakey.pem");
+    const fullPem = await fs7.promises.readFile(signedCertFile, "utf8");
+    const pemBlocks = fullPem.match(/-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g);
+    if (!pemBlocks || pemBlocks.length === 0) {
+      return {
+        status: "error",
+        reason: "no_certificate_found",
+        message: "The provided file does not contain any PEM-encoded certificate."
+      };
+    }
+    const certDer = convertPEMtoDER(pemBlocks[0]);
+    const privateKey = readPrivateKey(privateKeyFile);
+    if (!certificateMatchesPrivateKey(certDer, privateKey)) {
+      return {
+        status: "error",
+        reason: "certificate_key_mismatch",
+        message: "The provided certificate does not match the CA private key. Ensure the certificate was signed from the CSR generated by initializeCSR()."
+      };
+    }
+    await fs7.promises.writeFile(caCertFile, `${pemBlocks[0]}
+`);
+    const issuerChainFile = this.issuerCertificateChain;
+    if (pemBlocks.length > 1) {
+      const issuerPem = `${pemBlocks.slice(1).join("\n")}
+`;
+      await fs7.promises.writeFile(issuerChainFile, issuerPem);
+      debugLog(`Stored ${pemBlocks.length - 1} issuer certificate(s) in issuer_chain.pem`);
+    } else {
+      if (fs7.existsSync(issuerChainFile)) {
+        await fs7.promises.unlink(issuerChainFile);
+      }
+    }
+    const options = { cwd: caRootDir };
+    const configFile = generateStaticConfig("conf/caconfig.cnf", options);
+    const configOption = ` -config ${q3(n4(configFile))}`;
+    await regenerateCrl(this.revocationList, configOption, options);
+    return { status: "success" };
+  }
+  /**
+   * Sign a CSR with CA extensions (`v3_ca`), producing a
+   * subordinate CA certificate.
+   *
+   * Unlike {@link signCertificateRequest} which signs with
+   * end-entity extensions (SANs, etc.), this method signs
+   * with `basicConstraints = CA:TRUE` and `keyUsage =
+   * keyCertSign, cRLSign`.
+   *
+   * @param certFile - output path for the signed CA cert (PEM)
+   * @param csrFile - path to the subordinate CA's CSR
+   * @param params - signing parameters
+   */
+  async signCACertificateRequest(certFile, csrFile, params) {
+    const caRootDir = path5.resolve(this.rootDir);
+    const options = { cwd: caRootDir };
+    const configFile = generateStaticConfig("conf/caconfig.cnf", options);
+    const validity = params.validity ?? 3650;
+    await execute_openssl(
+      ` x509 -sha256 -req -days ${validity} -text  -extensions v3_ca -extfile ` + q3(n4(configFile)) + " -in " + q3(n4(csrFile)) + " -CA " + q3(n4(this.caCertificate)) + " -CAkey " + q3(n4(path5.join(caRootDir, "private/cakey.pem"))) + " -CAserial " + q3(n4(path5.join(caRootDir, "serial"))) + " -out " + q3(n4(certFile)),
+      options
+    );
+    await this.constructCertificateChain(certFile);
+  }
   /**
    * Rebuild the combined CA certificate + CRL file.
