node-opcua-pki 6.3.0 → 6.5.0

package/dist/index.d.mts

@@ -1,142 +1,317 @@
 import { SubjectOptions, CertificatePurpose, Subject, Certificate, DER, CertificateRevocationList } from 'node-opcua-crypto';
 export { Subject, SubjectOptions } from 'node-opcua-crypto';
 
+/** RSA key size in bits. */
 type KeySize = 1024 | 2048 | 3072 | 4096;
+/** Hex-encoded SHA-1 certificate thumbprint. */
 type Thumbprint = string;
+/** A filesystem path to a file. */
 type Filename = string;
+/** Status of a certificate in the trust store. */
 type CertificateStatus = "unknown" | "trusted" | "rejected";
 
+/**
+ * @deprecated Use {@link KeySize} instead.
+ */
 type KeyLength = 1024 | 2048 | 3072 | 4096;
 declare function quote(str?: string): string;
+/**
+ * Subject Alternative Name (SAN) parameters for certificate
+ * generation.
+ */
 interface ProcessAltNamesParam {
+    /** DNS host names to include in the SAN extension. */
     dns?: string[];
+    /** IP addresses to include in the SAN extension. */
     ip?: string[];
+    /** OPC UA application URI for the SAN extension. */
     applicationUri?: string;
 }
+/**
+ * Options for creating a Certificate Signing Request (CSR).
+ */
 interface CreateCertificateSigningRequestOptions extends ProcessAltNamesParam {
+    /** X.500 subject for the certificate. */
     subject?: SubjectOptions | string;
 }
+/**
+ * Extended CSR options that include filesystem paths and
+ * certificate purpose — used internally by the OpenSSL toolbox.
+ */
 interface CreateCertificateSigningRequestWithConfigOptions extends CreateCertificateSigningRequestOptions {
+    /** Root directory of the PKI store. */
     rootDir: Filename;
+    /** Path to the OpenSSL configuration file. */
     configFile: Filename;
+    /** Path to the private key file. */
     privateKey: Filename;
+    /** Intended purpose of the certificate. */
     purpose: CertificatePurpose;
 }
+/**
+ * Validity period parameters for certificate generation.
+ */
 interface StartDateEndDateParam {
+    /** Certificate "Not Before" date. Defaults to now. */
     startDate?: Date;
+    /** Certificate "Not After" date (computed from validity). */
     endDate?: Date;
+    /** Number of days the certificate is valid. @defaultValue 365 */
     validity?: number;
 }
+/**
+ * Parameters for creating a self-signed certificate.
+ */
 interface CreateSelfSignCertificateParam extends ProcessAltNamesParam, StartDateEndDateParam {
+    /** X.500 subject for the certificate. */
     subject?: SubjectOptions | string;
 }
+/**
+ * Extended self-signed certificate options that include
+ * filesystem paths and purpose — used internally.
+ */
 interface CreateSelfSignCertificateWithConfigParam extends CreateSelfSignCertificateParam {
+    /** Root directory of the PKI store. */
     rootDir: Filename;
+    /** Path to the OpenSSL configuration file. */
     configFile: Filename;
+    /** Path to the private key file. */
     privateKey: Filename;
+    /** Intended purpose of the certificate. */
     purpose: CertificatePurpose;
 }
+/**
+ * General-purpose parameters passed to CA operations such as
+ * {@link CertificateAuthority.signCertificateRequest} and
+ * {@link CertificateAuthority.revokeCertificate}.
+ */
 interface Params extends ProcessAltNamesParam, StartDateEndDateParam {
+    /** X.500 subject for the certificate. */
     subject?: SubjectOptions | string;
+    /** Path to the private key file. */
     privateKey?: string;
+    /** Path to the OpenSSL configuration file. */
     configFile?: string;
+    /** Root directory of the PKI store. */
     rootDir?: string;
+    /** Output filename for the generated certificate. */
     outputFile?: string;
+    /** CRL revocation reason (e.g. `"keyCompromise"`). */
     reason?: string;
 }
 declare function adjustDate(params: StartDateEndDateParam): void;
 declare function adjustApplicationUri(params: Params): void;
 
-declare function certificateFileExist(certificateFile: string): boolean;
-declare function mkdirRecursiveSync(folder: string): void;
-declare function makePath(folderName: string, filename?: string): string;
-
-declare const g_config: {
-    opensslVersion: string;
-    silent: boolean;
-    force: boolean;
-};
-
-declare const doDebug: string | boolean;
-declare const displayError = true;
-declare const displayDebug: boolean;
-declare function debugLog(...args: unknown[]): void;
-declare function warningLog(...args: unknown[]): void;
-
-declare function displayChapter(str: string): void;
-declare function displayTitle(str: string): void;
-declare function displaySubtitle(str: string): void;
-declare function display(str: string): void;
-
+/**
+ * Options for creating a {@link CertificateAuthority}.
