node-opcua-pki 6.12.0 → 6.12.2

package/dist/index.d.mts

@@ -771,6 +771,7 @@ declare enum VerificationStatus {
     /** Validation OK. */
     Good = "Good"
 }
+declare function coerceCertificateChain(certificate: Certificate | Certificate[]): Certificate[];
 declare function makeFingerprint(certificate: Certificate | Certificate[] | CertificateRevocationList): string;
 /**
  * Check if the provided certificate acts as an issuer (CA)
@@ -918,15 +919,15 @@ declare class CertificateManager extends EventEmitter {
     /**
      * Move a certificate to the rejected store.
      * If the certificate was previously trusted, it will be removed from the trusted folder.
-     * @param certificate - the DER-encoded certificate
+     * @param certificateOrChain - the DER-encoded certificate or certificate chain
      */
-    rejectCertificate(certificate: Certificate): Promise<void>;
+    rejectCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
     /**
      * Move a certificate to the trusted store.
      * If the certificate was previously rejected, it will be removed from the rejected folder.
-     * @param certificate - the DER-encoded certificate
+     * @param certificateOrChain - the DER-encoded certificate or certificate chain
      */
-    trustCertificate(certificate: Certificate): Promise<void>;
+    trustCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
     /**
      * Check whether the trusted certificate store is empty.
      *
@@ -961,7 +962,7 @@ declare class CertificateManager extends EventEmitter {
      * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
      *   or `"BadCertificateInvalid"` if the certificate cannot be parsed.
      */
-    isCertificateTrusted(certificate: Certificate): Promise<"Good" | "BadCertificateUntrusted" | "BadCertificateInvalid">;
+    isCertificateTrusted(certificateOrCertificateChain: Certificate | Certificate[]): Promise<"Good" | "BadCertificateUntrusted" | "BadCertificateInvalid">;
     /**
      * Internal verification hook called by {@link verifyCertificate}.
      *
@@ -1304,4 +1305,4 @@ declare function dumpPFX(pfxFile: Filename, passphrase?: string): Promise<string
  */
 declare function install_prerequisite(): Promise<string>;
 
-export { type AddCertificateValidationOptions, CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type GenerateKeyPairAndSignOptions, type GenerateKeyPairAndSignPFXOptions, type InitializeCSRResult, type InstallCACertificateResult, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type SignCertificateOptions, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, isIntermediateIssuer, isIssuer, isRootIssuer, makeFingerprint, quote };
+export { type AddCertificateValidationOptions, CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type GenerateKeyPairAndSignOptions, type GenerateKeyPairAndSignPFXOptions, type InitializeCSRResult, type InstallCACertificateResult, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type SignCertificateOptions, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, coerceCertificateChain, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, isIntermediateIssuer, isIssuer, isRootIssuer, makeFingerprint, quote };

package/dist/index.d.ts

@@ -771,6 +771,7 @@ declare enum VerificationStatus {
     /** Validation OK. */
     Good = "Good"
 }
+declare function coerceCertificateChain(certificate: Certificate | Certificate[]): Certificate[];
 declare function makeFingerprint(certificate: Certificate | Certificate[] | CertificateRevocationList): string;
 /**
  * Check if the provided certificate acts as an issuer (CA)
@@ -918,15 +919,15 @@ declare class CertificateManager extends EventEmitter {
     /**
      * Move a certificate to the rejected store.
      * If the certificate was previously trusted, it will be removed from the trusted folder.
-     * @param certificate - the DER-encoded certificate
+     * @param certificateOrChain - the DER-encoded certificate or certificate chain
      */
-    rejectCertificate(certificate: Certificate): Promise<void>;
+    rejectCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
     /**
      * Move a certificate to the trusted store.
      * If the certificate was previously rejected, it will be removed from the rejected folder.
-     * @param certificate - the DER-encoded certificate
+     * @param certificateOrChain - the DER-encoded certificate or certificate chain
      */
-    trustCertificate(certificate: Certificate): Promise<void>;
+    trustCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
     /**
      * Check whether the trusted certificate store is empty.
      *
@@ -961,7 +962,7 @@ declare class CertificateManager extends EventEmitter {
      * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
      *   or `"BadCertificateInvalid"` if the certificate cannot be parsed.
      */
-    isCertificateTrusted(certificate: Certificate): Promise<"Good" | "BadCertificateUntrusted" | "BadCertificateInvalid">;
+    isCertificateTrusted(certificateOrCertificateChain: Certificate | Certificate[]): Promise<"Good" | "BadCertificateUntrusted" | "BadCertificateInvalid">;
     /**
      * Internal verification hook called by {@link verifyCertificate}.
      *
@@ -1304,4 +1305,4 @@ declare function dumpPFX(pfxFile: Filename, passphrase?: string): Promise<string
  */
 declare function install_prerequisite(): Promise<string>;
 