    *
@@ -1152,13 +1592,13 @@ var CertificateAuthority = class {
    */
   async constructCACertificateWithCRL() {
     const cacertWithCRL = this.caCertificateWithCrl;
-    if (fs6.existsSync(this.revocationList)) {
-      await fs6.promises.writeFile(
+    if (fs7.existsSync(this.revocationList)) {
+      await fs7.promises.writeFile(
         cacertWithCRL,
-        fs6.readFileSync(this.caCertificate, "utf8") + fs6.readFileSync(this.revocationList, "utf8")
+        fs7.readFileSync(this.caCertificate, "utf8") + fs7.readFileSync(this.revocationList, "utf8")
       );
     } else {
-      await fs6.promises.writeFile(cacertWithCRL, fs6.readFileSync(this.caCertificate));
+      await fs7.promises.writeFile(cacertWithCRL, fs7.readFileSync(this.caCertificate));
     }
   }
   /**
@@ -1168,14 +1608,15 @@ var CertificateAuthority = class {
    * @param certificate - path to the certificate file to extend
    */
   async constructCertificateChain(certificate) {
-    assert6(fs6.existsSync(certificate));
-    assert6(fs6.existsSync(this.caCertificate));
+    assert7(fs7.existsSync(certificate));
+    assert7(fs7.existsSync(this.caCertificate));
     debugLog(chalk5.yellow("        certificate file :"), chalk5.cyan(certificate));
-    await fs6.promises.writeFile(
-      certificate,
-      await fs6.promises.readFile(certificate, "utf8") + await fs6.promises.readFile(this.caCertificate, "utf8")
-      //   + fs.readFileSync(this.revocationList)
-    );
+    let chain = await fs7.promises.readFile(certificate, "utf8");
+    chain += await fs7.promises.readFile(this.caCertificate, "utf8");
+    if (fs7.existsSync(this.issuerCertificateChain)) {
+      chain += await fs7.promises.readFile(this.issuerCertificateChain, "utf8");
+    }
+    await fs7.promises.writeFile(certificate, chain);
   }
   /**
    * Create a self-signed certificate using OpenSSL.
@@ -1185,8 +1626,8 @@ var CertificateAuthority = class {
    * @param params - certificate parameters (subject, validity, SANs)
    */
   async createSelfSignedCertificate(certificateFile, privateKey, params) {
-    assert6(typeof privateKey === "string");
-    assert6(fs6.existsSync(privateKey));
+    assert7(typeof privateKey === "string");
+    assert7(fs7.existsSync(privateKey));
     if (!certificateFileExist(certificateFile)) {
       return;
     }
@@ -1194,7 +1635,7 @@ var CertificateAuthority = class {
     adjustApplicationUri(params);
     processAltNames(params);
     const csrFile = `${certificateFile}_csr`;
-    assert6(csrFile);
+    assert7(csrFile);
     const configFile = generateStaticConfig(this.configFile, { cwd: this.rootDir });
     const options = {
       cwd: this.rootDir,
@@ -1205,19 +1646,19 @@ var CertificateAuthority = class {
     const subjectOptions = subject && subject.length > 1 ? ` -subj ${subject} ` : "";
     displaySubtitle("- the certificate signing request");
     await execute_openssl(
-      "req  -new -sha256 -text " + configOption + subjectOptions + " -batch -key " + q(n2(privateKey)) + " -out " + q(n2(csrFile)),
+      "req  -new -sha256 -text " + configOption + subjectOptions + " -batch -key " + q3(n4(privateKey)) + " -out " + q3(n4(csrFile)),
       options
     );
     displaySubtitle("- creating the self-signed certificate");
     await execute_openssl(
-      "ca  -selfsign  -keyfile " + q(n2(privateKey)) + " -startdate " + x509Date(params.startDate) + " -enddate " + x509Date(params.endDate) + " -batch -out " + q(n2(certificateFile)) + " -in " + q(n2(csrFile)),
+      "ca  -selfsign  -keyfile " + q3(n4(privateKey)) + " -startdate " + x509Date(params.startDate) + " -enddate " + x509Date(params.endDate) + " -batch -out " + q3(n4(certificateFile)) + " -in " + q3(n4(csrFile)),
       options
     );
     displaySubtitle("- dump the certificate for a check");
-    await execute_openssl(`x509 -in ${q(n2(certificateFile))}  -dates -fingerprint -purpose -noout`, {});
+    await execute_openssl(`x509 -in ${q3(n4(certificateFile))}  -dates -fingerprint -purpose -noout`, {});
     displaySubtitle("- verify self-signed certificate");
-    await execute_openssl_no_failure(`verify -verbose -CAfile ${q(n2(certificateFile))} ${q(n2(certificateFile))}`, options);
-    await fs6.promises.unlink(csrFile);
+    await execute_openssl_no_failure(`verify -verbose -CAfile ${q3(n4(certificateFile))} ${q3(n4(certificateFile))}`, options);
+    await fs7.promises.unlink(csrFile);
   }
   /**
    * Revoke a certificate and regenerate the CRL.