+ */
 interface CertificateAuthorityOptions {
+    /** RSA key size for the CA private key. */
     keySize: KeySize;
+    /** Filesystem path where the CA directory structure is stored. */
     location: string;
+    /**
+     * X.500 subject for the CA certificate.
+     * Accepts a slash-delimited string (e.g. `"/CN=My CA/O=Acme"`) or
+     * a structured {@link SubjectOptions} object.
+     *
+     * @defaultValue {@link defaultSubject}
+     */
     subject?: string | SubjectOptions;
 }
+/**
+ * An OpenSSL-based Certificate Authority (CA) that can create,
+ * sign, and revoke X.509 certificates.
+ *
+ * The CA maintains a standard OpenSSL directory layout under
+ * {@link CertificateAuthority.rootDir | rootDir}:
+ *
+ * ```
+ * <location>/
+ *   ├── conf/           OpenSSL configuration
+ *   ├── private/        CA private key (cakey.pem)
+ *   ├── public/         CA certificate  (cacert.pem)
+ *   ├── certs/          Signed certificates
+ *   ├── crl/            Revocation lists
+ *   ├── serial          Next serial number
+ *   ├── crlnumber       Next CRL number
+ *   └── index.txt       Certificate database
+ * ```
+ *
+ * @example
+ * ```ts
+ * const ca = new CertificateAuthority({
+ *     keySize: 2048,
+ *     location: "/var/pki/CA"
+ * });
+ * await ca.initialize();
+ * ```
+ */
 declare class CertificateAuthority {
+    /** RSA key size used when generating the CA private key. */
     readonly keySize: KeySize;
+    /** Root filesystem path of the CA directory structure. */
     readonly location: string;
+    /** X.500 subject of the CA certificate. */
     readonly subject: Subject;
     constructor(options: CertificateAuthorityOptions);
+    /** Absolute path to the CA root directory (alias for {@link location}). */
     get rootDir(): string;
+    /** Path to the OpenSSL configuration file (`conf/caconfig.cnf`). */
     get configFile(): string;
+    /** Path to the CA certificate in PEM format (`public/cacert.pem`). */
     get caCertificate(): string;
     /**
-     * the file name where  the current Certificate Revocation List is stored (in DER format)
+     * Path to the current Certificate Revocation List in DER format.
+     * (`crl/revocation_list.der`)
      */
     get revocationListDER(): string;
     /**
-     * the file name where  the current Certificate Revocation List is stored (in PEM format)
+     * Path to the current Certificate Revocation List in PEM format.
+     * (`crl/revocation_list.crl`)
      */
     get revocationList(): string;
+    /**
+     * Path to the concatenated CA certificate + CRL file.
+     * Used by OpenSSL for CRL-based verification.
+     */
     get caCertificateWithCrl(): string;
+    /**
+     * Initialize the CA directory structure, generate the CA
+     * private key and self-signed certificate if they do not
+     * already exist.
+     */
     initialize(): Promise<void>;
+    /**
+     * Rebuild the combined CA certificate + CRL file.
+     *
+     * This concatenates the CA certificate with the current
+     * revocation list so that OpenSSL can verify certificates
+     * with CRL checking enabled.
+     */
     constructCACertificateWithCRL(): Promise<void>;
+    /**
+     * Append the CA certificate to a signed certificate file,
+     * creating a PEM certificate chain.
+     *
+     * @param certificate - path to the certificate file to extend
+     */
     constructCertificateChain(certificate: Filename): Promise<void>;
+    /**
+     * Create a self-signed certificate using OpenSSL.