-export { type AddCertificateValidationOptions, CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type GenerateKeyPairAndSignOptions, type GenerateKeyPairAndSignPFXOptions, type InitializeCSRResult, type InstallCACertificateResult, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type SignCertificateOptions, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, isIntermediateIssuer, isIssuer, isRootIssuer, makeFingerprint, quote };
+export { type AddCertificateValidationOptions, CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerEvents, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CertificateStore, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type CrlStore, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type GenerateKeyPairAndSignOptions, type GenerateKeyPairAndSignPFXOptions, type InitializeCSRResult, type InstallCACertificateResult, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type SignCertificateOptions, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, coerceCertificateChain, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, isIntermediateIssuer, isIssuer, isRootIssuer, makeFingerprint, quote };

package/dist/index.js

@@ -37,6 +37,7 @@ __export(lib_exports, {
   VerificationStatus: () => VerificationStatus,
   adjustApplicationUri: () => adjustApplicationUri,
   adjustDate: () => adjustDate,
+  coerceCertificateChain: () => coerceCertificateChain,
   convertPFXtoPEM: () => convertPFXtoPEM,
   createPFX: () => createPFX,
   dumpPFX: () => dumpPFX,
@@ -744,7 +745,7 @@ async function createCertificateSigningRequestWithOpenSSL(certificateSigningRequ
 }
 
