node-opcua-pki 6.3.0 → 6.5.0

package/dist/index.js

@@ -37,23 +37,16 @@ __export(lib_exports, {
   VerificationStatus: () => VerificationStatus,
   adjustApplicationUri: () => adjustApplicationUri,
   adjustDate: () => adjustDate,
-  certificateFileExist: () => certificateFileExist,
-  debugLog: () => debugLog,
-  display: () => display,
-  displayChapter: () => displayChapter,
-  displayDebug: () => displayDebug,
-  displayError: () => displayError,
-  displaySubtitle: () => displaySubtitle,
-  displayTitle: () => displayTitle,
-  doDebug: () => doDebug,
+  convertPFXtoPEM: () => convertPFXtoPEM,
+  createPFX: () => createPFX,
+  dumpPFX: () => dumpPFX,
+  extractAllFromPFX: () => extractAllFromPFX,
+  extractCACertificatesFromPFX: () => extractCACertificatesFromPFX,
+  extractCertificateFromPFX: () => extractCertificateFromPFX,
+  extractPrivateKeyFromPFX: () => extractPrivateKeyFromPFX,
   findIssuerCertificateInChain: () => findIssuerCertificateInChain,
-  g_config: () => g_config,
   install_prerequisite: () => install_prerequisite,
-  makePath: () => makePath,
-  mkdirRecursiveSync: () => mkdirRecursiveSync,
-  pki_main: () => main,
-  quote: () => quote,
-  warningLog: () => warningLog
+  quote: () => quote
 });
 module.exports = __toCommonJS(lib_exports);
 
@@ -142,13 +135,6 @@ function makePath(folderName, filename) {
 
 // packages/node-opcua-pki/lib/toolbox/display.ts
 var import_chalk2 = __toESM(require("chalk"));
-function displayChapter(str) {
-  const l = "                                                                                               ";
-  warningLog(`${import_chalk2.default.bgWhite(l)} `);
-  str = `        ${str}${l}`.substring(0, l.length);
-  warningLog(import_chalk2.default.bgWhite.cyan(str));
-  warningLog(`${import_chalk2.default.bgWhite(l)} `);
-}
 function displayTitle(str) {
   if (!g_config.silent) {
     warningLog("");
@@ -647,12 +633,6 @@ function generateStaticConfig(configPath, options) {
     return temporaryConfigPath;
   }
 }
-var q = quote;
-var n2 = makePath;
-async function getPublicKeyFromPrivateKey(privateKeyFilename, publicKeyFilename) {
-  (0, import_node_assert4.default)(import_node_fs4.default.existsSync(privateKeyFilename));
-  await execute_openssl(`rsa -pubout -in ${q(n2(privateKeyFilename))} -out ${q(n2(publicKeyFilename))}`, {});
-}
 function x509Date(date) {
   date = date || /* @__PURE__ */ new Date();
   const Y = date.getUTCFullYear();
@@ -670,45 +650,6 @@ function x509Date(date) {
     return `${w(Y, 4) + w(M, 2) + w(D, 2) + w(h, 2) + w(m, 2) + w(s, 2)}Z`;
   }
 }
-async function dumpCertificate(certificate) {
-  (0, import_node_assert4.default)(import_node_fs4.default.existsSync(certificate));
-  return await execute_openssl(`x509  -in ${q(n2(certificate))} -text  -noout`, {});
-}
-async function toDer(certificatePem) {
-  (0, import_node_assert4.default)(import_node_fs4.default.existsSync(certificatePem));
-  const certificateDer = certificatePem.replace(".pem", ".der");
-  return await execute_openssl(`x509   -outform der  -in ${certificatePem} -out ${certificateDer}`, {});
-}
-async function fingerprint(certificatePem) {
-  (0, import_node_assert4.default)(import_node_fs4.default.existsSync(certificatePem));
-  return await execute_openssl(`x509   -fingerprint  -noout  -in ${certificatePem}`, {});
-}
-
-// packages/node-opcua-pki/lib/toolbox/with_openssl/create_certificate_signing_request.ts
-var q2 = quote;
-var n3 = makePath;
-async function createCertificateSigningRequestWithOpenSSL(certificateSigningRequestFilename, params) {
-  (0, import_node_assert5.default)(params);
-  (0, import_node_assert5.default)(params.rootDir);
-  (0, import_node_assert5.default)(params.configFile);
-  (0, import_node_assert5.default)(params.privateKey);
-  (0, import_node_assert5.default)(typeof params.privateKey === "string");
-  (0, import_node_assert5.default)(import_node_fs5.default.existsSync(params.configFile), `config file must exist ${params.configFile}`);
-  (0, import_node_assert5.default)(import_node_fs5.default.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
-  (0, import_node_assert5.default)(import_node_fs5.default.existsSync(params.rootDir), "RootDir key must exist");
-  (0, import_node_assert5.default)(typeof certificateSigningRequestFilename === "string");
-  processAltNames(params);
-  const configFile = generateStaticConfig(params.configFile, { cwd: params.rootDir });
-  const options = { cwd: params.rootDir, openssl_conf: import_node_path4.default.relative(params.rootDir, configFile) };
-  const configOption = ` -config ${q2(n3(configFile))}`;
-  const subject = params.subject ? new import_node_opcua_crypto.Subject(params.subject).toString() : void 0;
-  const subjectOptions = subject ? ` -subj "${subject}"` : "";
-  displaySubtitle("- Creating a Certificate Signing Request with openssl");
-  await execute_openssl(
-    "req -new  -sha256  -batch  -text " + configOption + " -key " + q2(n3(params.privateKey)) + subjectOptions + " -out " + q2(n3(certificateSigningRequestFilename)),
-    options
-  );
-}
 
 // packages/node-opcua-pki/lib/ca/templates/ca_config_template.cnf.ts
 var config = `#.........DO NOT MODIFY BY HAND .........................
@@ -846,8 +787,8 @@ var config2 = {
   forceCA: false,
   pkiDir: "INVALID"
 };
-var n4 = makePath;
-var q3 = quote;
+var n2 = makePath;
+var q = quote;
 function octetStringToIpAddress(a) {
   return parseInt(a.substring(0, 2), 16).toString() + "." + parseInt(a.substring(2, 4), 16).toString() + "." + parseInt(a.substring(4, 6), 16).toString() + "." + parseInt(a.substring(6, 8), 16).toString();
 }
@@ -898,7 +839,7 @@ async function construct_CertificateAuthority(certificateAuthority) {
   processAltNames({});
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
-  const configOption = ` -config ${q3(n4(configFile))}`;
+  const configOption = ` -config ${q(n2(configFile))}`;
   const keySize = certificateAuthority.keySize;
   const privateKeyFilename = import_node_path5.default.join(caRootDir, "private/cakey.pem");
   const csrFilename = import_node_path5.default.join(caRootDir, "private/cakey.csr");
@@ -906,12 +847,12 @@ async function construct_CertificateAuthority(certificateAuthority) {
   await (0, import_node_opcua_crypto2.generatePrivateKeyFile)(privateKeyFilename, keySize);
   displayTitle("Generate a certificate request for the CA key");
   await execute_openssl(
-    "req -new -sha256  -text  -extensions v3_ca" + configOption + " -key " + q3(n4(privateKeyFilename)) + " -out " + q3(n4(csrFilename)) + " " + subjectOpt,
+    "req -new -sha256  -text  -extensions v3_ca" + configOption + " -key " + q(n2(privateKeyFilename)) + " -out " + q(n2(csrFilename)) + " " + subjectOpt,
     options
   );
   displayTitle("Generate CA Certificate (self-signed)");
   await execute_openssl(
-    " x509 -sha256 -req -days 3650  -text  -extensions v3_ca -extfile " + q3(n4(configFile)) + " -in private/cakey.csr  -signkey " + q3(n4(privateKeyFilename)) + " -out public/cacert.pem",
+    " x509 -sha256 -req -days 3650  -text  -extensions v3_ca -extfile " + q(n2(configFile)) + " -in private/cakey.csr  -signkey " + q(n2(privateKeyFilename)) + " -out public/cacert.pem",
     options
   );
   displaySubtitle("generate initial CRL (Certificate Revocation List)");
@@ -923,11 +864,14 @@ async function regenerateCrl(revocationList, configOption, options) {
   await execute_openssl(`ca -gencrl ${configOption} -out crl/revocation_list.crl`, options);
   await execute_openssl("crl  -in  crl/revocation_list.crl -out  crl/revocation_list.der  -outform der", options);
   displaySubtitle("Display (Certificate Revocation List)");
-  await execute_openssl(`crl  -in ${q3(n4(revocationList))} -text  -noout`, options);
+  await execute_openssl(`crl  -in ${q(n2(revocationList))} -text  -noout`, options);
 }
 var CertificateAuthority = class {
+  /** RSA key size used when generating the CA private key. */
   keySize;
+  /** Root filesystem path of the CA directory structure. */
   location;
+  /** X.500 subject of the CA certificate. */
   subject;
   constructor(options) {
     (0, import_node_assert6.default)(Object.prototype.hasOwnProperty.call(options, "location"));
@@ -936,33 +880,54 @@ var CertificateAuthority = class {
     this.keySize = options.keySize || 2048;
     this.subject = new import_node_opcua_crypto2.Subject(options.subject || defaultSubject);
   }
+  /** Absolute path to the CA root directory (alias for {@link location}). */
   get rootDir() {
     return this.location;
   }
+  /** Path to the OpenSSL configuration file (`conf/caconfig.cnf`). */
   get configFile() {
     return import_node_path5.default.normalize(import_node_path5.default.join(this.rootDir, "./conf/caconfig.cnf"));
   }
+  /** Path to the CA certificate in PEM format (`public/cacert.pem`). */
   get caCertificate() {
     return makePath(this.rootDir, "./public/cacert.pem");
   }
   /**
-   * the file name where  the current Certificate Revocation List is stored (in DER format)
+   * Path to the current Certificate Revocation List in DER format.
+   * (`crl/revocation_list.der`)
    */
   get revocationListDER() {
     return makePath(this.rootDir, "./crl/revocation_list.der");
   }
   /**
-   * the file name where  the current Certificate Revocation List is stored (in PEM format)
+   * Path to the current Certificate Revocation List in PEM format.
+   * (`crl/revocation_list.crl`)
    */
   get revocationList() {
     return makePath(this.rootDir, "./crl/revocation_list.crl");
   }
+  /**
+   * Path to the concatenated CA certificate + CRL file.
+   * Used by OpenSSL for CRL-based verification.
+   */
   get caCertificateWithCrl() {
     return makePath(this.rootDir, "./public/cacertificate_with_crl.pem");
   }
+  /**
+   * Initialize the CA directory structure, generate the CA
+   * private key and self-signed certificate if they do not
+   * already exist.
+   */
   async initialize() {
     await construct_CertificateAuthority(this);
   }
+  /**
+   * Rebuild the combined CA certificate + CRL file.
+   *
+   * This concatenates the CA certificate with the current
+   * revocation list so that OpenSSL can verify certificates
+   * with CRL checking enabled.
+   */
   async constructCACertificateWithCRL() {
     const cacertWithCRL = this.caCertificateWithCrl;
     if (import_node_fs6.default.existsSync(this.revocationList)) {
@@ -974,6 +939,12 @@ var CertificateAuthority = class {
       await import_node_fs6.default.promises.writeFile(cacertWithCRL, import_node_fs6.default.readFileSync(this.caCertificate));
     }
   }
+  /**
+   * Append the CA certificate to a signed certificate file,
+   * creating a PEM certificate chain.
+   *
+   * @param certificate - path to the certificate file to extend
+   */
   async constructCertificateChain(certificate) {
     (0, import_node_assert6.default)(import_node_fs6.default.existsSync(certificate));
     (0, import_node_assert6.default)(import_node_fs6.default.existsSync(this.caCertificate));
@@ -984,6 +955,13 @@ var CertificateAuthority = class {
       //   + fs.readFileSync(this.revocationList)
     );
   }
+  /**
+   * Create a self-signed certificate using OpenSSL.