+     *
+     * @param certificateFile - output path for the signed certificate
+     * @param privateKey - path to the private key file
+     * @param params - certificate parameters (subject, validity, SANs)
+     */
     createSelfSignedCertificate(certificateFile: Filename, privateKey: Filename, params: Params): Promise<void>;
     /**
-     * revoke a certificate and update the CRL
+     * Revoke a certificate and regenerate the CRL.
      *
-     * @method revokeCertificate
-     * @param certificate -  the certificate to revoke
-     * @param params
-     * @param [params.reason = "keyCompromise" {String}]
-     * @async
+     * @param certificate - path to the certificate file to revoke
+     * @param params - revocation parameters
+     * @param params.reason - CRL reason code
+     *   (default `"keyCompromise"`)
      */
     revokeCertificate(certificate: Filename, params: Params): Promise<void>;
     /**
+     * Sign a Certificate Signing Request (CSR) with this CA.
+     *
+     * The signed certificate is written to `certificate`, and the
+     * CA certificate chain plus CRL are appended to form a
+     * complete certificate chain.
      *
-     * @param certificate            - the certificate filename to generate
-     * @param certificateSigningRequestFilename   - the certificate signing request
-     * @param params                 - parameters
-     * @param params.applicationUri  - the applicationUri
-     * @param params.startDate       - startDate of the certificate
-     * @param params.validity        - number of day of validity of the certificate
+     * @param certificate - output path for the signed certificate
+     * @param certificateSigningRequestFilename - path to the CSR
+     * @param params1 - signing parameters (validity, dates, SANs)
+     * @returns the path to the signed certificate
      */
     signCertificateRequest(certificate: Filename, certificateSigningRequestFilename: Filename, params1: Params): Promise<Filename>;
+    /**
+     * Verify a certificate against this CA.
+     *
+     * @param certificate - path to the certificate file to verify
+     */
     verifyCertificate(certificate: Filename): Promise<void>;
 }
 
-declare function main(argumentsList: string | string[]): Promise<void>;
-
+/**
+ * Options for creating a {@link CertificateManager}.
+ */
 interface CertificateManagerOptions {
+    /**
+     * RSA key size for generated private keys.
+     * @defaultValue 2048
+     */
     keySize?: KeySize;
+    /** Filesystem path where the PKI directory structure is stored. */
     location: string;
 }
+/**
+ * Parameters for {@link createSelfSignedCertificate}.
+ * All fields from {@link CreateSelfSignCertificateParam} are required.
+ */
 interface CreateSelfSignCertificateParam1 extends CreateSelfSignCertificateParam {
+    /**
+     * Output path for the certificate.
+     * @defaultValue `"own/certs/self_signed_certificate.pem"`
+     */
     outputFile?: Filename;
+    /** X.500 subject for the certificate. */
     subject: SubjectOptions | string;
+    /** OPC UA application URI for the SAN extension. */
     applicationUri: string;
+    /** DNS host names to include in the SAN extension. */
     dns: string[];
+    /** Certificate "Not Before" date. */
     startDate: Date;
+    /** Number of days the certificate is valid. */
     validity: number;
 }
+/**
+ * Options to fine-tune certificate verification behaviour.
+ * Passed to {@link CertificateManager.verifyCertificate}.
+ *
+ * Without any options, `verifyCertificate` is **strict**: only
+ * certificates that are explicitly present in the trusted store
+ * will return {@link VerificationStatus.Good}. Unknown or
+ * rejected certificates return
+ * {@link VerificationStatus.BadCertificateUntrusted} even when
+ * their issuer chain is valid.
+ *
+ * Set {@link acceptCertificateWithValidIssuerChain} to `true`
+ * to accept certificates whose issuer chain validates against
+ * a trusted CA — even if the leaf certificate itself is not
+ * in the trusted store.
+ */
 interface VerifyCertificateOptions {
+    /** Accept certificates whose "Not After" date has passed. */
     acceptOutdatedCertificate?: boolean;
+    /** Accept issuer certificates whose "Not After" date has passed. */
     acceptOutDatedIssuerCertificate?: boolean;
+    /** Do not fail when a CRL is missing for an issuer. */
     ignoreMissingRevocationList?: boolean;
+    /** Accept certificates whose "Not Before" date is in the future. */
     acceptPendingCertificate?: boolean;
+    /**
+     * Accept a certificate that is not in the trusted store when
+     * its issuer (CA) certificate is trusted, the signature is
+     * valid, and the certificate does not appear in the CRL.