 // packages/node-opcua-pki/lib/pki/templates/simple_config_template.cnf.ts
-var config = '##################################################################################################\n## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\n################################################################################################################\n\ndistinguished_name       = req_distinguished_name\ndefault_md               = sha1\n\ndefault_md                = sha256                      # The default digest algorithm\n\n[ v3_ca ]\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier      = keyid:always,issuer:always\n\n# authorityKeyIdentifier    = keyid\nbasicConstraints            = CA:TRUE\nkeyUsage                    = critical, cRLSign, keyCertSign\nnsComment                   = "Self-signed Certificate for CA generated by Node-OPCUA Certificate utility"\n#nsCertType                 = sslCA, emailCA\n#subjectAltName             = email:copy\n#issuerAltName              = issuer:copy\n#obj                        = DER:02:03\n# crlDistributionPoints       = @crl_info\n# [ crl_info ]\n# URI.0                     = http://localhost:8900/crl.pem\nsubjectAltName              = $ENV::ALTNAME\n\n[ req ]\ndays                      = 390\nreq_extensions            = v3_req\nx509_extensions           = v3_ca\n\n[v3_req]\nbasicConstraints       = CA:false\nkeyUsage               = critical, cRLSign, keyCertSign\nsubjectAltName         = $ENV::ALTNAME\n\n[ v3_ca_signed]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "certificate generated by Node-OPCUA Certificate utility and signed by a CA"\nsubjectAltName            = $ENV::ALTNAME\n[ v3_selfsigned]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "Self-signed certificate generated by Node-OPCUA Certificate utility"\nsubjectAltName            = $ENV::ALTNAME\n[ req_distinguished_name ]\ncountryName             = Country Name (2 letter code)\ncountryName_default     = FR\ncountryName_min         = 2\ncountryName_max         = 2\n# stateOrProvinceName     = State or Province Name (full name)\n# stateOrProvinceName_default = Ile de France\n# localityName            = Locality Name (city, district)\n# localityName_default    = Paris\norganizationName          = Organization Name (company)\norganizationName_default  = NodeOPCUA\n# organizationalUnitName  = Organizational Unit Name (department, division)\n# organizationalUnitName_default = R&D\ncommonName                = Common Name (hostname, FQDN, IP, or your name)\ncommonName_max            = 256\ncommonName_default        = NodeOPCUA\n# emailAddress            = Email Address\n# emailAddress_max        = 40\n# emailAddress_default    = node-opcua (at) node-opcua (dot) com\nsubjectAltName            = $ENV::ALTNAME';
+var config = '##################################################################################################\n## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\n################################################################################################################\n\ndistinguished_name       = req_distinguished_name\ndefault_md               = sha1\n\ndefault_md                = sha256                      # The default digest algorithm\n\n[ v3_ca ]\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier      = keyid:always,issuer:always\n\n# authorityKeyIdentifier    = keyid\nbasicConstraints            = CA:TRUE\nkeyUsage                    = critical, cRLSign, keyCertSign\nnsComment                   = "Self-signed Certificate for CA generated by Node-OPCUA Certificate utility"\n#nsCertType                 = sslCA, emailCA\n#subjectAltName             = email:copy\n#issuerAltName              = issuer:copy\n#obj                        = DER:02:03\n# crlDistributionPoints       = @crl_info\n# [ crl_info ]\n# URI.0                     = http://localhost:8900/crl.pem\nsubjectAltName              = $ENV::ALTNAME\n\n[ req ]\ndays                      = 390\nreq_extensions            = v3_req\nx509_extensions           = v3_ca\n\n[v3_req]\nbasicConstraints       = CA:false\nkeyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\nsubjectAltName         = $ENV::ALTNAME\n\n[ v3_ca_signed]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "certificate generated by Node-OPCUA Certificate utility and signed by a CA"\nsubjectAltName            = $ENV::ALTNAME\n[ v3_selfsigned]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "Self-signed certificate generated by Node-OPCUA Certificate utility"\nsubjectAltName            = $ENV::ALTNAME\n[ req_distinguished_name ]\ncountryName             = Country Name (2 letter code)\ncountryName_default     = FR\ncountryName_min         = 2\ncountryName_max         = 2\n# stateOrProvinceName     = State or Province Name (full name)\n# stateOrProvinceName_default = Ile de France\n# localityName            = Locality Name (city, district)\n# localityName_default    = Paris\norganizationName          = Organization Name (company)\norganizationName_default  = NodeOPCUA\n# organizationalUnitName  = Organizational Unit Name (department, division)\n# organizationalUnitName_default = R&D\ncommonName                = Common Name (hostname, FQDN, IP, or your name)\ncommonName_max            = 256\ncommonName_default        = NodeOPCUA\n# emailAddress            = Email Address\n# emailAddress_max        = 40\n# emailAddress_default    = node-opcua (at) node-opcua (dot) com\nsubjectAltName            = $ENV::ALTNAME';
 var simple_config_template_cnf_default = config;
 
 // packages/node-opcua-pki/lib/ca/templates/ca_config_template.cnf.ts
@@ -839,7 +840,7 @@ nsComment                 = ''OpenSSL Generated Certificate''
 #nsRenewalUrl             =
 #nsCaPolicyUrl            =
 #nsSslServerName          =
-keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
+keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
 