+   *
+   * @param certificateFile - output path for the signed certificate
+   * @param privateKey - path to the private key file
+   * @param params - certificate parameters (subject, validity, SANs)
+   */
   async createSelfSignedCertificate(certificateFile, privateKey, params) {
     (0, import_node_assert6.default)(typeof privateKey === "string");
     (0, import_node_assert6.default)(import_node_fs6.default.existsSync(privateKey));
@@ -1005,28 +983,27 @@ var CertificateAuthority = class {
     const subjectOptions = subject && subject.length > 1 ? ` -subj ${subject} ` : "";
     displaySubtitle("- the certificate signing request");
     await execute_openssl(
-      "req  -new -sha256 -text " + configOption + subjectOptions + " -batch -key " + q3(n4(privateKey)) + " -out " + q3(n4(csrFile)),
+      "req  -new -sha256 -text " + configOption + subjectOptions + " -batch -key " + q(n2(privateKey)) + " -out " + q(n2(csrFile)),
       options
     );
     displaySubtitle("- creating the self-signed certificate");
     await execute_openssl(
-      "ca  -selfsign  -keyfile " + q3(n4(privateKey)) + " -startdate " + x509Date(params.startDate) + " -enddate " + x509Date(params.endDate) + " -batch -out " + q3(n4(certificateFile)) + " -in " + q3(n4(csrFile)),
+      "ca  -selfsign  -keyfile " + q(n2(privateKey)) + " -startdate " + x509Date(params.startDate) + " -enddate " + x509Date(params.endDate) + " -batch -out " + q(n2(certificateFile)) + " -in " + q(n2(csrFile)),
       options
     );
     displaySubtitle("- dump the certificate for a check");
-    await execute_openssl(`x509 -in ${q3(n4(certificateFile))}  -dates -fingerprint -purpose -noout`, {});
+    await execute_openssl(`x509 -in ${q(n2(certificateFile))}  -dates -fingerprint -purpose -noout`, {});
     displaySubtitle("- verify self-signed certificate");
-    await execute_openssl_no_failure(`verify -verbose -CAfile ${q3(n4(certificateFile))} ${q3(n4(certificateFile))}`, options);
+    await execute_openssl_no_failure(`verify -verbose -CAfile ${q(n2(certificateFile))} ${q(n2(certificateFile))}`, options);
     await import_node_fs6.default.promises.unlink(csrFile);
   }
   /**
-   * revoke a certificate and update the CRL
+   * Revoke a certificate and regenerate the CRL.
    *
-   * @method revokeCertificate
-   * @param certificate -  the certificate to revoke
-   * @param params
-   * @param [params.reason = "keyCompromise" {String}]
-   * @async
+   * @param certificate - path to the certificate file to revoke
+   * @param params - revocation parameters
+   * @param params.reason - CRL reason code
+   *   (default `"keyCompromise"`)
    */
   async revokeCertificate(certificate, params) {
     const crlReasons = [
@@ -1047,31 +1024,34 @@ var CertificateAuthority = class {
     setEnv("ALTNAME", "");
     const randomFile = import_node_path5.default.join(this.rootDir, "random.rnd");
     setEnv("RANDFILE", randomFile);
-    const configOption = ` -config ${q3(n4(configFile))}`;
+    const configOption = ` -config ${q(n2(configFile))}`;
     const reason = params.reason || "keyCompromise";
     (0, import_node_assert6.default)(crlReasons.indexOf(reason) >= 0);
     displayTitle(`Revoking certificate  ${certificate}`);
     displaySubtitle("Revoke certificate");
-    await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q3(certificate)} -crl_reason ${reason}`, options);
+    await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q(certificate)} -crl_reason ${reason}`, options);
     await regenerateCrl(this.revocationList, configOption, options);
     displaySubtitle("Verify that certificate is revoked");
     await execute_openssl_no_failure(
-      "verify -verbose -CRLfile " + q3(n4(this.revocationList)) + " -CAfile " + q3(n4(this.caCertificate)) + " -crl_check " + q3(n4(certificate)),
+      "verify -verbose -CRLfile " + q(n2(this.revocationList)) + " -CAfile " + q(n2(this.caCertificate)) + " -crl_check " + q(n2(certificate)),
       options
     );
     displaySubtitle("Produce CRL in DER form ");
-    await execute_openssl(`crl  -in ${q3(n4(this.revocationList))} -out crl/revocation_list.der  -outform der`, options);
+    await execute_openssl(`crl  -in ${q(n2(this.revocationList))} -out crl/revocation_list.der  -outform der`, options);
     displaySubtitle("Produce CRL in PEM form ");
-    await execute_openssl(`crl  -in ${q3(n4(this.revocationList))} -out crl/revocation_list.pem  -outform pem -text `, options);
+    await execute_openssl(`crl  -in ${q(n2(this.revocationList))} -out crl/revocation_list.pem  -outform pem -text `, options);
   }
   /**
+   * Sign a Certificate Signing Request (CSR) with this CA.
+   *
+   * The signed certificate is written to `certificate`, and the
+   * CA certificate chain plus CRL are appended to form a
+   * complete certificate chain.
    *
-   * @param certificate            - the certificate filename to generate
-   * @param certificateSigningRequestFilename   - the certificate signing request
-   * @param params                 - parameters
-   * @param params.applicationUri  - the applicationUri
-   * @param params.startDate       - startDate of the certificate
-   * @param params.validity        - number of day of validity of the certificate
+   * @param certificate - output path for the signed certificate
+   * @param certificateSigningRequestFilename - path to the CSR
+   * @param params1 - signing parameters (validity, dates, SANs)
+   * @returns the path to the signed certificate
    */
   async signCertificateRequest(certificate, certificateSigningRequestFilename, params1) {
     await ensure_openssl_installed();
@@ -1089,12 +1069,12 @@ var CertificateAuthority = class {
     if (typeof applicationUri !== "string") {
       throw new Error("Cannot find applicationUri in CSR");
     }
-    const dns2 = csrInfo.extensionRequest.subjectAltName.dNSName || [];
+    const dns = csrInfo.extensionRequest.subjectAltName.dNSName || [];
     let ip = csrInfo.extensionRequest.subjectAltName.iPAddress || [];
     ip = ip.map(octetStringToIpAddress);
     const params = {
       applicationUri,
-      dns: dns2,
+      dns,
       ip
     };
     processAltNames(params);
@@ -1102,11 +1082,11 @@ var CertificateAuthority = class {
     displaySubtitle("- then we ask the authority to sign the certificate signing request");
     const configOption = ` -config ${configFile}`;
     await execute_openssl(
-      "ca " + configOption + " -startdate " + x509Date(params1.startDate) + " -enddate " + x509Date(params1.endDate) + " -batch -out " + q3(n4(certificate)) + " -in " + q3(n4(certificateSigningRequestFilename)),
+      "ca " + configOption + " -startdate " + x509Date(params1.startDate) + " -enddate " + x509Date(params1.endDate) + " -batch -out " + q(n2(certificate)) + " -in " + q(n2(certificateSigningRequestFilename)),
       options
     );
     displaySubtitle("- dump the certificate for a check");
-    await execute_openssl(`x509 -in ${q3(n4(certificate))}  -dates -fingerprint -purpose -noout`, options);
+    await execute_openssl(`x509 -in ${q(n2(certificate))}  -dates -fingerprint -purpose -noout`, options);
     displaySubtitle("- construct CA certificate with CRL");
     await this.constructCACertificateWithCRL();
     displaySubtitle("- construct certificate chain");
@@ -1115,6 +1095,11 @@ var CertificateAuthority = class {
     await this.verifyCertificate(certificate);
     return certificate;
   }
+  /**
+   * Verify a certificate against this CA.
+   *
+   * @param certificate - path to the certificate file to verify
+   */
   async verifyCertificate(certificate) {
     const isImplemented = false;
     if (isImplemented) {
@@ -1124,96 +1109,14 @@ var CertificateAuthority = class {
       const _configOption = ` -config ${configFile}`;
       _configOption;
       await execute_openssl_no_failure(
-        `verify -verbose  -CAfile ${q3(n4(this.caCertificateWithCrl))} ${q3(n4(certificate))}`,
+        `verify -verbose  -CAfile ${q(n2(this.caCertificateWithCrl))} ${q(n2(certificate))}`,
         options
       );
     }
   }
 };
 
-// packages/node-opcua-pki/lib/ca/crypto_create_CA.ts
-var import_node_assert11 = __toESM(require("assert"));
-var import_node_fs10 = __toESM(require("fs"));
-var import_node_module = require("module");
-var import_node_os4 = __toESM(require("os"));
-var import_node_path7 = __toESM(require("path"));
-var import_chalk7 = __toESM(require("chalk"));
-var import_node_opcua_crypto6 = require("node-opcua-crypto");
-
-// packages/node-opcua-pki/lib/misc/applicationurn.ts
-var import_node_assert7 = __toESM(require("assert"));
-var import_node_crypto = require("crypto");
-function makeApplicationUrn(hostname, suffix) {
-  let hostnameHash = hostname;
-  if (hostnameHash.length + 7 + suffix.length >= 64) {
-    hostnameHash = (0, import_node_crypto.createHash)("md5").update(hostname).digest("hex").substring(0, 16);
-  }
-  const applicationUrn = `urn:${hostnameHash}:${suffix}`;
-  (0, import_node_assert7.default)(applicationUrn.length <= 64);
-  return applicationUrn;
-}
-
-// packages/node-opcua-pki/lib/misc/hostname.ts
-var import_node_dns = __toESM(require("dns"));
-var import_node_os3 = __toESM(require("os"));
-var import_node_util = require("util");
-function trim(str, length) {
-  if (!length) {
-    return str;
-  }
-  return str.substring(0, Math.min(str.length, length));
-}
-function fqdn(callback) {
-  const uqdn = import_node_os3.default.hostname();
-  import_node_dns.default.lookup(uqdn, { hints: import_node_dns.default.ADDRCONFIG }, (err1, ip) => {
-    if (err1) {
-      return callback(err1);
-    }
-    import_node_dns.default.lookupService(ip, 0, (err2, _fqdn) => {
-      if (err2) {
-        return callback(err2);
-      }
-      _fqdn = _fqdn.replace(".localdomain", "");
-      callback(null, _fqdn);
-    });
-  });
-}
-var _fullyQualifiedDomainNameInCache;
-async function extractFullyQualifiedDomainName() {
-  if (_fullyQualifiedDomainNameInCache) {
-    return _fullyQualifiedDomainNameInCache;
-  }
-  if (process.platform === "win32") {
-    const env = process.env;
-    _fullyQualifiedDomainNameInCache = env.COMPUTERNAME + (env.USERDNSDOMAIN && env.USERDNSDOMAIN?.length > 0 ? `.${env.USERDNSDOMAIN}` : "");
-  } else {
-    try {
-      _fullyQualifiedDomainNameInCache = await (0, import_node_util.promisify)(fqdn)();
-      if (_fullyQualifiedDomainNameInCache === "localhost") {
-        throw new Error("localhost not expected");
-      }
-      if (/sethostname/.test(_fullyQualifiedDomainNameInCache)) {
-        throw new Error("Detecting fqdn  on windows !!!");
-      }
-    } catch (_err) {
-      _fullyQualifiedDomainNameInCache = import_node_os3.default.hostname();
-    }
-  }
-  return _fullyQualifiedDomainNameInCache;
-}
-async function prepareFQDN() {
-  _fullyQualifiedDomainNameInCache = await extractFullyQualifiedDomainName();
-}
-function getFullyQualifiedDomainName(optional_max_length) {
-  if (!_fullyQualifiedDomainNameInCache) {
-    throw new Error("FullyQualifiedDomainName computation is not completed yet");
-  }
-  return _fullyQualifiedDomainNameInCache ? trim(_fullyQualifiedDomainNameInCache, optional_max_length) : "%FQDN%";
-}
-prepareFQDN();
-
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
-var import_node_assert10 = __toESM(require("assert"));
 var import_node_fs9 = __toESM(require("fs"));
 var import_node_path6 = __toESM(require("path"));
 var import_global_mutex = require("@ster5/global-mutex");
@@ -1222,18 +1125,18 @@ var import_chokidar = __toESM(require("chokidar"));
 var import_node_opcua_crypto5 = require("node-opcua-crypto");
 
 // packages/node-opcua-pki/lib/toolbox/without_openssl/create_certificate_signing_request.ts
-var import_node_assert8 = __toESM(require("assert"));
+var import_node_assert7 = __toESM(require("assert"));
 var import_node_fs7 = __toESM(require("fs"));
 var import_node_opcua_crypto3 = require("node-opcua-crypto");
 async function createCertificateSigningRequestAsync(certificateSigningRequestFilename, params) {
-  (0, import_node_assert8.default)(params);
-  (0, import_node_assert8.default)(params.rootDir);
-  (0, import_node_assert8.default)(params.configFile);
-  (0, import_node_assert8.default)(params.privateKey);
-  (0, import_node_assert8.default)(typeof params.privateKey === "string");
-  (0, import_node_assert8.default)(import_node_fs7.default.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
-  (0, import_node_assert8.default)(import_node_fs7.default.existsSync(params.rootDir), "RootDir key must exist");