+     *
+     * When `false` (the default), only certificates explicitly
+     * placed in the trusted store are accepted — this is the
+     * same behaviour as {@link CertificateManager.isCertificateTrusted}.
+     *
+     * @defaultValue false
+     */
+    acceptCertificateWithValidIssuerChain?: boolean;
 }
+/**
+ * OPC UA certificate verification status codes.
+ *
+ * These mirror the OPC UA `StatusCode` values for certificate
+ * validation results.
+ */
 declare enum VerificationStatus {
     /** The certificate provided as a parameter is not valid. */
     BadCertificateInvalid = "BadCertificateInvalid",
@@ -171,7 +346,18 @@ declare enum VerificationStatus {
     /** Validation OK. */
     Good = "Good"
 }
+/**
+ * Find the issuer certificate for a given certificate within
+ * a provided certificate chain.
+ *
+ * @param certificate - the DER-encoded certificate whose issuer to find
+ * @param chain - candidate issuer certificates to search
+ * @returns the matching issuer certificate, or `null` if not found
+ */
 declare function findIssuerCertificateInChain(certificate: Certificate, chain: Certificate[]): Certificate | null;
+/**
+ * Lifecycle state of a {@link CertificateManager} instance.
+ */
 declare enum CertificateManagerState {
     Uninitialized = 0,
     Initializing = 1,
@@ -179,35 +365,107 @@ declare enum CertificateManagerState {
     Disposing = 3,
     Disposed = 4
 }
+/**
+ * Manages a GDS-compliant PKI directory structure for an OPC UA
+ * application.
+ *
+ * The PKI store layout follows the OPC UA specification:
+ *
+ * ```
+ * <location>/
+ *   ├── own/
+ *   │   ├── certs/        Own certificate(s)
+ *   │   └── private/      Own private key
+ *   ├── trusted/
+ *   │   ├── certs/        Trusted peer certificates
+ *   │   └── crl/          CRLs for trusted certs
+ *   ├── rejected/         Untrusted / rejected certificates
+ *   └── issuers/
+ *       ├── certs/        CA (issuer) certificates
+ *       └── crl/          CRLs for issuer certificates
+ * ```
+ *
+ * File-system watchers keep the in-memory indexes in sync with
+ * on-disk changes. Call {@link dispose} when the instance is no
+ * longer needed to release watchers and allow the process to
+ * exit cleanly.
+ *
+ * @example
+ * ```ts
+ * const cm = new CertificateManager({ location: "/var/pki" });
+ * await cm.initialize();
+ * const status = await cm.verifyCertificate(cert);
+ * await cm.dispose();
+ * ```
+ */
 declare class CertificateManager {
+    #private;
+    /**
+     * Dispose **all** active CertificateManager instances,
+     * closing their file watchers and freeing resources.
+     *
+     * This is mainly useful in test tear-down to ensure the
+     * Node.js process can exit cleanly.
+     */
+    static disposeAll(): Promise<void>;
+    /**
+     * Assert that all CertificateManager instances have been
+     * properly disposed. Throws an Error listing the locations
+     * of any leaked instances.
+     *
+     * Intended for use in test `afterAll()` / `afterEach()`
+     * hooks to catch missing `dispose()` calls early.
+     *
+     * @example
+     * ```ts
+     * after(() => {
+     *     CertificateManager.checkAllDisposed();
+     * });
+     * ```
+     */
+    static checkAllDisposed(): void;
+    /**
+     * When `true` (the default), any certificate that is not
+     * already in the trusted or rejected store is automatically
+     * written to the rejected folder the first time it is seen.