 [ v3_req ]
@@ -1930,8 +1931,17 @@ var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   VerificationStatus2["Good"] = "Good";
   return VerificationStatus2;
 })(VerificationStatus || {});
+function coerceCertificateChain(certificate) {
+  if (Array.isArray(certificate)) {
+    if (certificate.length === 0) return [];
+    return certificate.reduce((acc, cert) => {
+      return acc.concat((0, import_node_opcua_crypto5.split_der)(cert));
+    }, []);
+  }
+  return (0, import_node_opcua_crypto5.split_der)(certificate);
+}
 function makeFingerprint(certificate) {
-  const chain = Array.isArray(certificate) ? certificate : (0, import_node_opcua_crypto5.split_der)(certificate);
+  const chain = coerceCertificateChain(certificate);
   return (0, import_node_opcua_crypto5.makeSHA1Thumbprint)(chain[0]).toString("hex");
 }
 function short(stringToShorten) {
@@ -1939,9 +1949,10 @@ function short(stringToShorten) {
 }
 var forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
 function buildIdealCertificateName(certificate) {
-  const fingerprint = makeFingerprint(certificate);
+  const chain = coerceCertificateChain(certificate);
+  const fingerprint = makeFingerprint(chain);
   try {
-    const commonName = (0, import_node_opcua_crypto5.exploreCertificate)(certificate).tbsCertificate.subject.commonName || "";
+    const commonName = (0, import_node_opcua_crypto5.exploreCertificate)(chain[0]).tbsCertificate.subject.commonName || "";
     const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
     return `${sanitizedCommonName}[${fingerprint}]`;
   } catch (_err) {
@@ -2003,7 +2014,8 @@ function isRootIssuer(certificate) {
   }
 }
 function findIssuerCertificateInChain(certificate, chain) {
-  const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+  const coercedCertificate = coerceCertificateChain(certificate);
+  const firstCertificate = coercedCertificate[0];
   if (!firstCertificate) {
     return null;
   }
@@ -2016,7 +2028,8 @@ function findIssuerCertificateInChain(certificate, chain) {
     debugLog("Certificate has no extension 3");
     return null;
   }
-  const potentialIssuers = chain.filter((c) => {
+  const coercedChain = coerceCertificateChain(chain);
+  const potentialIssuers = coercedChain.filter((c) => {
     const info = (0, import_node_opcua_crypto5.exploreCertificate)(c);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
@@ -2186,18 +2199,18 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
   /**
    * Move a certificate to the rejected store.
    * If the certificate was previously trusted, it will be removed from the trusted folder.
-   * @param certificate - the DER-encoded certificate
+   * @param certificateOrChain - the DER-encoded certificate or certificate chain
    */
-  async rejectCertificate(certificate) {
-    await this.#moveCertificate(certificate, "rejected");
+  async rejectCertificate(certificateOrChain) {
+    await this.#moveCertificate(certificateOrChain, "rejected");
   }
   /**
    * Move a certificate to the trusted store.
    * If the certificate was previously rejected, it will be removed from the rejected folder.
-   * @param certificate - the DER-encoded certificate
+   * @param certificateOrChain - the DER-encoded certificate or certificate chain
    */
-  async trustCertificate(certificate) {
-    await this.#moveCertificate(certificate, "trusted");
+  async trustCertificate(certificateOrChain) {
+    await this.#moveCertificate(certificateOrChain, "trusted");
   }
   /**
    * Check whether the trusted certificate store is empty.
@@ -2251,37 +2264,46 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
    *   or `"BadCertificateInvalid"` if the certificate cannot be parsed.
    */
-  async isCertificateTrusted(certificate) {
-    let fingerprint;
+  async isCertificateTrusted(certificateOrCertificateChain) {
     try {
-      fingerprint = makeFingerprint(certificate);
-    } catch (_err) {
-      return "BadCertificateInvalid";
-    }
-    if (this.#thumbs.trusted.has(fingerprint)) {
-      return "Good";
-    }
-    if (!this.#thumbs.rejected.has(fingerprint)) {
-      if (!this.untrustUnknownCertificate) {
-        return "Good";
+      const chain = coerceCertificateChain(certificateOrCertificateChain);
+      const leafCertificate = chain[0];
+      if (chain.length < 1) {
+        return "BadCertificateInvalid";
       }
+      let fingerprint;
       try {
-        (0, import_node_opcua_crypto5.exploreCertificateInfo)(certificate);