@@ -1246,22 +1687,22 @@ var CertificateAuthority = class {
     setEnv("ALTNAME", "");
     const randomFile = path5.join(this.rootDir, "random.rnd");
     setEnv("RANDFILE", randomFile);
-    const configOption = ` -config ${q(n2(configFile))}`;
+    const configOption = ` -config ${q3(n4(configFile))}`;
     const reason = params.reason || "keyCompromise";
-    assert6(crlReasons.indexOf(reason) >= 0);
+    assert7(crlReasons.indexOf(reason) >= 0);
     displayTitle(`Revoking certificate  ${certificate}`);
     displaySubtitle("Revoke certificate");
-    await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q(certificate)} -crl_reason ${reason}`, options);
+    await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q3(certificate)} -crl_reason ${reason}`, options);
     await regenerateCrl(this.revocationList, configOption, options);
     displaySubtitle("Verify that certificate is revoked");
     await execute_openssl_no_failure(
-      "verify -verbose -CRLfile " + q(n2(this.revocationList)) + " -CAfile " + q(n2(this.caCertificate)) + " -crl_check " + q(n2(certificate)),
+      "verify -verbose -CRLfile " + q3(n4(this.revocationList)) + " -CAfile " + q3(n4(this.caCertificate)) + " -crl_check " + q3(n4(certificate)),
       options
     );
     displaySubtitle("Produce CRL in DER form ");
-    await execute_openssl(`crl  -in ${q(n2(this.revocationList))} -out crl/revocation_list.der  -outform der`, options);
+    await execute_openssl(`crl  -in ${q3(n4(this.revocationList))} -out crl/revocation_list.der  -outform der`, options);
     displaySubtitle("Produce CRL in PEM form ");
-    await execute_openssl(`crl  -in ${q(n2(this.revocationList))} -out crl/revocation_list.pem  -outform pem -text `, options);
+    await execute_openssl(`crl  -in ${q3(n4(this.revocationList))} -out crl/revocation_list.pem  -outform pem -text `, options);
   }
   /**
    * Sign a Certificate Signing Request (CSR) with this CA.
@@ -1277,7 +1718,7 @@ var CertificateAuthority = class {
    */
   async signCertificateRequest(certificate, certificateSigningRequestFilename, params1) {
     await ensure_openssl_installed();
-    assert6(fs6.existsSync(certificateSigningRequestFilename));
+    assert7(fs7.existsSync(certificateSigningRequestFilename));
     if (!certificateFileExist(certificate)) {
       return "";
     }
@@ -1304,11 +1745,11 @@ var CertificateAuthority = class {
     displaySubtitle("- then we ask the authority to sign the certificate signing request");
     const configOption = ` -config ${configFile}`;
     await execute_openssl(
-      "ca " + configOption + " -startdate " + x509Date(params1.startDate) + " -enddate " + x509Date(params1.endDate) + " -batch -out " + q(n2(certificate)) + " -in " + q(n2(certificateSigningRequestFilename)),
+      "ca " + configOption + " -startdate " + x509Date(params1.startDate) + " -enddate " + x509Date(params1.endDate) + " -batch -out " + q3(n4(certificate)) + " -in " + q3(n4(certificateSigningRequestFilename)),
       options
     );
     displaySubtitle("- dump the certificate for a check");
-    await execute_openssl(`x509 -in ${q(n2(certificate))}  -dates -fingerprint -purpose -noout`, options);
+    await execute_openssl(`x509 -in ${q3(n4(certificate))}  -dates -fingerprint -purpose -noout`, options);
     displaySubtitle("- construct CA certificate with CRL");
     await this.constructCACertificateWithCRL();
     displaySubtitle("- construct certificate chain");
@@ -1331,7 +1772,7 @@ var CertificateAuthority = class {
       const _configOption = ` -config ${configFile}`;
       _configOption;
       await execute_openssl_no_failure(
-        `verify -verbose  -CAfile ${q(n2(this.caCertificateWithCrl))} ${q(n2(certificate))}`,
+        `verify -verbose  -CAfile ${q3(n4(this.caCertificateWithCrl))} ${q3(n4(certificate))}`,