+     */
     untrustUnknownCertificate: boolean;
+    /** Current lifecycle state of this instance. */
     state: CertificateManagerState;
+    /** @deprecated Use {@link folderPollingInterval} instead (typo fix). */
     folderPoolingInterval: number;
+    /** Interval in milliseconds for file-system polling (when enabled). */
+    get folderPollingInterval(): number;
+    set folderPollingInterval(value: number);
+    /** RSA key size used when generating the private key. */
     readonly keySize: KeySize;
-    private readonly location;
-    private readonly _watchers;
-    private _readCertificatesCalled;
-    private readonly _filenameToHash;
-    private readonly _thumbs;
+    /**
+     * Create a new CertificateManager.
+     *
+     * The constructor creates the root directory if it does not
+     * exist but does **not** initialise the PKI store — call
+     * {@link initialize} before using any other method.
+     *
+     * @param options - configuration options
+     */
     constructor(options: CertificateManagerOptions);
+    /** Path to the OpenSSL configuration file. */
     get configFile(): string;
+    /** Root directory of the PKI store. */
     get rootDir(): string;
+    /** Path to the private key file (`own/private/private_key.pem`). */
     get privateKey(): string;
+    /** Path to the OpenSSL random seed file. */
     get randomFile(): string;
-    /**
-     * returns the certificate status trusted/rejected
-     * @param certificate
-     */
-    getCertificateStatus(certificate: Buffer): Promise<CertificateStatus>;
     /**
      * Move a certificate to the rejected store.
-     * If the certificate was previously trusted, it will be moved.
+     * If the certificate was previously trusted, it will be removed from the trusted folder.
      * @param certificate - the DER-encoded certificate
      */
     rejectCertificate(certificate: Certificate): Promise<void>;
     /**
      * Move a certificate to the trusted store.
-     * If the certificate was previously rejected, it will be moved.
+     * If the certificate was previously rejected, it will be removed from the rejected folder.
      * @param certificate - the DER-encoded certificate
      */
     trustCertificate(certificate: Certificate): Promise<void>;
@@ -221,6 +479,9 @@ declare class CertificateManager {
     get issuersCertFolder(): string;
     /** Path to the issuer CRL folder. */
     get issuersCrlFolder(): string;
+    /** Path to the own certificate folder. */
+    get ownCertFolder(): string;
+    get ownPrivateFolder(): string;
     /**
      * Check if a certificate is in the trusted store.
      * If the certificate is unknown and `untrustUnknownCertificate` is set,
@@ -230,29 +491,75 @@ declare class CertificateManager {
      *   or `"BadCertificateInvalid"` if the certificate cannot be parsed.
      */
     isCertificateTrusted(certificate: Certificate): Promise<string>;
-    _innerVerifyCertificateAsync(certificate: Certificate, _isIssuer: boolean, level: number, options: VerifyCertificateOptions): Promise<VerificationStatus>;
+    /**
+     * Internal verification hook called by {@link verifyCertificate}.
+     *
+     * Subclasses can override this to inject additional validation
+     * logic (e.g. application-level policy checks) while still
+     * delegating to the default chain/CRL/trust verification.
+     *
+     * @param certificate - the DER-encoded certificate to verify
+     * @param options - verification options forwarded from the
+     *   public API
+     * @returns the verification status code
+     */
     protected verifyCertificateAsync(certificate: Certificate, options: VerifyCertificateOptions): Promise<VerificationStatus>;
     /**
-     * Verify certificate validity
-     * @method verifyCertificate
-     * @param certificate
+     * Verify a certificate against the PKI trust store.
+     *
+     * This performs a full validation including trust status,
+     * issuer chain, CRL revocation checks, and time validity.
+     *
+     * @param certificate - the DER-encoded certificate to verify
+     * @param options - optional flags to relax validation rules
+     * @returns the verification status code
      */
     verifyCertificate(certificate: Certificate, options?: VerifyCertificateOptions): Promise<VerificationStatus>;
+    /**
+     * Initialize the PKI directory structure, generate the
+     * private key (if missing), and start file-system watchers.
+     *
+     * This method is idempotent — subsequent calls are no-ops.
+     * It must be called before any certificate operations.
+     */
     initialize(): Promise<void>;
-    private _initialize;
     /**
      * Dispose of the CertificateManager, releasing file watchers
      * and other resources. The instance should not be used after
      * calling this method.
      */
     dispose(): Promise<void>;
+    /**
+     * Force a full re-scan of all PKI folders, rebuilding
+     * the in-memory `_thumbs` index from scratch.