+        fingerprint = makeFingerprint(chain[0]);
       } catch (_err) {
         return "BadCertificateInvalid";
       }
-      const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
-      debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
-      await fsWriteFile(filename, (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE"));
-      this.#thumbs.rejected.set(fingerprint, { certificate, filename });
+      if (this.#thumbs.trusted.has(fingerprint)) {
+        return "Good";
+      }
+      if (!this.#thumbs.rejected.has(fingerprint)) {
+        if (!this.untrustUnknownCertificate) {
+          return "Good";
+        }
+        try {
+          (0, import_node_opcua_crypto5.exploreCertificateInfo)(chain[0]);
+        } catch (_err) {
+          return "BadCertificateInvalid";
+        }
+        const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(leafCertificate)}.pem`);
+        debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
+        await fsWriteFile(filename, (0, import_node_opcua_crypto5.toPem)(chain, "CERTIFICATE"));
+        this.#thumbs.rejected.set(fingerprint, { certificate: leafCertificate, filename });
+      }
+      return "BadCertificateUntrusted";
+    } catch (_err) {
+      return "BadCertificateInvalid";
     }
-    return "BadCertificateUntrusted";
   }
   async #innerVerifyCertificateAsync(certificateOrChain, _isIssuer, level, options) {
     if (level >= 5) {
       return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
     }
-    const chain = Array.isArray(certificateOrChain) ? certificateOrChain : [certificateOrChain];
+    const chain = coerceCertificateChain(certificateOrChain);
     debugLog("NB CERTIFICATE IN CHAIN = ", chain.length);
     const info = (0, import_node_opcua_crypto5.exploreCertificate)(chain[0]);
     let hasValidIssuer = false;
@@ -2336,7 +2358,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
           return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
         }
         hasValidIssuer = true;
-        let revokedStatus = await this.isCertificateRevoked(certificateOrChain);
+        let revokedStatus = await this.isCertificateRevoked(chain, issuerCertificate);
         if (revokedStatus === "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */) {
           if (options?.ignoreMissingRevocationList) {
             revokedStatus = "Good" /* Good */;
@@ -2361,11 +2383,11 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
           debugLog("Self-signed Certificate signature is not valid");
           return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
         }
-        const revokedStatus = await this.isCertificateRevoked(certificateOrChain);
+        const revokedStatus = await this.isCertificateRevoked(chain);
         debugLog("revokedStatus of self signed certificate:", revokedStatus);
       }
     }
-    const status = await this.#checkRejectedOrTrusted(certificateOrChain);
+    const status = await this.#checkRejectedOrTrusted(chain[0]);
     if (status === "rejected") {
       if (!(options.acceptCertificateWithValidIssuerChain && hasValidIssuer && hasTrustedIssuer)) {
         return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
@@ -2423,17 +2445,15 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    * @returns the verification status code
    */
   async verifyCertificateAsync(certificate, options) {
-    if (!Array.isArray(certificate)) {
+    const chain = coerceCertificateChain(certificate);
+    for (const element of chain) {
       try {
-        const derElements = (0, import_node_opcua_crypto5.split_der)(certificate);
-        for (const element of derElements) {
-          (0, import_node_opcua_crypto5.exploreCertificateInfo)(element);
-        }
+        (0, import_node_opcua_crypto5.exploreCertificateInfo)(element);
       } catch (_err) {
         return "BadCertificateInvalid" /* BadCertificateInvalid */;
       }
     }
-    const status1 = await this.#innerVerifyCertificateAsync(certificate, false, 0, options);
+    const status1 = await this.#innerVerifyCertificateAsync(chain, false, 0, options);
     return status1;
   }
   /**
@@ -2863,7 +2883,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
   async #addTrustedCertificateFromChainImpl(certificateChain) {
     let certificates;
     try {
-      certificates = Array.isArray(certificateChain) ? certificateChain : (0, import_node_opcua_crypto5.split_der)(certificateChain);
+      certificates = coerceCertificateChain(certificateChain);