-  (0, import_node_assert8.default)(typeof certificateSigningRequestFilename === "string");
+  (0, import_node_assert7.default)(params);
+  (0, import_node_assert7.default)(params.rootDir);
+  (0, import_node_assert7.default)(params.configFile);
+  (0, import_node_assert7.default)(params.privateKey);
+  (0, import_node_assert7.default)(typeof params.privateKey === "string");
+  (0, import_node_assert7.default)(import_node_fs7.default.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
+  (0, import_node_assert7.default)(import_node_fs7.default.existsSync(params.rootDir), "RootDir key must exist");
+  (0, import_node_assert7.default)(typeof certificateSigningRequestFilename === "string");
   const subject = params.subject ? new import_node_opcua_crypto3.Subject(params.subject).toString() : void 0;
   displaySubtitle("- Creating a Certificate Signing Request with subtile");
   const privateKeyPem = await import_node_fs7.default.promises.readFile(params.privateKey, "utf-8");
@@ -1252,22 +1155,22 @@ async function createCertificateSigningRequestAsync(certificateSigningRequestFil
 }
 
 // packages/node-opcua-pki/lib/toolbox/without_openssl/create_self_signed_certificate.ts
-var import_node_assert9 = __toESM(require("assert"));
+var import_node_assert8 = __toESM(require("assert"));
 var import_node_fs8 = __toESM(require("fs"));
 var import_node_opcua_crypto4 = require("node-opcua-crypto");
 async function createSelfSignedCertificateAsync(certificate, params) {
   params.purpose = params.purpose || import_node_opcua_crypto4.CertificatePurpose.ForApplication;
-  (0, import_node_assert9.default)(params.purpose, "Please provide a Certificate Purpose");
-  (0, import_node_assert9.default)(import_node_fs8.default.existsSync(params.configFile));
-  (0, import_node_assert9.default)(import_node_fs8.default.existsSync(params.rootDir));
-  (0, import_node_assert9.default)(import_node_fs8.default.existsSync(params.privateKey));
+  (0, import_node_assert8.default)(params.purpose, "Please provide a Certificate Purpose");
+  (0, import_node_assert8.default)(import_node_fs8.default.existsSync(params.configFile));
+  (0, import_node_assert8.default)(import_node_fs8.default.existsSync(params.rootDir));
+  (0, import_node_assert8.default)(import_node_fs8.default.existsSync(params.privateKey));
   if (!params.subject) {
     throw Error("Missing subject");
   }
-  (0, import_node_assert9.default)(typeof params.applicationUri === "string");
-  (0, import_node_assert9.default)(Array.isArray(params.dns));
+  (0, import_node_assert8.default)(typeof params.applicationUri === "string");
+  (0, import_node_assert8.default)(Array.isArray(params.dns));
   adjustDate(params);
-  (0, import_node_assert9.default)(Object.prototype.hasOwnProperty.call(params, "validity"));
+  (0, import_node_assert8.default)(Object.prototype.hasOwnProperty.call(params, "validity"));
   let subject = new import_node_opcua_crypto4.Subject(params.subject);
   subject = subject.toString();
   const purpose = params.purpose;
@@ -1298,6 +1201,12 @@ var simple_config_template_cnf_default = config3;
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
 var configurationFileSimpleTemplate = simple_config_template_cnf_default;
 var fsWriteFile = import_node_fs9.default.promises.writeFile;
+function getOrComputeInfo(entry) {
+  if (!entry.info) {
+    entry.info = (0, import_node_opcua_crypto5.exploreCertificate)(entry.certificate);
+  }
+  return entry.info;
+}
 var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   VerificationStatus2["BadCertificateInvalid"] = "BadCertificateInvalid";
   VerificationStatus2["BadSecurityChecksFailed"] = "BadSecurityChecksFailed";
@@ -1318,28 +1227,28 @@ var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   return VerificationStatus2;
 })(VerificationStatus || {});
 function makeFingerprint(certificate) {
-  return (0, import_node_opcua_crypto5.makeSHA1Thumbprint)(certificate).toString("hex");
+  const chain = (0, import_node_opcua_crypto5.split_der)(certificate);
+  return (0, import_node_opcua_crypto5.makeSHA1Thumbprint)(chain[0]).toString("hex");
 }
 function short(stringToShorten) {
   return stringToShorten.substring(0, 10);
 }
 var forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
 function buildIdealCertificateName(certificate) {
-  const fingerprint2 = makeFingerprint(certificate);
+  const fingerprint = makeFingerprint(certificate);
   try {
     const commonName = (0, import_node_opcua_crypto5.exploreCertificate)(certificate).tbsCertificate.subject.commonName || "";
     const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
-    return `${sanitizedCommonName}[${fingerprint2}]`;
+    return `${sanitizedCommonName}[${fingerprint}]`;
   } catch (_err) {
-    return `invalid_certificate_[${fingerprint2}]`;
+    return `invalid_certificate_[${fingerprint}]`;
   }
 }
 function findMatchingIssuerKey(entries, wantedIssuerKey) {
-  const selected = entries.filter(({ certificate }) => {
-    const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+  return entries.filter((entry) => {
+    const info = getOrComputeInfo(entry);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
-  return selected;
 }
 function isSelfSigned2(info) {
   return info.tbsCertificate.extensions?.subjectKeyIdentifier === info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
@@ -1382,84 +1291,157 @@ var CertificateManagerState = /* @__PURE__ */ ((CertificateManagerState2) => {
   CertificateManagerState2[CertificateManagerState2["Disposed"] = 4] = "Disposed";
   return CertificateManagerState2;
 })(CertificateManagerState || {});
-var CertificateManager = class {
+var CertificateManager = class _CertificateManager {
+  // ── Global instance registry ─────────────────────────────────
+  // Tracks all initialized CertificateManager instances so their
+  // file watchers can be closed automatically on process exit,
+  // even if the consumer forgets to call dispose().
+  static #activeInstances = /* @__PURE__ */ new Set();
+  static #cleanupInstalled = false;
+  static #installProcessCleanup() {
+    if (_CertificateManager.#cleanupInstalled) return;
+    _CertificateManager.#cleanupInstalled = true;
+    const closeDanglingWatchers = () => {
+      for (const cm of _CertificateManager.#activeInstances) {
+        for (const w of cm.#watchers) {
+          try {
+            w.close();
+          } catch {
+          }
+        }
+        cm.#watchers.splice(0);
+        cm.state = 4 /* Disposed */;
+      }
+      _CertificateManager.#activeInstances.clear();
+    };
+    process.on("beforeExit", closeDanglingWatchers);
+    for (const signal of ["SIGINT", "SIGTERM"]) {
+      process.once(signal, () => {
+        closeDanglingWatchers();
+        process.exit();
+      });
+    }
+  }
+  /**
+   * Dispose **all** active CertificateManager instances,
+   * closing their file watchers and freeing resources.
+   *
+   * This is mainly useful in test tear-down to ensure the
+   * Node.js process can exit cleanly.
+   */
+  static async disposeAll() {
+    const instances = [..._CertificateManager.#activeInstances];
+    await Promise.all(instances.map((cm) => cm.dispose()));
+  }
+  /**
+   * Assert that all CertificateManager instances have been
+   * properly disposed. Throws an Error listing the locations
+   * of any leaked instances.
+   *
+   * Intended for use in test `afterAll()` / `afterEach()`
+   * hooks to catch missing `dispose()` calls early.
+   *
+   * @example
+   * ```ts
+   * after(() => {
+   *     CertificateManager.checkAllDisposed();
+   * });
+   * ```
+   */
+  static checkAllDisposed() {
+    if (_CertificateManager.#activeInstances.size === 0) return;
+    const locations = [..._CertificateManager.#activeInstances].map((cm) => cm.rootDir);
+    throw new Error(
+      `${_CertificateManager.#activeInstances.size} CertificateManager instance(s) not disposed:
+  - ${locations.join("\n  - ")}`
+    );
+  }
+  // ─────────────────────────────────────────────────────────────
+  /**
+   * When `true` (the default), any certificate that is not
+   * already in the trusted or rejected store is automatically
+   * written to the rejected folder the first time it is seen.
+   */
   untrustUnknownCertificate = true;
+  /** Current lifecycle state of this instance. */
   state = 0 /* Uninitialized */;
+  /** @deprecated Use {@link folderPollingInterval} instead (typo fix). */
   folderPoolingInterval = 5e3;
+  /** Interval in milliseconds for file-system polling (when enabled). */
+  get folderPollingInterval() {
+    return this.folderPoolingInterval;
+  }
+  set folderPollingInterval(value) {
+    this.folderPoolingInterval = value;
+  }
+  /** RSA key size used when generating the private key. */
   keySize;
-  location;
-  _watchers = [];
-  _readCertificatesCalled = false;
-  _filenameToHash = {};
-  _thumbs = {
-    rejected: {},
-    trusted: {},
+  #location;
+  #watchers = [];
+  #readCertificatesCalled = false;
+  #filenameToHash = /* @__PURE__ */ new Map();
+  #initializingPromise;
+  #thumbs = {
+    rejected: /* @__PURE__ */ new Map(),
+    trusted: /* @__PURE__ */ new Map(),
     issuers: {
-      certs: {}
+      certs: /* @__PURE__ */ new Map()
     },
-    crl: {},
-    issuersCrl: {}
+    crl: /* @__PURE__ */ new Map(),
+    issuersCrl: /* @__PURE__ */ new Map()
   };
+  /**
+   * Create a new CertificateManager.
+   *
+   * The constructor creates the root directory if it does not
+   * exist but does **not** initialise the PKI store — call
+   * {@link initialize} before using any other method.
+   *
+   * @param options - configuration options
+   */
   constructor(options) {
     options.keySize = options.keySize || 2048;
-    (0, import_node_assert10.default)(Object.prototype.hasOwnProperty.call(options, "location"));
-    (0, import_node_assert10.default)(Object.prototype.hasOwnProperty.call(options, "keySize"));
-    (0, import_node_assert10.default)(this.state === 0 /* Uninitialized */);
-    this.location = makePath(options.location, "");
+    if (!options.location) {
+      throw new Error("CertificateManager: missing 'location' option");
+    }
+    this.#location = makePath(options.location, "");
     this.keySize = options.keySize;
     mkdirRecursiveSync(options.location);
-    if (!import_node_fs9.default.existsSync(this.location)) {
-      throw new Error(`CertificateManager cannot access location ${this.location}`);
+    if (!import_node_fs9.default.existsSync(this.#location)) {
+      throw new Error(`CertificateManager cannot access location ${this.#location}`);
     }
   }
+  /** Path to the OpenSSL configuration file. */
   get configFile() {
     return import_node_path6.default.join(this.rootDir, "own/openssl.cnf");
   }
+  /** Root directory of the PKI store. */
   get rootDir() {
-    return this.location;
+    return this.#location;
   }
+  /** Path to the private key file (`own/private/private_key.pem`). */
   get privateKey() {
     return import_node_path6.default.join(this.rootDir, "own/private/private_key.pem");
   }
+  /** Path to the OpenSSL random seed file. */
   get randomFile() {
     return import_node_path6.default.join(this.rootDir, "./random.rnd");
   }
-  /**
-   * returns the certificate status trusted/rejected
-   * @param certificate
-   */
-  async getCertificateStatus(certificate) {
-    await this.initialize();
-    let status = await this._checkRejectedOrTrusted(certificate);
-    if (status === "unknown") {
-      (0, import_node_assert10.default)(certificate instanceof Buffer);
-      const pem = (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE");
-      const fingerprint2 = makeFingerprint(certificate);
-      const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
-      await import_node_fs9.default.promises.writeFile(filename, pem);
-      this._thumbs.rejected[fingerprint2] = {
-        certificate,
-        filename
-      };
-      status = "rejected";
-    }
-    return status;
-  }
   /**
    * Move a certificate to the rejected store.
-   * If the certificate was previously trusted, it will be moved.
+   * If the certificate was previously trusted, it will be removed from the trusted folder.
    * @param certificate - the DER-encoded certificate
    */
   async rejectCertificate(certificate) {
-    await this._moveCertificate(certificate, "rejected");
+    await this.#moveCertificate(certificate, "rejected");
   }
   /**
    * Move a certificate to the trusted store.
-   * If the certificate was previously rejected, it will be moved.
+   * If the certificate was previously rejected, it will be removed from the rejected folder.