         options
       );
     }
@@ -1340,7 +1781,7 @@ var CertificateAuthority = class {
 
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
 import { EventEmitter } from "events";
-import fs9 from "fs";
+import fs10 from "fs";
 import path6 from "path";
 import { drainPendingLocks, withLock } from "@ster5/global-mutex";
 import chalk6 from "chalk";
@@ -1361,21 +1802,21 @@ import {
 } from "node-opcua-crypto";
 
 // packages/node-opcua-pki/lib/toolbox/without_openssl/create_certificate_signing_request.ts
-import assert7 from "assert";
-import fs7 from "fs";
+import assert8 from "assert";
+import fs8 from "fs";
 import { createCertificateSigningRequest, pemToPrivateKey, Subject as Subject3 } from "node-opcua-crypto";
 async function createCertificateSigningRequestAsync(certificateSigningRequestFilename, params) {
-  assert7(params);
-  assert7(params.rootDir);
-  assert7(params.configFile);
-  assert7(params.privateKey);
-  assert7(typeof params.privateKey === "string");
-  assert7(fs7.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
-  assert7(fs7.existsSync(params.rootDir), "RootDir key must exist");
-  assert7(typeof certificateSigningRequestFilename === "string");
+  assert8(params);
+  assert8(params.rootDir);
+  assert8(params.configFile);
+  assert8(params.privateKey);
+  assert8(typeof params.privateKey === "string");
+  assert8(fs8.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
+  assert8(fs8.existsSync(params.rootDir), "RootDir key must exist");
+  assert8(typeof certificateSigningRequestFilename === "string");
   const subject = params.subject ? new Subject3(params.subject).toString() : void 0;
   displaySubtitle("- Creating a Certificate Signing Request with subtile");
-  const privateKeyPem = await fs7.promises.readFile(params.privateKey, "utf-8");
+  const privateKeyPem = await fs8.promises.readFile(params.privateKey, "utf-8");
   const privateKey = await pemToPrivateKey(privateKeyPem);
   const { csr } = await createCertificateSigningRequest({
     privateKey,
@@ -1385,38 +1826,38 @@ async function createCertificateSigningRequestAsync(certificateSigningRequestFil
     applicationUri: params.applicationUri,
     purpose: params.purpose
   });
-  await fs7.promises.writeFile(certificateSigningRequestFilename, csr, "utf-8");
+  await fs8.promises.writeFile(certificateSigningRequestFilename, csr, "utf-8");
   display(`- privateKey ${params.privateKey}`);
   display(`- certificateSigningRequestFilename ${certificateSigningRequestFilename}`);
 }
 
 // packages/node-opcua-pki/lib/toolbox/without_openssl/create_self_signed_certificate.ts
-import assert8 from "assert";
-import fs8 from "fs";
+import assert9 from "assert";
+import fs9 from "fs";
 import {
-  CertificatePurpose,
+  CertificatePurpose as CertificatePurpose2,
   createSelfSignedCertificate as createSelfSignedCertificate1,
   pemToPrivateKey as pemToPrivateKey2,
   Subject as Subject4
 } from "node-opcua-crypto";
 async function createSelfSignedCertificateAsync(certificate, params) {
-  params.purpose = params.purpose || CertificatePurpose.ForApplication;
-  assert8(params.purpose, "Please provide a Certificate Purpose");
-  assert8(fs8.existsSync(params.configFile));
-  assert8(fs8.existsSync(params.rootDir));
-  assert8(fs8.existsSync(params.privateKey));
+  params.purpose = params.purpose || CertificatePurpose2.ForApplication;
+  assert9(params.purpose, "Please provide a Certificate Purpose");
+  assert9(fs9.existsSync(params.configFile));
+  assert9(fs9.existsSync(params.rootDir));
+  assert9(fs9.existsSync(params.privateKey));
   if (!params.subject) {
     throw Error("Missing subject");
   }
-  assert8(typeof params.applicationUri === "string");
-  assert8(Array.isArray(params.dns));