+     *
+     * Call this after external processes have modified the
+     * PKI folders (e.g. via `writeTrustList` or CLI tools)
+     * to ensure the CertificateManager sees the latest
+     * state without waiting for file-system events.
+     */
+    reloadCertificates(): Promise<void>;
     protected withLock2<T>(action: () => Promise<T>): Promise<T>;
     /**
+     * Create a self-signed certificate for this PKI's private key.
      *
-     * create a self-signed certificate for the CertificateManager private key
+     * The certificate is written to `params.outputFile` or
+     * `own/certs/self_signed_certificate.pem` by default.
      *
+     * @param params - certificate parameters (subject, SANs,
+     *   validity, etc.)
      */
     createSelfSignedCertificate(params: CreateSelfSignCertificateParam1): Promise<void>;
+    /**
+     * Create a Certificate Signing Request (CSR) using this
+     * PKI's private key and configuration.
+     *
+     * The CSR file is written to `own/certs/` with a timestamped
+     * filename.
+     *
+     * @param params - CSR parameters (subject, SANs)
+     * @returns the filesystem path to the generated CSR file
+     */
     createCertificateRequest(params: CreateSelfSignCertificateParam): Promise<Filename>;
     /**
      * Add a CA (issuer) certificate to the issuers store.
@@ -351,26 +658,158 @@ declare class CertificateManager {
      */
     findIssuerCertificate(certificate: Certificate): Promise<Certificate | null>;
     /**
-     * @internal
-     * @private
+     * Check whether a certificate has been revoked by its issuer's CRL.
+     *
+     * - Self-signed certificates are never considered revoked.
+     * - If no `issuerCertificate` is provided, the method attempts
+     *   to find it via {@link findIssuerCertificate}.
+     *
+     * @param certificate - the DER-encoded certificate to check
+     * @param issuerCertificate - optional issuer certificate; looked
+     *   up automatically when omitted
+     * @returns `Good` if not revoked, `BadCertificateRevoked` if the
+     *   serial number appears in a CRL,
+     *   `BadCertificateRevocationUnknown` if no CRL is available,
+     *   or `BadCertificateChainIncomplete` if the issuer cannot be
+     *   found.
      */
-    _checkRejectedOrTrusted(certificate: Buffer): Promise<CertificateStatus>;
-    private _moveCertificate;
-    private _findAssociatedCRLs;
     isCertificateRevoked(certificate: Certificate, issuerCertificate?: Certificate | null): Promise<VerificationStatus>;
-    private _pending_crl_to_process;
-    private _on_crl_process?;
-    private queue;
-    private _on_crl_file_added;
-    private _process_next_crl;
-    private _readCertificates;
-    private waitAndCheckCRLProcessingStatus;
 }
 
+/**
+ * Options for creating a PFX (PKCS#12) file.
+ */
+interface CreatePFXOptions {
+    /** Path to the certificate file (PEM or DER). */
+    certificateFile: Filename;
+    /** Path to the private key file (PEM). */
+    privateKeyFile: Filename;
+    /** Output path for the generated PFX file. */
+    outputFile: Filename;
+    /**
+     * Optional passphrase to protect the PFX file.
+     * If omitted, the PFX is created without a password.
+     */
+    passphrase?: string;
+    /**
+     * Optional path(s) to CA / intermediate certificate files
+     * to include in the PFX bundle.
+     */
+    caCertificateFiles?: Filename[];
+}
+/**
+ * Options for extracting data from a PFX (PKCS#12) file.
+ */
+interface ExtractPFXOptions {
+    /** Path to the PFX file. */
+    pfxFile: Filename;
+    /**
+     * Passphrase used when the PFX was created.
+     * Pass an empty string for unprotected PFX files.
+     */
+    passphrase?: string;
+}
+/**
+ * Result of extracting data from a PFX file.
+ */
+interface ExtractPFXResult {
+    /** The certificate in PEM format. */
+    certificate: string;
+    /** The private key in PEM format. */
+    privateKey: string;
+    /**
+     * The CA / intermediate certificates in PEM format
+     * (empty string if none).
+     */
+    caCertificates: string;
+}
+/**
+ * Create a PFX (PKCS#12) file from a certificate and private key.