    * @param certificate - the DER-encoded certificate
    */
   async trustCertificate(certificate) {
-    await this._moveCertificate(certificate, "trusted");
+    await this.#moveCertificate(certificate, "trusted");
   }
   /** Path to the rejected certificates folder. */
   get rejectedFolder() {
@@ -1481,6 +1463,13 @@ var CertificateManager = class {
   get issuersCrlFolder() {
     return import_node_path6.default.join(this.rootDir, "issuers/crl");
   }
+  /** Path to the own certificate folder. */
+  get ownCertFolder() {
+    return import_node_path6.default.join(this.rootDir, "own/certs");
+  }
+  get ownPrivateFolder() {
+    return import_node_path6.default.join(this.rootDir, "own/private");
+  }
   /**
    * Check if a certificate is in the trusted store.
    * If the certificate is unknown and `untrustUnknownCertificate` is set,
@@ -1490,33 +1479,27 @@ var CertificateManager = class {
    *   or `"BadCertificateInvalid"` if the certificate cannot be parsed.
    */
   async isCertificateTrusted(certificate) {
-    const fingerprint2 = makeFingerprint(certificate);
-    const certificateInTrust = this._thumbs.trusted[fingerprint2]?.certificate;
-    if (certificateInTrust) {
+    const fingerprint = makeFingerprint(certificate);
+    if (this.#thumbs.trusted.has(fingerprint)) {
       return "Good";
-    } else {
-      const certificateInRejected = this._thumbs.rejected[fingerprint2];
-      if (!certificateInRejected) {
-        const certificateFilenameInRejected = import_node_path6.default.join(
-          this.rejectedFolder,
-          `${buildIdealCertificateName(certificate)}.pem`
-        );
-        if (!this.untrustUnknownCertificate) {
-          return "Good";
-        }
-        try {
-          const _certificateInfo = (0, import_node_opcua_crypto5.exploreCertificateInfo)(certificate);
-          _certificateInfo;
-        } catch (_err) {
-          return "BadCertificateInvalid";
-        }
-        debugLog("certificate has never been seen before and is now rejected (untrusted) ", certificateFilenameInRejected);
-        await fsWriteFile(certificateFilenameInRejected, (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE"));
+    }
+    if (!this.#thumbs.rejected.has(fingerprint)) {
+      if (!this.untrustUnknownCertificate) {
+        return "Good";
       }
-      return "BadCertificateUntrusted";
+      try {
+        (0, import_node_opcua_crypto5.exploreCertificateInfo)(certificate);
+      } catch (_err) {
+        return "BadCertificateInvalid";
+      }
+      const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
+      debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
+      await fsWriteFile(filename, (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE"));
+      this.#thumbs.rejected.set(fingerprint, { certificate, filename });
     }
+    return "BadCertificateUntrusted";
   }
-  async _innerVerifyCertificateAsync(certificate, _isIssuer, level, options) {
+  async #innerVerifyCertificateAsync(certificate, _isIssuer, level, options) {
     if (level >= 5) {
       return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
     }
@@ -1551,7 +1534,7 @@ var CertificateManager = class {
         } else {
           debugLog(" the issuer certificate has been found in the issuer.cert folder !");
         }
-        const issuerStatus = await this._innerVerifyCertificateAsync(issuerCertificate, true, level + 1, options);
+        const issuerStatus = await this.#innerVerifyCertificateAsync(issuerCertificate, true, level + 1, options);
         if (issuerStatus === "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */) {
           return "BadCertificateIssuerRevocationUnknown" /* BadCertificateIssuerRevocationUnknown */;
         }
@@ -1585,7 +1568,7 @@ var CertificateManager = class {
           debugLog("revokedStatus", revokedStatus);
           return revokedStatus;
         }
-        const issuerTrustedStatus = await this._checkRejectedOrTrusted(issuerCertificate);
+        const issuerTrustedStatus = await this.#checkRejectedOrTrusted(issuerCertificate);
         debugLog("issuerTrustedStatus", issuerTrustedStatus);
         if (issuerTrustedStatus === "unknown") {
           hasTrustedIssuer = false;
@@ -1604,12 +1587,14 @@ var CertificateManager = class {
         debugLog("revokedStatus of self signed certificate:", revokedStatus);
       }
     }
-    const status = await this._checkRejectedOrTrusted(certificate);
+    const status = await this.#checkRejectedOrTrusted(certificate);
     if (status === "rejected") {
-      return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
+      if (!(options.acceptCertificateWithValidIssuerChain && hasValidIssuer && hasTrustedIssuer)) {
+        return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
+      }
     }
     const _c2 = chain[1] ? (0, import_node_opcua_crypto5.exploreCertificateInfo)(chain[1]) : "non";
-    _c2;
+    debugLog("chain[1] info=", _c2);
     const certificateInfo = (0, import_node_opcua_crypto5.exploreCertificateInfo)(certificate);
     const now = /* @__PURE__ */ new Date();
     let isTimeInvalid = false;
@@ -1632,7 +1617,6 @@ var CertificateManager = class {
     if (status === "trusted") {
       return isTimeInvalid ? "BadCertificateTimeInvalid" /* BadCertificateTimeInvalid */ : "Good" /* Good */;
     }
-    (0, import_node_assert10.default)(status === "unknown");
     if (hasIssuerKey) {
       if (!hasTrustedIssuer) {
         return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
@@ -1640,47 +1624,74 @@ var CertificateManager = class {
       if (!hasValidIssuer) {
         return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
       }
+      if (!options.acceptCertificateWithValidIssuerChain) {
+        return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
+      }
       return isTimeInvalid ? "BadCertificateTimeInvalid" /* BadCertificateTimeInvalid */ : "Good" /* Good */;
     } else {
       return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
     }
   }
+  /**
+   * Internal verification hook called by {@link verifyCertificate}.
+   *
+   * Subclasses can override this to inject additional validation
+   * logic (e.g. application-level policy checks) while still
+   * delegating to the default chain/CRL/trust verification.
+   *
+   * @param certificate - the DER-encoded certificate to verify
+   * @param options - verification options forwarded from the
+   *   public API
+   * @returns the verification status code
+   */
   async verifyCertificateAsync(certificate, options) {
-    const status1 = await this._innerVerifyCertificateAsync(certificate, false, 0, options);
+    const status1 = await this.#innerVerifyCertificateAsync(certificate, false, 0, options);
     return status1;
   }
   /**
-   * Verify certificate validity
-   * @method verifyCertificate
-   * @param certificate
+   * Verify a certificate against the PKI trust store.
+   *
+   * This performs a full validation including trust status,
+   * issuer chain, CRL revocation checks, and time validity.
+   *
+   * @param certificate - the DER-encoded certificate to verify
+   * @param options - optional flags to relax validation rules
+   * @returns the verification status code
    */
   async verifyCertificate(certificate, options) {
     if (!certificate) {
       return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
     }
-    return await this.verifyCertificateAsync(certificate, options || {});
+    try {
+      const status = await this.verifyCertificateAsync(certificate, options || {});
+      return status;
+    } catch (error) {
+      warningLog(`verifyCertificate error: ${error.message}`);
+      return "BadCertificateInvalid" /* BadCertificateInvalid */;
+    }
   }
-  /*
-   *
-   *  PKI
-   *    +---> trusted
-   *    +---> rejected
-   *    +---> own
-   *           +---> cert
-   *           +---> own
+  /**
+   * Initialize the PKI directory structure, generate the
+   * private key (if missing), and start file-system watchers.
    *
+   * This method is idempotent — subsequent calls are no-ops.
+   * It must be called before any certificate operations.
    */
   async initialize() {
     if (this.state !== 0 /* Uninitialized */) {
       return;
     }
     this.state = 1 /* Initializing */;
-    await this._initialize();
+    this.#initializingPromise = this.#initialize();
+    await this.#initializingPromise;
+    this.#initializingPromise = void 0;
     this.state = 2 /* Initialized */;
+    _CertificateManager.#activeInstances.add(this);
+    _CertificateManager.#installProcessCleanup();
   }
-  async _initialize() {
+  async #initialize() {
     this.state = 1 /* Initializing */;
-    const pkiDir = this.location;
+    const pkiDir = this.#location;
     mkdirRecursiveSync(pkiDir);
     mkdirRecursiveSync(import_node_path6.default.join(pkiDir, "own"));
     mkdirRecursiveSync(import_node_path6.default.join(pkiDir, "own/certs"));
@@ -1694,24 +1705,22 @@ var CertificateManager = class {
     mkdirRecursiveSync(import_node_path6.default.join(pkiDir, "issuers/crl"));
     if (!import_node_fs9.default.existsSync(this.configFile) || !import_node_fs9.default.existsSync(this.privateKey)) {
       return await this.withLock2(async () => {
-        (0, import_node_assert10.default)(this.state !== 3 /* Disposing */);
-        if (this.state === 4 /* Disposed */) {
+        if (this.state === 3 /* Disposing */ || this.state === 4 /* Disposed */) {
           return;
         }
-        (0, import_node_assert10.default)(this.state === 1 /* Initializing */);
         if (!import_node_fs9.default.existsSync(this.configFile)) {
           import_node_fs9.default.writeFileSync(this.configFile, configurationFileSimpleTemplate);
         }
         if (!import_node_fs9.default.existsSync(this.privateKey)) {
           debugLog("generating private key ...");
           await (0, import_node_opcua_crypto5.generatePrivateKeyFile)(this.privateKey, this.keySize);
-          await this._readCertificates();
+          await this.#readCertificates();
         } else {
-          await this._readCertificates();
+          await this.#readCertificates();
         }
       });
     } else {
-      await this._readCertificates();
+      await this.#readCertificates();
     }
   }
   /**
@@ -1728,20 +1737,46 @@ var CertificateManager = class {
       return;
     }
     if (this.state === 1 /* Initializing */) {
-      await new Promise((resolve) => setTimeout(resolve, 100));
-      return await this.dispose();
+      if (this.#initializingPromise) {
+        await this.#initializingPromise;
+      }
     }
     try {
       this.state = 3 /* Disposing */;
-      await Promise.all(this._watchers.map((w) => w.close()));
-      this._watchers.forEach((w) => {
+      await Promise.all(this.#watchers.map((w) => w.close()));
+      this.#watchers.forEach((w) => {
         w.removeAllListeners();
       });
-      this._watchers.splice(0);
+      this.#watchers.splice(0);
     } finally {
       this.state = 4 /* Disposed */;
+      _CertificateManager.#activeInstances.delete(this);
     }
   }
+  /**
+   * Force a full re-scan of all PKI folders, rebuilding
+   * the in-memory `_thumbs` index from scratch.
+   *
+   * Call this after external processes have modified the
+   * PKI folders (e.g. via `writeTrustList` or CLI tools)
+   * to ensure the CertificateManager sees the latest
+   * state without waiting for file-system events.
+   */
+  async reloadCertificates() {
+    await Promise.all(this.#watchers.map((w) => w.close()));
+    for (const w of this.#watchers) {
+      w.removeAllListeners();
+    }
+    this.#watchers.splice(0);
+    this.#thumbs.rejected.clear();
+    this.#thumbs.trusted.clear();
+    this.#thumbs.issuers.certs.clear();
+    this.#thumbs.crl.clear();
+    this.#thumbs.issuersCrl.clear();
+    this.#filenameToHash.clear();
+    this.#readCertificatesCalled = false;
+    await this.#readCertificates();
+  }
   async withLock2(action) {
     const lockFileName = import_node_path6.default.join(this.rootDir, "mutex.lock");
     return (0, import_global_mutex.withLock)({ fileToLock: lockFileName }, async () => {
@@ -1749,12 +1784,18 @@ var CertificateManager = class {
     });
   }
   /**
+   * Create a self-signed certificate for this PKI's private key.
    *
-   * create a self-signed certificate for the CertificateManager private key
+   * The certificate is written to `params.outputFile` or
+   * `own/certs/self_signed_certificate.pem` by default.
    *
+   * @param params - certificate parameters (subject, SANs,
+   *   validity, etc.)
    */
   async createSelfSignedCertificate(params) {
-    (0, import_node_assert10.default)(typeof params.applicationUri === "string", "expecting applicationUri");
+    if (typeof params.applicationUri !== "string") {
+      throw new Error("createSelfSignedCertificate: expecting applicationUri to be a string");
+    }
     if (!import_node_fs9.default.existsSync(this.privateKey)) {
       throw new Error(`Cannot find private key ${this.privateKey}`);
     }
@@ -1769,22 +1810,31 @@ var CertificateManager = class {
       await createSelfSignedCertificate(certificateFilename, _params);
     });
   }
+  /**
+   * Create a Certificate Signing Request (CSR) using this
+   * PKI's private key and configuration.