+  assert9(typeof params.applicationUri === "string");
+  assert9(Array.isArray(params.dns));
   adjustDate(params);
-  assert8(Object.prototype.hasOwnProperty.call(params, "validity"));
+  assert9(Object.prototype.hasOwnProperty.call(params, "validity"));
   let subject = new Subject4(params.subject);
   subject = subject.toString();
   const purpose = params.purpose;
   displayTitle("Generate a certificate request");
-  const privateKeyPem = await fs8.promises.readFile(params.privateKey, "utf-8");
+  const privateKeyPem = await fs9.promises.readFile(params.privateKey, "utf-8");
   const privateKey = await pemToPrivateKey2(privateKeyPem);
   const { cert } = await createSelfSignedCertificate1({
     privateKey,
@@ -1429,19 +1870,15 @@ async function createSelfSignedCertificateAsync(certificate, params) {
     applicationUri: params.applicationUri,
     purpose
   });
-  await fs8.promises.writeFile(certificate, cert, "utf-8");
+  await fs9.promises.writeFile(certificate, cert, "utf-8");
 }
 async function createSelfSignedCertificate(certificate, params) {
   await createSelfSignedCertificateAsync(certificate, params);
 }
 
-// packages/node-opcua-pki/lib/pki/templates/simple_config_template.cnf.ts
-var config3 = '##################################################################################################\n## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\n################################################################################################################\n\ndistinguished_name       = req_distinguished_name\ndefault_md               = sha1\n\ndefault_md                = sha256                      # The default digest algorithm\n\n[ v3_ca ]\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier      = keyid:always,issuer:always\n\n# authorityKeyIdentifier    = keyid\nbasicConstraints            = CA:TRUE\nkeyUsage                    = critical, cRLSign, keyCertSign\nnsComment                   = "Self-signed Certificate for CA generated by Node-OPCUA Certificate utility"\n#nsCertType                 = sslCA, emailCA\n#subjectAltName             = email:copy\n#issuerAltName              = issuer:copy\n#obj                        = DER:02:03\n# crlDistributionPoints       = @crl_info\n# [ crl_info ]\n# URI.0                     = http://localhost:8900/crl.pem\nsubjectAltName              = $ENV::ALTNAME\n\n[ req ]\ndays                      = 390\nreq_extensions            = v3_req\nx509_extensions           = v3_ca\n\n[v3_req]\nbasicConstraints       = CA:false\nkeyUsage               = critical, cRLSign, keyCertSign\nsubjectAltName         = $ENV::ALTNAME\n\n[ v3_ca_signed]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "certificate generated by Node-OPCUA Certificate utility and signed by a CA"\nsubjectAltName            = $ENV::ALTNAME\n[ v3_selfsigned]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "Self-signed certificate generated by Node-OPCUA Certificate utility"\nsubjectAltName            = $ENV::ALTNAME\n[ req_distinguished_name ]\ncountryName             = Country Name (2 letter code)\ncountryName_default     = FR\ncountryName_min         = 2\ncountryName_max         = 2\n# stateOrProvinceName     = State or Province Name (full name)\n# stateOrProvinceName_default = Ile de France\n# localityName            = Locality Name (city, district)\n# localityName_default    = Paris\norganizationName          = Organization Name (company)\norganizationName_default  = NodeOPCUA\n# organizationalUnitName  = Organizational Unit Name (department, division)\n# organizationalUnitName_default = R&D\ncommonName                = Common Name (hostname, FQDN, IP, or your name)\ncommonName_max            = 256\ncommonName_default        = NodeOPCUA\n# emailAddress            = Email Address\n# emailAddress_max        = 40\n# emailAddress_default    = node-opcua (at) node-opcua (dot) com\nsubjectAltName            = $ENV::ALTNAME';