     } catch (_err) {
       return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
@@ -2947,7 +2967,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
         return "BadCertificateInvalid" /* BadCertificateInvalid */;
       }
     }
-    await this.trustCertificate(leafCertificate);
+    await this.trustCertificate(certificates);
     return "Good" /* Good */;
   }
   /**
@@ -2990,7 +3010,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    *
    */
   async findIssuerCertificate(certificate) {
-    const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+    const firstCertificate = coerceCertificateChain(certificate)[0];
     const certInfo = (0, import_node_opcua_crypto5.exploreCertificate)(firstCertificate);
     if (isSelfSigned2(certInfo)) {
       return firstCertificate;
@@ -3027,7 +3047,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    * @private
    */
   async #checkRejectedOrTrusted(certificate) {
-    const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+    const firstCertificate = coerceCertificateChain(certificate)[0];
     const fingerprint = makeFingerprint(firstCertificate);
     debugLog("#checkRejectedOrTrusted fingerprint ", short(fingerprint));
     await this.#readCertificates();
@@ -3039,12 +3059,14 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
     }
     return "unknown";
   }
-  async #moveCertificate(certificate, newStatus) {
+  async #moveCertificate(certificateOrChain, newStatus) {
     await this.withLock2(async () => {
+      const chain = coerceCertificateChain(certificateOrChain);
+      const certificate = chain[0];
       const fingerprint = makeFingerprint(certificate);
       let status = await this.#checkRejectedOrTrusted(certificate);
       if (status === "unknown") {
-        const pem = (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE");
+        const pem = (0, import_node_opcua_crypto5.toPem)(chain, "CERTIFICATE");
         const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
         await import_node_fs10.default.promises.writeFile(filename, pem);
         this.#thumbs.rejected.set(fingerprint, { certificate, filename });
@@ -3094,13 +3116,17 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    *   found.
    */
   async isCertificateRevoked(certificate, issuerCertificate) {
-    const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+    const chain = coerceCertificateChain(certificate);
+    const firstCertificate = chain[0];
     if (isSelfSigned3(firstCertificate)) {
       return "Good" /* Good */;
     }
     if (!issuerCertificate) {
       issuerCertificate = await this.findIssuerCertificate(firstCertificate);
     }
+    if (!issuerCertificate) {
+      issuerCertificate = findIssuerCertificateInChain(firstCertificate, chain);
+    }
     if (!issuerCertificate) {
       return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
     }
@@ -3227,7 +3253,25 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
       try {
         const stat = await import_node_fs10.default.promises.stat(filename);
         if (!stat.isFile()) continue;
-        const certificate = (await (0, import_node_opcua_crypto5.readCertificateChainAsync)(filename))[0];
+        const certs = await (0, import_node_opcua_crypto5.readCertificateChainAsync)(filename);
+        if (certs.length === 0) continue;
+        const certificate = certs[0];
+        if (certs.length > 1) {
+          try {
+            await import_node_fs10.default.promises.writeFile(filename, (0, import_node_opcua_crypto5.toPem)(certs, "CERTIFICATE"), "ascii");
+          } catch (writeErr) {
+            debugLog(`scanCertFolder: could not rewrite legacy PEM ${filename} (read-only fs?)`, writeErr);
+          }
+          for (let i = 1; i < certs.length; i++) {
+            if (isIssuer(certs[i])) {
+              try {
+                await this.addIssuer(certs[i]);
+              } catch (issuerErr) {
+                debugLog(`scanCertFolder: could not auto-register issuer from ${filename}`, issuerErr);
+              }
+            }
+          }
+        }
         const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
         const fingerprint = makeFingerprint(certificate);
         index.set(fingerprint, { certificate, filename, info });
@@ -3380,6 +3424,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
   VerificationStatus,
   adjustApplicationUri,
   adjustDate,
+  coerceCertificateChain,
   convertPFXtoPEM,
   createPFX,
   dumpPFX,