+   *
+   * The CSR file is written to `own/certs/` with a timestamped
+   * filename.
+   *
+   * @param params - CSR parameters (subject, SANs)
+   * @returns the filesystem path to the generated CSR file
+   */
   async createCertificateRequest(params) {
-    (0, import_node_assert10.default)(params);
+    if (!params) {
+      throw new Error("params is required");
+    }
     const _params = params;
     if (Object.prototype.hasOwnProperty.call(_params, "rootDir")) {
       throw new Error("rootDir should not be specified ");
     }
-    (0, import_node_assert10.default)(!_params.rootDir);
-    (0, import_node_assert10.default)(!_params.configFile);
-    (0, import_node_assert10.default)(!_params.privateKey);
     _params.rootDir = import_node_path6.default.resolve(this.rootDir);
     _params.configFile = import_node_path6.default.resolve(this.configFile);
     _params.privateKey = import_node_path6.default.resolve(this.privateKey);
     return await this.withLock2(async () => {
       const now = /* @__PURE__ */ new Date();
-      const today2 = `${now.toISOString().slice(0, 10)}_${now.getTime()}`;
-      const certificateSigningRequestFilename = import_node_path6.default.join(this.rootDir, "own/certs", `certificate_${today2}.csr`);
+      const today = `${now.toISOString().slice(0, 10)}_${now.getTime()}`;
+      const certificateSigningRequestFilename = import_node_path6.default.join(this.rootDir, "own/certs", `certificate_${today}.csr`);
       await createCertificateSigningRequestAsync(certificateSigningRequestFilename, _params);
       return certificateSigningRequestFilename;
     });
@@ -1805,13 +1855,13 @@ var CertificateManager = class {
       }
     }
     const pemCertificate = (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE");
-    const fingerprint2 = makeFingerprint(certificate);
-    if (this._thumbs.issuers.certs[fingerprint2]) {
+    const fingerprint = makeFingerprint(certificate);
+    if (this.#thumbs.issuers.certs.has(fingerprint)) {
       return "Good" /* Good */;
     }
     const filename = import_node_path6.default.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);
     await import_node_fs9.default.promises.writeFile(filename, pemCertificate, "ascii");
-    this._thumbs.issuers.certs[fingerprint2] = { certificate, filename };
+    this.#thumbs.issuers.certs.set(fingerprint, { certificate, filename });
     if (addInTrustList) {
       await this.trustCertificate(certificate);
     }
@@ -1825,18 +1875,18 @@ var CertificateManager = class {
   async addRevocationList(crl, target = "issuers") {
     return await this.withLock2(async () => {
       try {
-        const index = target === "trusted" ? this._thumbs.crl : this._thumbs.issuersCrl;
+        const index = target === "trusted" ? this.#thumbs.crl : this.#thumbs.issuersCrl;
         const folder = target === "trusted" ? this.crlFolder : this.issuersCrlFolder;
         const crlInfo = (0, import_node_opcua_crypto5.exploreCertificateRevocationList)(crl);
         const key = crlInfo.tbsCertList.issuerFingerprint;
-        if (!index[key]) {
-          index[key] = { crls: [], serialNumbers: {} };
+        if (!index.has(key)) {
+          index.set(key, { crls: [], serialNumbers: {} });
         }
         const pemCertificate = (0, import_node_opcua_crypto5.toPem)(crl, "X509 CRL");
         const filename = import_node_path6.default.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);
         await import_node_fs9.default.promises.writeFile(filename, pemCertificate, "ascii");
-        await this._on_crl_file_added(index, filename);
-        await this.waitAndCheckCRLProcessingStatus();
+        await this.#onCrlFileAdded(index, filename);
+        await this.#waitAndCheckCRLProcessingStatus();
         return "Good" /* Good */;
       } catch (err) {
         debugLog(err);
@@ -1865,15 +1915,13 @@ var CertificateManager = class {
           throw err;
         }
       }
-      for (const key of Object.keys(index)) {
-        delete index[key];
-      }
+      index.clear();
     };
     if (target === "issuers" || target === "all") {
-      await clearFolder(this.issuersCrlFolder, this._thumbs.issuersCrl);
+      await clearFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl);
     }
     if (target === "trusted" || target === "all") {
-      await clearFolder(this.crlFolder, this._thumbs.crl);
+      await clearFolder(this.crlFolder, this.#thumbs.crl);
     }
   }
   /**
@@ -1882,9 +1930,9 @@ var CertificateManager = class {
    * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)
    */
   async hasIssuer(thumbprint) {
-    await this._readCertificates();
+    await this.#readCertificates();
     const normalized = thumbprint.toLowerCase();
-    return Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, normalized);
+    return this.#thumbs.issuers.certs.has(normalized);
   }
   /**
    * Remove a trusted certificate identified by its SHA-1 thumbprint.
@@ -1894,9 +1942,9 @@ var CertificateManager = class {
    * @returns the removed certificate buffer, or `null` if not found
    */
   async removeTrustedCertificate(thumbprint) {
-    await this._readCertificates();
+    await this.#readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.trusted[normalized];
+    const entry = this.#thumbs.trusted.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1907,7 +1955,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.trusted[normalized];
+    this.#thumbs.trusted.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1918,9 +1966,9 @@ var CertificateManager = class {
    * @returns the removed certificate buffer, or `null` if not found
    */
   async removeIssuer(thumbprint) {
-    await this._readCertificates();
+    await this.#readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.issuers.certs[normalized];
+    const entry = this.#thumbs.issuers.certs.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1931,7 +1979,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.issuers.certs[normalized];
+    this.#thumbs.issuers.certs.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1944,7 +1992,7 @@ var CertificateManager = class {
     const issuerInfo = (0, import_node_opcua_crypto5.exploreCertificate)(issuerCertificate);
     const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;
     const processIndex = async (index) => {
-      const crlData = index[issuerFingerprint];
+      const crlData = index.get(issuerFingerprint);
       if (!crlData) return;
       for (const crlEntry of crlData.crls) {
         try {
@@ -1955,13 +2003,13 @@ var CertificateManager = class {
           }
         }
       }
-      delete index[issuerFingerprint];
+      index.delete(issuerFingerprint);
     };
     if (target === "issuers" || target === "all") {
-      await processIndex(this._thumbs.issuersCrl);
+      await processIndex(this.#thumbs.issuersCrl);
     }
     if (target === "trusted" || target === "all") {
-      await processIndex(this._thumbs.crl);
+      await processIndex(this.#thumbs.crl);
     }
   }
   /**
@@ -1993,9 +2041,23 @@ var CertificateManager = class {
       return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
     if (certificates.length > 1) {
+      const issuerFolder = this.issuersCertFolder;
+      const issuerThumbprints = /* @__PURE__ */ new Set();
+      const files = await import_node_fs9.default.promises.readdir(issuerFolder);
+      for (const file of files) {
+        const ext = import_node_path6.default.extname(file).toLowerCase();
+        if (ext === ".pem" || ext === ".der") {
+          try {
+            const issuerCert = (0, import_node_opcua_crypto5.readCertificate)(import_node_path6.default.join(issuerFolder, file));
+            const fp = makeFingerprint(issuerCert);
+            issuerThumbprints.add(fp);
+          } catch (_err) {
+          }
+        }
+      }
       for (const issuerCert of certificates.slice(1)) {
         const thumbprint = makeFingerprint(issuerCert);
-        if (!Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, thumbprint)) {
+        if (!issuerThumbprints.has(thumbprint)) {
           return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
         }
       }
@@ -2016,8 +2078,8 @@ var CertificateManager = class {
    *   signed by this issuer.
    */
   async isIssuerInUseByTrustedCertificate(issuerCertificate) {
-    await this._readCertificates();
-    for (const entry of Object.values(this._thumbs.trusted)) {
+    await this.#readCertificates();
+    for (const entry of this.#thumbs.trusted.values()) {
       if (!entry.certificate) continue;
       try {
         if ((0, import_node_opcua_crypto5.verifyCertificateSignature)(entry.certificate, issuerCertificate)) {
@@ -2052,7 +2114,7 @@ var CertificateManager = class {
       debugLog("Certificate has no extension 3");
       return null;
     }
-    const issuerCertificates = Object.values(this._thumbs.issuers.certs);
+    const issuerCertificates = [...this.#thumbs.issuers.certs.values()];
     const selectedIssuerCertificates = findMatchingIssuerKey(issuerCertificates, wantedIssuerKey);
     if (selectedIssuerCertificates.length > 0) {
       if (selectedIssuerCertificates.length > 1) {
@@ -2060,7 +2122,7 @@ var CertificateManager = class {
       }
       return selectedIssuerCertificates[0].certificate || null;
     }
-    const trustedCertificates = Object.values(this._thumbs.trusted);
+    const trustedCertificates = [...this.#thumbs.trusted.values()];
     const selectedTrustedCertificates = findMatchingIssuerKey(trustedCertificates, wantedIssuerKey);
     if (selectedTrustedCertificates.length > 1) {
       warningLog(
@@ -2072,53 +2134,78 @@ var CertificateManager = class {
     return selectedTrustedCertificates.length > 0 ? selectedTrustedCertificates[0].certificate : null;
   }
   /**
+   *
+   * check if the certificate explicitly appear in the trust list, the reject list or none.
+   * In case of being in the reject and trusted list at the same time is consider: rejected.
    * @internal
    * @private
    */
-  async _checkRejectedOrTrusted(certificate) {
-    (0, import_node_assert10.default)(certificate instanceof Buffer);
-    const fingerprint2 = makeFingerprint(certificate);
-    debugLog("_checkRejectedOrTrusted fingerprint ", short(fingerprint2));
-    await this._readCertificates();
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.rejected, fingerprint2)) {
+  async #checkRejectedOrTrusted(certificate) {
+    const fingerprint = makeFingerprint(certificate);
+    debugLog("#checkRejectedOrTrusted fingerprint ", short(fingerprint));
+    await this.#readCertificates();
+    if (this.#thumbs.rejected.has(fingerprint)) {
       return "rejected";
     }
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.trusted, fingerprint2)) {
+    if (this.#thumbs.trusted.has(fingerprint)) {
       return "trusted";
     }
     return "unknown";
   }
-  async _moveCertificate(certificate, newStatus) {
-    (0, import_node_assert10.default)(certificate instanceof Buffer);
-    const fingerprint2 = makeFingerprint(certificate);
-    const status = await this.getCertificateStatus(certificate);
-    debugLog("_moveCertificate", fingerprint2.substring(0, 10), "from", status, "to", newStatus);
-    (0, import_node_assert10.default)(status === "rejected" || status === "trusted");
-    if (status !== newStatus) {
-      const indexSrc = status === "rejected" ? this._thumbs.rejected : this._thumbs.trusted;
-      const certificateSrc = indexSrc[fingerprint2]?.filename;
-      if (!certificateSrc) {
-        debugLog(" cannot find certificate ", fingerprint2.substring(0, 10), " in", this._thumbs, [status]);
-        throw new Error("internal");
+  async #moveCertificate(certificate, newStatus) {
+    await this.withLock2(async () => {
+      const fingerprint = makeFingerprint(certificate);
+      let status = await this.#checkRejectedOrTrusted(certificate);
+      if (status === "unknown") {
+        const pem = (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE");
+        const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
+        await import_node_fs9.default.promises.writeFile(filename, pem);
+        this.#thumbs.rejected.set(fingerprint, { certificate, filename });
+        status = "rejected";
       }
-      const destFolder = newStatus === "rejected" ? this.rejectedFolder : newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
-      const certificateDest = import_node_path6.default.join(destFolder, import_node_path6.default.basename(certificateSrc));
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "old name", certificateSrc);
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "new name", certificateDest);
-      await import_node_fs9.default.promises.rename(certificateSrc, certificateDest);
-      delete indexSrc[fingerprint2];
-      const indexDest = newStatus === "rejected" ? this._thumbs.rejected : newStatus === "trusted" ? this._thumbs.trusted : this._thumbs.rejected;
-      indexDest[fingerprint2] = {
-        certificate,
-        filename: certificateDest
-      };
-    }
+      debugLog("#moveCertificate", fingerprint.substring(0, 10), "from", status, "to", newStatus);
+      if (status !== "rejected" && status !== "trusted") {
+        throw new Error(`#moveCertificate: unexpected status '${status}' for certificate ${fingerprint.substring(0, 10)}`);
+      }
+      if (status !== newStatus) {
+        const indexSrc = status === "rejected" ? this.#thumbs.rejected : this.#thumbs.trusted;
+        const srcEntry = indexSrc.get(fingerprint);
+        if (!srcEntry) {
+          debugLog(" cannot find certificate ", fingerprint.substring(0, 10), " in", status);
+          throw new Error(`#moveCertificate: certificate ${fingerprint.substring(0, 10)} not found in ${status} index`);
+        }
+        const destFolder = newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
+        const certificateDest = import_node_path6.default.join(destFolder, import_node_path6.default.basename(srcEntry.filename));
+        debugLog("#moveCertificate", fingerprint.substring(0, 10), "old name", srcEntry.filename);
+        debugLog("#moveCertificate", fingerprint.substring(0, 10), "new name", certificateDest);
+        await import_node_fs9.default.promises.rename(srcEntry.filename, certificateDest);
+        indexSrc.delete(fingerprint);
+        const indexDest = newStatus === "trusted" ? this.#thumbs.trusted : this.#thumbs.rejected;
+        indexDest.set(fingerprint, { certificate, filename: certificateDest });
+      }
+    });
   }
-  _findAssociatedCRLs(issuerCertificate) {
+  #findAssociatedCRLs(issuerCertificate) {
     const issuerCertificateInfo = (0, import_node_opcua_crypto5.exploreCertificate)(issuerCertificate);
     const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;
-    return this._thumbs.issuersCrl[key] ? this._thumbs.issuersCrl[key] : this._thumbs.crl[key] ? this._thumbs.crl[key] : null;
+    return this.#thumbs.issuersCrl.get(key) ?? this.#thumbs.crl.get(key) ?? null;
   }
+  /**
+   * Check whether a certificate has been revoked by its issuer's CRL.