-var simple_config_template_cnf_default = config3;
-
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
-var configurationFileSimpleTemplate = simple_config_template_cnf_default;
-var fsWriteFile = fs9.promises.writeFile;
+var configurationFileSimpleTemplate2 = simple_config_template_cnf_default;
+var fsWriteFile = fs10.promises.writeFile;
 function getOrComputeInfo(entry) {
   if (!entry.info) {
     entry.info = exploreCertificateCached(entry.certificate);
@@ -1668,7 +2105,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
     this.#location = makePath(options.location, "");
     this.keySize = options.keySize;
     mkdirRecursiveSync(options.location);
-    if (!fs9.existsSync(this.#location)) {
+    if (!fs10.existsSync(this.#location)) {
       throw new Error(`CertificateManager cannot access location ${this.#location}`);
     }
   }
@@ -1981,15 +2418,15 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
     mkdirRecursiveSync(path6.join(pkiDir, "issuers"));
     mkdirRecursiveSync(path6.join(pkiDir, "issuers/certs"));
     mkdirRecursiveSync(path6.join(pkiDir, "issuers/crl"));
-    if (!fs9.existsSync(this.configFile) || !fs9.existsSync(this.privateKey)) {
+    if (!fs10.existsSync(this.configFile) || !fs10.existsSync(this.privateKey)) {
       return await this.withLock2(async () => {
         if (this.state === 3 /* Disposing */ || this.state === 4 /* Disposed */) {
           return;
         }
-        if (!fs9.existsSync(this.configFile)) {
-          fs9.writeFileSync(this.configFile, configurationFileSimpleTemplate);
+        if (!fs10.existsSync(this.configFile)) {
+          fs10.writeFileSync(this.configFile, configurationFileSimpleTemplate2);
         }
-        if (!fs9.existsSync(this.privateKey)) {
+        if (!fs10.existsSync(this.privateKey)) {
           debugLog("generating private key ...");
           await generatePrivateKeyFile2(this.privateKey, this.keySize);
           await this.#readCertificates();
@@ -2079,7 +2516,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
     if (typeof params.applicationUri !== "string") {
       throw new Error("createSelfSignedCertificate: expecting applicationUri to be a string");
     }
-    if (!fs9.existsSync(this.privateKey)) {
+    if (!fs10.existsSync(this.privateKey)) {
       throw new Error(`Cannot find private key ${this.privateKey}`);
     }
     let certificateFilename = path6.join(this.rootDir, "own/certs/self_signed_certificate.pem");
@@ -2143,7 +2580,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       return "Good" /* Good */;
     }
     const filename = path6.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);
-    await fs9.promises.writeFile(filename, pemCertificate, "ascii");
+    await fs10.promises.writeFile(filename, pemCertificate, "ascii");
     this.#thumbs.issuers.certs.set(fingerprint, { certificate, filename });
     if (addInTrustList) {
       await this.trustCertificate(certificate);
@@ -2166,8 +2603,9 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
           index.set(key, { crls: [], serialNumbers: {} });
         }
         const pemCertificate = toPem2(crl, "X509 CRL");
-        const filename = path6.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);
-        await fs9.promises.writeFile(filename, pemCertificate, "ascii");
+        const sanitizedKey = key.replace(/:/g, "");
+        const filename = path6.join(folder, `crl_[${sanitizedKey}].pem`);
+        await fs10.promises.writeFile(filename, pemCertificate, "ascii");
         await this.#onCrlFileAdded(index, filename);
         await this.#waitAndCheckCRLProcessingStatus();
         return "Good" /* Good */;