+ *
+ * Wraps:
+ * ```
+ * openssl pkcs12 -export
+ *   -in <cert> -inkey <key>
+ *   [-certfile <ca>]
+ *   -out <pfx>
+ *   -passout pass:<passphrase>
+ * ```
+ *
+ * @param options — see {@link CreatePFXOptions}
+ */
+declare function createPFX(options: CreatePFXOptions): Promise<void>;
+/**
+ * Extract the client/server certificate from a PFX file.
+ *
+ * Wraps:
+ * ```
+ * openssl pkcs12 -in <pfx> -clcerts -nokeys
+ *   -passin pass:<passphrase>
+ * ```
+ *
+ * @returns the certificate in PEM format.
+ */
+declare function extractCertificateFromPFX(options: ExtractPFXOptions): Promise<string>;
+/**
+ * Extract the private key from a PFX file.
+ *
+ * Wraps:
+ * ```
+ * openssl pkcs12 -in <pfx> -nocerts -nodes
+ *   -passin pass:<passphrase>
+ * ```
+ *
+ * @returns the private key in PEM format.
+ */
+declare function extractPrivateKeyFromPFX(options: ExtractPFXOptions): Promise<string>;
+/**
+ * Extract the CA / intermediate certificates from a PFX file.
+ *
+ * Wraps:
+ * ```
+ * openssl pkcs12 -in <pfx> -cacerts -nokeys -nodes
+ *   -passin pass:<passphrase>
+ * ```
+ *
+ * @returns the CA certificates in PEM format
+ *          (empty string if none are present).
+ */
+declare function extractCACertificatesFromPFX(options: ExtractPFXOptions): Promise<string>;
+/**
+ * Extract certificate + private key + CA certs from a PFX file
+ * in a single call.
+ *
+ * @returns an {@link ExtractPFXResult} with all PEM-encoded parts.
+ */
+declare function extractAllFromPFX(options: ExtractPFXOptions): Promise<ExtractPFXResult>;
+/**
+ * Convert a PFX file to a single PEM file containing both the
+ * certificate and the private key.
+ *
+ * Wraps:
+ * ```
+ * openssl pkcs12 -in <pfx> -out <pem> -nodes
+ *   -passin pass:<passphrase>
+ * ```
+ */
+declare function convertPFXtoPEM(pfxFile: Filename, pemFile: Filename, passphrase?: string): Promise<void>;
+/**
+ * Dump the contents of a PFX file in human-readable form.
+ *
+ * Wraps:
+ * ```
+ * openssl pkcs12 -in <pfx> -info -noout
+ *   -passin pass:<passphrase>
+ * ```
+ *
+ * @returns the human-readable dump as a string.
+ */
+declare function dumpPFX(pfxFile: Filename, passphrase?: string): Promise<string>;
+
 /**
  *
  * return path to the openssl executable
  */
 declare function install_prerequisite(): Promise<string>;
 
-export { CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type Filename, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, certificateFileExist, debugLog, display, displayChapter, displayDebug, displayError, displaySubtitle, displayTitle, doDebug, findIssuerCertificateInChain, g_config, install_prerequisite, makePath, mkdirRecursiveSync, main as pki_main, quote, warningLog };
+export { CertificateAuthority, type CertificateAuthorityOptions, CertificateManager, type CertificateManagerOptions, CertificateManagerState, type CertificateStatus, type CreateCertificateSigningRequestOptions, type CreateCertificateSigningRequestWithConfigOptions, type CreatePFXOptions, type CreateSelfSignCertificateParam, type CreateSelfSignCertificateParam1, type CreateSelfSignCertificateWithConfigParam, type ExtractPFXOptions, type ExtractPFXResult, type Filename, type KeyLength, type KeySize, type Params, type ProcessAltNamesParam, type StartDateEndDateParam, type Thumbprint, VerificationStatus, type VerifyCertificateOptions, adjustApplicationUri, adjustDate, convertPFXtoPEM, createPFX, dumpPFX, extractAllFromPFX, extractCACertificatesFromPFX, extractCertificateFromPFX, extractPrivateKeyFromPFX, findIssuerCertificateInChain, install_prerequisite, quote };