+   *
+   * - Self-signed certificates are never considered revoked.
+   * - If no `issuerCertificate` is provided, the method attempts
+   *   to find it via {@link findIssuerCertificate}.
+   *
+   * @param certificate - the DER-encoded certificate to check
+   * @param issuerCertificate - optional issuer certificate; looked
+   *   up automatically when omitted
+   * @returns `Good` if not revoked, `BadCertificateRevoked` if the
+   *   serial number appears in a CRL,
+   *   `BadCertificateRevocationUnknown` if no CRL is available,
+   *   or `BadCertificateChainIncomplete` if the issuer cannot be
+   *   found.
+   */
   async isCertificateRevoked(certificate, issuerCertificate) {
     if (isSelfSigned3(certificate)) {
       return "Good" /* Good */;
@@ -2129,913 +2216,251 @@ var CertificateManager = class {
     if (!issuerCertificate) {
       return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
     }
-    const crls = this._findAssociatedCRLs(issuerCertificate);
+    const crls = this.#findAssociatedCRLs(issuerCertificate);
     if (!crls) {
       return "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */;
     }
     const certInfo = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
     const serialNumber = certInfo.tbsCertificate.serialNumber || certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial || "";
     const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint || "<unknown>";
-    const crl2 = this._thumbs.crl[key] || null;
+    const crl2 = this.#thumbs.crl.get(key) ?? null;
     if (crls.serialNumbers[serialNumber] || crl2?.serialNumbers[serialNumber]) {
       return "BadCertificateRevoked" /* BadCertificateRevoked */;
     }
     return "Good" /* Good */;
   }
-  _pending_crl_to_process = 0;
-  _on_crl_process;
-  queue = [];
-  _on_crl_file_added(index, filename) {
-    this.queue.push({ index, filename });
-    this._pending_crl_to_process += 1;
-    if (this._pending_crl_to_process === 1) {
-      this._process_next_crl();
+  #pendingCrlToProcess = 0;
+  #onCrlProcess;
+  #queue = [];
+  #onCrlFileAdded(index, filename) {
+    this.#queue.push({ index, filename });
+    this.#pendingCrlToProcess += 1;
+    if (this.#pendingCrlToProcess === 1) {
+      this.#processNextCrl();
     }
   }
-  async _process_next_crl() {
+  async #processNextCrl() {
     try {
-      const nextCRL = this.queue.shift();
+      const nextCRL = this.#queue.shift();
       if (!nextCRL) return;
       const { index, filename } = nextCRL;
       const crl = await (0, import_node_opcua_crypto5.readCertificateRevocationList)(filename);
       const crlInfo = (0, import_node_opcua_crypto5.exploreCertificateRevocationList)(crl);
       debugLog(import_chalk6.default.cyan("add CRL in folder "), filename);
-      const fingerprint2 = crlInfo.tbsCertList.issuerFingerprint;
-      index[fingerprint2] = index[fingerprint2] || {
-        crls: [],
-        serialNumbers: {}
-      };
-      index[fingerprint2].crls.push({ crlInfo, filename });
-      const serialNumbers = index[fingerprint2].serialNumbers;
+      const fingerprint = crlInfo.tbsCertList.issuerFingerprint;
+      if (!index.has(fingerprint)) {
+        index.set(fingerprint, { crls: [], serialNumbers: {} });
+      }
+      const data = index.get(fingerprint) || { crls: [], serialNumbers: {} };
+      data.crls.push({ crlInfo, filename });
       for (const revokedCertificate of crlInfo.tbsCertList.revokedCertificates) {
         const serialNumber = revokedCertificate.userCertificate;
-        if (!serialNumbers[serialNumber]) {
-          serialNumbers[serialNumber] = revokedCertificate.revocationDate;
+        if (!data.serialNumbers[serialNumber]) {
+          data.serialNumbers[serialNumber] = revokedCertificate.revocationDate;
         }
       }
-      debugLog(import_chalk6.default.cyan("CRL"), fingerprint2, "serial numbers = ", Object.keys(serialNumbers));
+      debugLog(import_chalk6.default.cyan("CRL"), fingerprint, "serial numbers = ", Object.keys(data.serialNumbers));
     } catch (err) {
       debugLog("CRL filename error =");
       debugLog(err);
     }
-    this._pending_crl_to_process -= 1;
-    if (this._pending_crl_to_process === 0) {
-      if (this._on_crl_process) {
-        this._on_crl_process();
-        this._on_crl_process = void 0;
+    this.#pendingCrlToProcess -= 1;
+    if (this.#pendingCrlToProcess === 0) {
+      if (this.#onCrlProcess) {
+        this.#onCrlProcess();
+        this.#onCrlProcess = void 0;
       }
     } else {
-      this._process_next_crl();
+      this.#processNextCrl();
     }
   }
-  async _readCertificates() {
-    if (this._readCertificatesCalled) {
+  async #readCertificates() {
+    if (this.#readCertificatesCalled) {
       return;
     }
-    this._readCertificatesCalled = true;
-    const options = {
-      usePolling: true,
-      interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)),
-      persistent: false,
-      awaitWriteFinish: {
-        stabilityThreshold: 2e3,
-        pollInterval: 600
-      }
+    this.#readCertificatesCalled = true;
+    const usePolling = process.env.OPCUA_PKI_USE_POLLING === "true";
+    const chokidarOptions = {
+      usePolling,
+      ...usePolling ? { interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)) } : {},
+      persistent: false
     };
-    async function _walkCRLFiles(folder, index) {
-      await new Promise((resolve, _reject) => {
-        const w = import_chokidar.default.watch(folder, options);
-        w.on("unlink", (filename, stat) => {
-          filename;
-          stat;
-        });
-        w.on("add", (filename, stat) => {
-          stat;
-          this._on_crl_file_added(index, filename);
-        });
-        w.on("change", (path8, stat) => {
-          debugLog("change in folder ", folder, path8, stat);
-        });
-        this._watchers.push(w);
-        w.on("ready", () => {
-          resolve();
-        });
+    const createUnreffedWatcher = (folder) => {
+      const capturedHandles = [];
+      const origWatch = import_node_fs9.default.watch;
+      import_node_fs9.default.watch = ((...args) => {
+        const handle = origWatch.apply(import_node_fs9.default, args);
+        capturedHandles.push(handle);
+        return handle;
       });
-    }
-    async function _walkAllFiles(folder, index) {
-      const w = import_chokidar.default.watch(folder, options);
-      w.on("unlink", (filename, stat) => {
-        stat;
-        debugLog(import_chalk6.default.cyan(`unlink in folder ${folder}`), filename);
-        const h = this._filenameToHash[filename];
-        if (h && index[h]) {
-          delete index[h];
+      const w = import_chokidar.default.watch(folder, chokidarOptions);
+      const unreffAll = () => {
+        import_node_fs9.default.watch = origWatch;
+        for (const h of capturedHandles) {
+          h.unref();
         }
-      });
-      w.on("add", (filename, stat) => {
-        stat;
-        debugLog(import_chalk6.default.cyan(`add in folder ${folder}`), filename);
-        try {
-          const certificate = (0, import_node_opcua_crypto5.readCertificate)(filename);
-          const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
-          const fingerprint2 = makeFingerprint(certificate);
-          index[fingerprint2] = {
-            certificate,
-            filename
-          };
-          this._filenameToHash[filename] = fingerprint2;
-          debugLog(
-            import_chalk6.default.magenta("CERT"),
-            info.tbsCertificate.subjectFingerPrint,
-            info.tbsCertificate.serialNumber,
-            info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint
-          );
-        } catch (err) {
-          debugLog(`Walk files in folder ${folder} with file ${filename}`);
-          debugLog(err);
+      };
+      return { w, capturedHandles, unreffAll };
+    };
+    const promises = [
+      this.#walkAllFiles(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher),
+      this.#walkAllFiles(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher),
+      this.#walkAllFiles(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher),
+      this.#walkCRLFiles(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher),
+      this.#walkCRLFiles(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher)
+    ];
+    await Promise.all(promises);
+    await this.#waitAndCheckCRLProcessingStatus();
+  }
+  async #walkCRLFiles(folder, index, createUnreffedWatcher) {
+    await new Promise((resolve, _reject) => {
+      const { w, unreffAll } = createUnreffedWatcher(folder);
+      w.on("unlink", (filename) => {
+        for (const [key, data] of index.entries()) {
+          data.crls = data.crls.filter((c) => c.filename !== filename);
+          if (data.crls.length === 0) {
+            index.delete(key);
+          }
         }
       });
-      w.on("change", (path8, stat) => {
-        stat;
-        debugLog("change in folder ", folder, path8);
+      w.on("add", (filename) => {
+        this.#onCrlFileAdded(index, filename);
       });
-      this._watchers.push(w);
-      await new Promise((resolve, _reject) => {
-        w.on("ready", () => {
-          debugLog("ready");
-          debugLog(Object.entries(index).map((kv) => kv[0].substring(0, 10)));
-          resolve();
-        });
+      w.on("change", (changedPath) => {
+        debugLog("change in folder ", folder, changedPath);
+      });
+      this.#watchers.push(w);
+      w.on("ready", () => {
+        unreffAll();
+        resolve();
       });
-    }
-    const promises = [
-      _walkAllFiles.bind(this, this.trustedFolder, this._thumbs.trusted)(),
-      _walkAllFiles.bind(this, this.issuersCertFolder, this._thumbs.issuers.certs)(),
-      _walkAllFiles.bind(this, this.rejectedFolder, this._thumbs.rejected)(),
-      _walkCRLFiles.bind(this, this.crlFolder, this._thumbs.crl)(),
-      _walkCRLFiles.bind(this, this.issuersCrlFolder, this._thumbs.issuersCrl)()
-    ];
-    await Promise.all(promises);
-    await this.waitAndCheckCRLProcessingStatus();
-  }
-  // make sure that all crls have been processed.