@@ -2186,11 +2624,11 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
   async clearRevocationLists(target) {
     const clearFolder = async (folder, index) => {
       try {
-        const files = await fs9.promises.readdir(folder);
+        const files = await fs10.promises.readdir(folder);
         for (const file of files) {
           const ext = path6.extname(file).toLowerCase();
           if (ext === ".crl" || ext === ".pem" || ext === ".der") {
-            await fs9.promises.unlink(path6.join(folder, file));
+            await fs10.promises.unlink(path6.join(folder, file));
           }
         }
       } catch (err) {
@@ -2232,7 +2670,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       return null;
     }
     try {
-      await fs9.promises.unlink(entry.filename);
+      await fs10.promises.unlink(entry.filename);
     } catch (err) {
       if (err.code !== "ENOENT") {
         throw err;
@@ -2256,7 +2694,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       return null;
     }
     try {
-      await fs9.promises.unlink(entry.filename);
+      await fs10.promises.unlink(entry.filename);
     } catch (err) {
       if (err.code !== "ENOENT") {
         throw err;
@@ -2279,7 +2717,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       if (!crlData) return;
       for (const crlEntry of crlData.crls) {
         try {
-          await fs9.promises.unlink(crlEntry.filename);
+          await fs10.promises.unlink(crlEntry.filename);
         } catch (err) {
           if (err.code !== "ENOENT") {
             throw err;
@@ -2432,7 +2870,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       if (status === "unknown") {
         const pem = toPem2(certificate, "CERTIFICATE");
         const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
-        await fs9.promises.writeFile(filename, pem);
+        await fs10.promises.writeFile(filename, pem);
         this.#thumbs.rejected.set(fingerprint, { certificate, filename });
         status = "rejected";
       }
@@ -2451,7 +2889,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
         const certificateDest = path6.join(destFolder, path6.basename(srcEntry.filename));
         debugLog("#moveCertificate", fingerprint.substring(0, 10), "old name", srcEntry.filename);
         debugLog("#moveCertificate", fingerprint.substring(0, 10), "new name", certificateDest);
-        await fs9.promises.rename(srcEntry.filename, certificateDest);
+        await fs10.promises.rename(srcEntry.filename, certificateDest);
         indexSrc.delete(fingerprint);
         const indexDest = newStatus === "trusted" ? this.#thumbs.trusted : this.#thumbs.rejected;
         indexDest.set(fingerprint, { certificate, filename: certificateDest });
@@ -2561,11 +2999,11 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       persistent: false
     };
     const allCapturedHandles = [];
-    const origWatch = fs9.watch;
+    const origWatch = fs10.watch;
     let watcherReadyCount = 0;
     const totalWatchers = 5;
-    fs9.watch = ((...args) => {
-      const handle = origWatch.apply(fs9, args);
+    fs10.watch = ((...args) => {
+      const handle = origWatch.apply(fs10, args);
       handle.setMaxListeners(handle.getMaxListeners() + 1);
       handle.on("error", () => {
       });
@@ -2581,7 +3019,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
         }
         watcherReadyCount++;
         if (watcherReadyCount >= totalWatchers) {
-          fs9.watch = origWatch;
+          fs10.watch = origWatch;
         }
       };
       return { w, capturedHandles: allCapturedHandles.slice(startIdx), unreffAll };
@@ -2605,12 +3043,12 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
    * file reads, preventing main-loop stalls with large folders.