-  async waitAndCheckCRLProcessingStatus() {
-    return new Promise((resolve, reject) => {
-      if (this._pending_crl_to_process === 0) {
-        setImmediate(resolve);
-        return;
-      }
-      if (this._on_crl_process) {
-        return reject(new Error("Internal Error"));
-      }
-      this._on_crl_process = resolve;
-    });
-  }
-};
-
-// packages/node-opcua-pki/lib/ca/crypto_create_CA.ts
-var import_command_line_args = __toESM(require("command-line-args"));
-var import_command_line_usage = __toESM(require("command-line-usage"));
-var epilog = "Copyright (c) sterfive - node-opcua - 2017-2026";
-function get_offset_date(date, nbDays) {
-  const d = new Date(date.getTime());
-  d.setDate(d.getDate() + nbDays);
-  return d;
-}
-var today = /* @__PURE__ */ new Date();
-var yesterday = get_offset_date(today, -1);
-var two_years_ago = get_offset_date(today, -2 * 365);
-var next_year = get_offset_date(today, 365);
-var gLocalConfig = {};
-var g_certificateAuthority;
-async function construct_CertificateAuthority2(subject) {
-  (0, import_node_assert11.default)(typeof gLocalConfig.CAFolder === "string", "expecting a CAFolder in config");
-  (0, import_node_assert11.default)(typeof gLocalConfig.keySize === "number", "expecting a keySize in config");
-  if (!g_certificateAuthority) {
-    g_certificateAuthority = new CertificateAuthority({
-      keySize: gLocalConfig.keySize,
-      location: gLocalConfig.CAFolder,
-      subject
-    });
-    await g_certificateAuthority.initialize();
-  }
-}
-var certificateManager;
-async function construct_CertificateManager() {
-  (0, import_node_assert11.default)(typeof gLocalConfig.PKIFolder === "string", "expecting a PKIFolder in config");
-  if (!certificateManager) {
-    certificateManager = new CertificateManager({
-      keySize: gLocalConfig.keySize,
-      location: gLocalConfig.PKIFolder
     });
-    await certificateManager.initialize();
   }
-}
-function default_template_content() {
-  if (process.pkg?.entrypoint) {
-    const a = import_node_fs10.default.readFileSync(import_node_path7.default.join(__dirname, "../../bin/pki_config.example.js"), "utf8");
-    return a;
-  }
-  function find_default_config_template() {
-    const rootFolder = find_module_root_folder();
-    const configName = "pki_config.example.js";
-    let default_config_template2 = import_node_path7.default.join(rootFolder, "bin", configName);
-    if (!import_node_fs10.default.existsSync(default_config_template2)) {
-      default_config_template2 = import_node_path7.default.join(__dirname, "..", configName);
-      if (!import_node_fs10.default.existsSync(default_config_template2)) {
-        default_config_template2 = import_node_path7.default.join(__dirname, `../bin/${configName}`);
+  async #walkAllFiles(folder, index, createUnreffedWatcher) {
+    const { w, unreffAll } = createUnreffedWatcher(folder);
+    w.on("unlink", (filename) => {
+      debugLog(import_chalk6.default.cyan(`unlink in folder ${folder}`), filename);
+      const h = this.#filenameToHash.get(filename);
+      if (h && index.has(h)) {
+        index.delete(h);
       }
-    }
-    return default_config_template2;
-  }
-  const default_config_template = find_default_config_template();
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(default_config_template));
-  const default_config_template_content = import_node_fs10.default.readFileSync(default_config_template, "utf8");
-  return default_config_template_content;
-}
-function find_module_root_folder() {
-  let rootFolder = import_node_path7.default.join(__dirname);
-  for (let i = 0; i < 4; i++) {
-    if (import_node_fs10.default.existsSync(import_node_path7.default.join(rootFolder, "package.json"))) {
-      return rootFolder;
-    }
-    rootFolder = import_node_path7.default.join(rootFolder, "..");
-  }
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(import_node_path7.default.join(rootFolder, "package.json")), "root folder must have a package.json file");
-  return rootFolder;
-}
-async function readConfiguration(argv) {
-  if (argv.silent) {
-    g_config.silent = true;
-  } else {
-    g_config.silent = false;
-  }
-  const fqdn2 = await extractFullyQualifiedDomainName();
-  const hostname = import_node_os4.default.hostname();
-  let certificateDir;
-  function performSubstitution(str) {
-    str = str.replace("{CWD}", process.cwd());
-    if (certificateDir) {
-      str = str.replace("{root}", certificateDir);
-    }
-    if (gLocalConfig?.PKIFolder) {
-      str = str.replace("{PKIFolder}", gLocalConfig.PKIFolder);
-    }
-    str = str.replace("{hostname}", hostname);
-    str = str.replace("%FQDN%", fqdn2);
-    return str;
-  }
-  function prepare(file) {
-    const tmp = import_node_path7.default.resolve(performSubstitution(file));
-    return makePath(tmp);
-  }
-  certificateDir = argv.root;
-  (0, import_node_assert11.default)(typeof certificateDir === "string");
-  certificateDir = prepare(certificateDir);
-  mkdirRecursiveSync(certificateDir);
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(certificateDir));
-  const default_config = import_node_path7.default.join(certificateDir, "config.js");
-  if (!import_node_fs10.default.existsSync(default_config)) {
-    debugLog(import_chalk7.default.yellow(" Creating default g_config file "), import_chalk7.default.cyan(default_config));
-    const default_config_template_content = default_template_content();
-    import_node_fs10.default.writeFileSync(default_config, default_config_template_content);
-  } else {
-    debugLog(import_chalk7.default.yellow(" using  g_config file "), import_chalk7.default.cyan(default_config));
-  }
-  if (!import_node_fs10.default.existsSync(default_config)) {
-    debugLog(import_chalk7.default.redBright(" cannot find config file ", default_config));
-  }
-  const defaultRandomFile = import_node_path7.default.join(import_node_path7.default.dirname(default_config), "random.rnd");
-  setEnv("RANDFILE", defaultRandomFile);
-  const _require = (0, import_node_module.createRequire)(__filename);
-  gLocalConfig = _require(default_config);
-  gLocalConfig.subject = new import_node_opcua_crypto6.Subject(gLocalConfig.subject || "");
-  if (argv.subject) {
-    gLocalConfig.subject = new import_node_opcua_crypto6.Subject(argv.subject);
-  }
-  if (!gLocalConfig.subject.commonName) {
-    throw new Error("subject must have a Common Name");
-  }
-  gLocalConfig.certificateDir = certificateDir;
-  let CAFolder = argv.CAFolder || import_node_path7.default.join(certificateDir, "CA");
-  CAFolder = prepare(CAFolder);
-  gLocalConfig.CAFolder = CAFolder;
-  gLocalConfig.PKIFolder = import_node_path7.default.join(gLocalConfig.certificateDir, "PKI");
-  if (argv.PKIFolder) {
-    gLocalConfig.PKIFolder = prepare(argv.PKIFolder);
-  }
-  gLocalConfig.PKIFolder = prepare(gLocalConfig.PKIFolder);
-  if (argv.privateKey) {
-    gLocalConfig.privateKey = prepare(argv.privateKey);
-  }
-  if (argv.applicationUri) {
-    gLocalConfig.applicationUri = performSubstitution(argv.applicationUri);
-  }
-  if (argv.output) {
-    gLocalConfig.outputFile = argv.output;
-  }
-  gLocalConfig.altNames = [];
-  if (argv.altNames) {
-    gLocalConfig.altNames = argv.altNames.split(";");
-  }
-  gLocalConfig.dns = [getFullyQualifiedDomainName()];
-  if (argv.dns) {
-    gLocalConfig.dns = argv.dns.split(",").map(performSubstitution);
-  }
-  gLocalConfig.ip = [];
-  if (argv.ip) {
-    gLocalConfig.ip = argv.ip.split(",");
-  }
-  if (argv.keySize) {
-    const v = argv.keySize;
-    if (v !== 1024 && v !== 2048 && v !== 3072 && v !== 4096) {
-      throw new Error(`invalid keysize specified ${v} should be 1024,2048,3072 or 4096`);
-    }
-    gLocalConfig.keySize = argv.keySize;
-  }
-  if (argv.validity) {
-    gLocalConfig.validity = argv.validity;
-  }
-}
-async function createDefaultCertificate(base_name, prefix, key_length, applicationUri, dev) {
-  (0, import_node_assert11.default)(key_length === 1024 || key_length === 2048 || key_length === 3072 || key_length === 4096);
-  const private_key_file = makePath(base_name, `${prefix}key_${key_length}.pem`);
-  const public_key_file = makePath(base_name, `${prefix}public_key_${key_length}.pub`);
-  const certificate_file = makePath(base_name, `${prefix}cert_${key_length}.pem`);
-  const certificate_file_outofdate = makePath(base_name, `${prefix}cert_${key_length}_outofdate.pem`);
-  const certificate_file_not_active_yet = makePath(base_name, `${prefix}cert_${key_length}_not_active_yet.pem`);
-  const certificate_revoked = makePath(base_name, `${prefix}cert_${key_length}_revoked.pem`);
-  const self_signed_certificate_file = makePath(base_name, `${prefix}selfsigned_cert_${key_length}.pem`);
-  const fqdn2 = getFullyQualifiedDomainName();
-  const hostname = import_node_os4.default.hostname();
-  const dns2 = [
-    // for conformance reason, localhost shall not be present in the DNS field of COP
-    // ***FORBIDEN** "localhost",
-    getFullyQualifiedDomainName()
-  ];
-  if (hostname !== fqdn2) {
-    dns2.push(hostname);
-  }
-  const ip = [];
-  async function createCertificateIfNotExist(certificate, private_key, applicationUri2, startDate, validity) {
-    if (import_node_fs10.default.existsSync(certificate)) {
-      warningLog(import_chalk7.default.yellow("         certificate"), import_chalk7.default.cyan(certificate), import_chalk7.default.yellow(" already exists => skipping"));
-      return "";
-    } else {
-      return await createCertificate(certificate, private_key, applicationUri2, startDate, validity);
-    }
-  }
-  async function createCertificate(certificate, privateKey, applicationUri2, startDate, validity) {
-    const certificateSigningRequestFile = `${certificate}.csr`;
-    const configFile = makePath(base_name, "../certificates/PKI/own/openssl.cnf");
-    const dns3 = [import_node_os4.default.hostname()];
-    const ip2 = ["127.0.0.1"];
-    const params = {
-      applicationUri: applicationUri2,
-      privateKey,
-      rootDir: ".",
-      configFile,
-      dns: dns3,
-      ip: ip2,
-      purpose: import_node_opcua_crypto6.CertificatePurpose.ForApplication
-    };
-    await createCertificateSigningRequestWithOpenSSL(certificateSigningRequestFile, params);
-    return await g_certificateAuthority.signCertificateRequest(certificate, certificateSigningRequestFile, {
-      applicationUri: applicationUri2,
-      dns: dns3,
-      ip: ip2,
-      startDate,
-      validity
     });
-  }
-  async function createSelfSignedCertificate2(certificate, private_key, applicationUri2, startDate, validity) {
-    await g_certificateAuthority.createSelfSignedCertificate(certificate, private_key, {
-      applicationUri: applicationUri2,
-      dns: dns2,
-      ip,
-      startDate,
-      validity
+    w.on("add", (filename) => {
+      debugLog(import_chalk6.default.cyan(`add in folder ${folder}`), filename);
+      try {
+        const certificate = (0, import_node_opcua_crypto5.readCertificate)(filename);
+        const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+        const fingerprint = makeFingerprint(certificate);
+        index.set(fingerprint, { certificate, filename, info });
+        this.#filenameToHash.set(filename, fingerprint);
+        debugLog(
+          import_chalk6.default.magenta("CERT"),
+          info.tbsCertificate.subjectFingerPrint,
+          info.tbsCertificate.serialNumber,
+          info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint
+        );
+      } catch (err) {
+        debugLog(`Walk files in folder ${folder} with file ${filename}`);
+        debugLog(err);
+      }
     });
-  }
-  async function revoke_certificate(certificate) {
-    await g_certificateAuthority.revokeCertificate(certificate, {});
-  }
-  async function createPrivateKeyIfNotExist(privateKey, keyLength) {
-    if (import_node_fs10.default.existsSync(privateKey)) {
-      warningLog(import_chalk7.default.yellow("         privateKey"), import_chalk7.default.cyan(privateKey), import_chalk7.default.yellow(" already exists => skipping"));
-      return;
-    } else {
-      await (0, import_node_opcua_crypto6.generatePrivateKeyFile)(privateKey, keyLength);
-    }
-  }
-  displaySubtitle(` create private key :${private_key_file}`);
-  await createPrivateKeyIfNotExist(private_key_file, key_length);
-  displaySubtitle(` extract public key ${public_key_file} from private key `);
-  await getPublicKeyFromPrivateKey(private_key_file, public_key_file);
-  displaySubtitle(` create Certificate ${certificate_file}`);
-  await createCertificateIfNotExist(certificate_file, private_key_file, applicationUri, yesterday, 365);
-  displaySubtitle(` create self signed Certificate ${self_signed_certificate_file}`);
-  if (import_node_fs10.default.existsSync(self_signed_certificate_file)) {
-    return;
-  }
-  await createSelfSignedCertificate2(self_signed_certificate_file, private_key_file, applicationUri, yesterday, 365);
-  if (dev) {
-    await createCertificateIfNotExist(certificate_file_outofdate, private_key_file, applicationUri, two_years_ago, 365);
-    await createCertificateIfNotExist(certificate_file_not_active_yet, private_key_file, applicationUri, next_year, 365);