    */
   async #scanCertFolder(folder, index) {
-    if (!fs9.existsSync(folder)) return;
-    const files = await fs9.promises.readdir(folder);
+    if (!fs10.existsSync(folder)) return;
+    const files = await fs10.promises.readdir(folder);
     for (const file of files) {
       const filename = path6.join(folder, file);
       try {
-        const stat = await fs9.promises.stat(filename);
+        const stat = await fs10.promises.stat(filename);
         if (!stat.isFile()) continue;
         const certificate = await readCertificateAsync(filename);
         const info = exploreCertificateCached(certificate);
@@ -2626,12 +3064,12 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
    * Scan a CRL folder and populate the in-memory CRL index.
    */
   async #scanCrlFolder(folder, index) {
-    if (!fs9.existsSync(folder)) return;
-    const files = await fs9.promises.readdir(folder);
+    if (!fs10.existsSync(folder)) return;
+    const files = await fs10.promises.readdir(folder);
     for (const file of files) {
       const filename = path6.join(folder, file);
       try {
-        const stat = await fs9.promises.stat(filename);
+        const stat = await fs10.promises.stat(filename);
         if (!stat.isFile()) continue;
         this.#onCrlFileAdded(index, filename);
       } catch (err) {
@@ -2756,65 +3194,6 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
     });
   }
 };
-
-// packages/node-opcua-pki/lib/pki/toolbox_pfx.ts
-import assert9 from "assert";
-import fs10 from "fs";
-var q2 = quote;
-var n3 = makePath;
-async function createPFX(options) {
-  const { certificateFile, privateKeyFile, outputFile, passphrase = "", caCertificateFiles } = options;
-  assert9(fs10.existsSync(certificateFile), `Certificate file does not exist: ${certificateFile}`);
-  assert9(fs10.existsSync(privateKeyFile), `Private key file does not exist: ${privateKeyFile}`);
-  let cmd = `pkcs12 -export`;
-  cmd += ` -in ${q2(n3(certificateFile))}`;
-  cmd += ` -inkey ${q2(n3(privateKeyFile))}`;
-  if (caCertificateFiles) {
-    for (const caFile of caCertificateFiles) {
-      assert9(fs10.existsSync(caFile), `CA certificate file does not exist: ${caFile}`);
-      cmd += ` -certfile ${q2(n3(caFile))}`;
-    }
-  }
-  cmd += ` -out ${q2(n3(outputFile))}`;
-  cmd += ` -passout pass:${passphrase}`;
-  await execute_openssl(cmd, {});
-}
-async function extractCertificateFromPFX(options) {
-  const { pfxFile, passphrase = "" } = options;
-  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
-  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -clcerts -nokeys -nodes -passin pass:${passphrase}`;
-  return await execute_openssl(cmd, {});
-}
-async function extractPrivateKeyFromPFX(options) {
-  const { pfxFile, passphrase = "" } = options;
-  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
-  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -nocerts -nodes -passin pass:${passphrase}`;
-  return await execute_openssl(cmd, {});
-}
-async function extractCACertificatesFromPFX(options) {
-  const { pfxFile, passphrase = "" } = options;
-  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
-  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -cacerts -nokeys -nodes -passin pass:${passphrase}`;
-  return await execute_openssl(cmd, {});
-}
-async function extractAllFromPFX(options) {
-  const [certificate, privateKey, caCertificates] = await Promise.all([
-    extractCertificateFromPFX(options),
-    extractPrivateKeyFromPFX(options),
-    extractCACertificatesFromPFX(options)
-  ]);
-  return { certificate, privateKey, caCertificates };
-}
-async function convertPFXtoPEM(pfxFile, pemFile, passphrase = "") {
-  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
-  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -out ${q2(n3(pemFile))} -nodes -passin pass:${passphrase}`;
-  await execute_openssl(cmd, {});
-}
-async function dumpPFX(pfxFile, passphrase = "") {
-  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
-  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -info -nodes -passin pass:${passphrase}`;
-  return await execute_openssl(cmd, {});
-}
 export {
   CertificateAuthority,
   CertificateManager,