-    if (!import_node_fs10.default.existsSync(certificate_revoked)) {
-      const certificate = await createCertificateIfNotExist(
-        certificate_revoked,
-        private_key_file,
-        `${applicationUri}Revoked`,
-        // make sure we used a uniq URI here
-        yesterday,
-        365
-      );
-      warningLog(" certificate to revoke => ", certificate);
-      revoke_certificate(certificate_revoked);
-    }
-  }
-}
-async function wrap(func) {
-  try {
-    await func();
-  } catch (err) {
-    console.log(err.message);
-  }
-}
-async function create_default_certificates(dev) {
-  (0, import_node_assert11.default)(gLocalConfig);
-  const base_name = gLocalConfig.certificateDir || "";
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(base_name));
-  let clientURN;
-  let serverURN;
-  let discoveryServerURN;
-  wrap(async () => {
-    await extractFullyQualifiedDomainName();
-    const hostname = import_node_os4.default.hostname();
-    const fqdn2 = getFullyQualifiedDomainName();
-    warningLog(import_chalk7.default.yellow("     hostname = "), import_chalk7.default.cyan(hostname));
-    warningLog(import_chalk7.default.yellow("     fqdn     = "), import_chalk7.default.cyan(fqdn2));
-    clientURN = makeApplicationUrn(hostname, "NodeOPCUA-Client");
-    serverURN = makeApplicationUrn(hostname, "NodeOPCUA-Server");
-    discoveryServerURN = makeApplicationUrn(hostname, "NodeOPCUA-DiscoveryServer");
-    displayTitle("Create  Application Certificate for Server & its private key");
-    await createDefaultCertificate(base_name, "client_", 1024, clientURN, dev);
-    await createDefaultCertificate(base_name, "client_", 2048, clientURN, dev);
-    await createDefaultCertificate(base_name, "client_", 3072, clientURN, dev);
-    await createDefaultCertificate(base_name, "client_", 4096, clientURN, dev);
-    displayTitle("Create  Application Certificate for Client & its private key");
-    await createDefaultCertificate(base_name, "server_", 1024, serverURN, dev);
-    await createDefaultCertificate(base_name, "server_", 2048, serverURN, dev);
-    await createDefaultCertificate(base_name, "server_", 3072, serverURN, dev);
-    await createDefaultCertificate(base_name, "server_", 4096, serverURN, dev);
-    displayTitle("Create  Application Certificate for DiscoveryServer & its private key");
-    await createDefaultCertificate(base_name, "discoveryServer_", 1024, discoveryServerURN, dev);
-    await createDefaultCertificate(base_name, "discoveryServer_", 2048, discoveryServerURN, dev);
-    await createDefaultCertificate(base_name, "discoveryServer_", 3072, discoveryServerURN, dev);
-    await createDefaultCertificate(base_name, "discoveryServer_", 4096, discoveryServerURN, dev);
-  });
-}
-async function createDefaultCertificates(dev) {
-  await construct_CertificateAuthority2("");
-  await construct_CertificateManager();
-  await create_default_certificates(dev);
-}
-var commonOptions = [
-  {
-    name: "root",
-    alias: "r",
-    type: String,
-    defaultValue: "{CWD}/certificates",
-    description: "the location of the Certificate folder"
-  },
-  {
-    name: "CAFolder",
-    alias: "c",
-    type: String,
-    defaultValue: "{root}/CA",
-    description: "the location of the Certificate Authority folder"
-  },
-  { name: "PKIFolder", type: String, defaultValue: "{root}/PKI", description: "the location of the Public Key Infrastructure" },
-  { name: "silent", type: Boolean, defaultValue: false, description: "minimize output" },
-  {
-    name: "privateKey",
-    alias: "p",
-    type: String,
-    defaultValue: "{PKIFolder}/own/private_key.pem",
-    description: "the private key to use to generate certificate"
-  },
-  {
-    name: "keySize",
-    alias: "k",
-    type: Number,
-    defaultValue: 2048,
-    description: "the private key size in bits (1024|2048|3072|4096)"
-  },
-  { name: "help", alias: "h", type: Boolean, description: "display this help" }
-];
-function getOptions(names) {
-  return commonOptions.filter((o) => names.includes(o.name) || o.name === "help" || o.name === "silent");
-}
-function showHelp(command, description, options, usage) {
-  const sections = [
-    {
-      header: `Command: ${command}`,
-      content: description
-    },
-    {
-      header: "Usage",
-      content: usage || `$0 ${command} [options]`
-    },
-    {
-      header: "Options",
-      optionList: options
-    }
-  ];
-  console.log((0, import_command_line_usage.default)(sections));
-}
-async function main(argumentsList) {
-  const mainDefinitions = [{ name: "command", defaultOption: true }];
-  let mainOptions;
-  try {
-    mainOptions = (0, import_command_line_args.default)(mainDefinitions, { argv: argumentsList, stopAtFirstUnknown: true });
-  } catch (err) {
-    console.log(err.message);
-    return;
-  }
-  const argv = mainOptions._unknown || [];
-  const command = mainOptions.command;
-  if (!command || command === "help") {
-    console.log(
-      (0, import_command_line_usage.default)([
-        {
-          header: "node-opcua-pki",
-          content: `PKI management for node-opcua
-
-${epilog}`
-        },
-        {
-          header: "Commands",
-          content: [
-            { name: "demo", summary: "create default certificate for node-opcua demos" },
-            { name: "createCA", summary: "create a Certificate Authority" },
-            { name: "createPKI", summary: "create a Public Key Infrastructure" },
-            { name: "certificate", summary: "create a new certificate" },
-            { name: "revoke <certificateFile>", summary: "revoke a existing certificate" },
-            { name: "csr", summary: "create a certificate signing request" },
-            { name: "sign", summary: "validate a certificate signing request and generate a certificate" },
-            { name: "dump <certificateFile>", summary: "display a certificate" },
-            { name: "toder <pemCertificate>", summary: "convert a certificate to a DER format with finger print" },
-            { name: "fingerprint <certificateFile>", summary: "print the certificate fingerprint" },
-            { name: "version", summary: "display the version number" }
-          ]
-        }
-      ])
-    );
-    return;
-  }
-  if (command === "version") {
-    const rootFolder = find_module_root_folder();
-    const pkg = JSON.parse(import_node_fs10.default.readFileSync(import_node_path7.default.join(rootFolder, "package.json"), "utf-8"));
-    console.log(pkg.version);
-    return;
-  }
-  if (command === "demo") {
-    const optionsDef = [
-      ...getOptions(["root", "silent"]),
-      { name: "dev", type: Boolean, description: "create all sort of fancy certificates for dev testing purposes" },
-      { name: "clean", type: Boolean, description: "Purge existing directory [use with care!]" }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help)
-      return showHelp(
-        "demo",
-        "create default certificate for node-opcua demos",
-        optionsDef,
-        "$0 demo [--dev] [--silent] [--clean]"
-      );
-    await wrap(async () => {
-      await ensure_openssl_installed();
-      displayChapter("Create Demo certificates");
-      displayTitle("reading configuration");
-      await readConfiguration(local_argv);
-      if (local_argv.clean) {
-        displayTitle("Cleaning old certificates");
-        (0, import_node_assert11.default)(gLocalConfig);
-        const certificateDir = gLocalConfig.certificateDir || "";
-        const files = await import_node_fs10.default.promises.readdir(certificateDir);
-        for (const file of files) {
-          if (file.includes(".pem") || file.includes(".pub")) {
-            await import_node_fs10.default.promises.unlink(import_node_path7.default.join(certificateDir, file));
-          }
+    w.on("change", (changedPath) => {
+      debugLog(import_chalk6.default.cyan(`change in folder ${folder}`), changedPath);
+      try {
+        const certificate = (0, import_node_opcua_crypto5.readCertificate)(changedPath);
+        const newFingerprint = makeFingerprint(certificate);
+        const oldHash = this.#filenameToHash.get(changedPath);
+        if (oldHash && oldHash !== newFingerprint) {
+          index.delete(oldHash);
         }
-        mkdirRecursiveSync(certificateDir);
+        index.set(newFingerprint, { certificate, filename: changedPath, info: (0, import_node_opcua_crypto5.exploreCertificate)(certificate) });
+        this.#filenameToHash.set(changedPath, newFingerprint);
+      } catch (err) {
+        debugLog(`change event: failed to re-read ${changedPath}`, err);
       }
-      displayTitle("create certificates");
-      await createDefaultCertificates(local_argv.dev);
-      displayChapter("Demo certificates  CREATED");
-    });
-    return;
-  }
-  if (command === "createCA") {
-    const optionsDef = [
-      ...getOptions(["root", "CAFolder", "keySize", "silent"]),
-      { name: "subject", type: String, defaultValue: defaultSubject, description: "the CA certificate subject" }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help) return showHelp("createCA", "create a Certificate Authority", optionsDef);
-    await wrap(async () => {
-      await ensure_openssl_installed();
-      await readConfiguration(local_argv);
-      await construct_CertificateAuthority2(local_argv.subject);
-    });
-    return;
-  }
-  if (command === "createPKI") {
-    const optionsDef = getOptions(["root", "PKIFolder", "keySize", "silent"]);
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help) return showHelp("createPKI", "create a Public Key Infrastructure", optionsDef);
-    await wrap(async () => {
-      await readConfiguration(local_argv);
-      await construct_CertificateManager();
     });
-    return;
-  }
-  if (command === "certificate") {
-    const optionsDef = [
-      ...getOptions(["root", "CAFolder", "PKIFolder", "privateKey", "silent"]),
-      {
-        name: "applicationUri",
-        alias: "a",
-        type: String,
-        defaultValue: "urn:{hostname}:Node-OPCUA-Server",
-        description: "the application URI"
-      },
-      {
-        name: "output",
-        alias: "o",
-        type: String,
-        defaultValue: "my_certificate.pem",
-        description: "the name of the generated certificate =>"
-      },
-      {
-        name: "selfSigned",
-        alias: "s",
-        type: Boolean,
-        defaultValue: false,
-        description: "if true, certificate will be self-signed"
-      },
-      { name: "validity", alias: "v", type: Number, description: "the certificate validity in days" },
-      {
-        name: "dns",
-        type: String,
-        defaultValue: "{hostname}",
-        description: "the list of valid domain name (comma separated)"
-      },
-      { name: "ip", type: String, defaultValue: "", description: "the list of valid IPs (comma separated)" },
-      {
-        name: "subject",
-        type: String,
-        defaultValue: "",
-        description: "the certificate subject ( for instance C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )"
-      }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help || !local_argv.applicationUri || !local_argv.output)
-      return showHelp("certificate", "create a new certificate", optionsDef);
-    async function command_certificate(local_argv2) {
-      const selfSigned = !!local_argv2.selfSigned;
-      if (!selfSigned) {
-        await command_full_certificate(local_argv2);
-      } else {
-        await command_selfsigned_certificate(local_argv2);
-      }
-    }
-    async function command_selfsigned_certificate(local_argv2) {
-      const _fqdn = await extractFullyQualifiedDomainName();
-      await readConfiguration(local_argv2);
-      await construct_CertificateManager();
-      displaySubtitle(` create self signed Certificate ${gLocalConfig.outputFile}`);
-      let subject = local_argv2.subject && local_argv2.subject.length > 1 ? new import_node_opcua_crypto6.Subject(local_argv2.subject) : gLocalConfig.subject || "";
-      subject = JSON.parse(JSON.stringify(subject));
-      const params = {
-        applicationUri: gLocalConfig.applicationUri || "",
-        dns: gLocalConfig.dns || [],
-        ip: gLocalConfig.ip || [],
-        outputFile: gLocalConfig.outputFile || "self_signed_certificate.pem",
-        startDate: gLocalConfig.startDate || /* @__PURE__ */ new Date(),
-        subject,
-        validity: gLocalConfig.validity || 365
-      };
-      await certificateManager.createSelfSignedCertificate(params);
-    }
-    async function command_full_certificate(local_argv2) {
-      await readConfiguration(local_argv2);
-      await construct_CertificateManager();
-      await construct_CertificateAuthority2("");
-      (0, import_node_assert11.default)(import_node_fs10.default.existsSync(gLocalConfig.CAFolder || ""), " CA folder must exist");
-      gLocalConfig.privateKey = void 0;
-      gLocalConfig.subject = local_argv2.subject && local_argv2.subject.length > 1 ? local_argv2.subject : gLocalConfig.subject;
-      const csr_file = await certificateManager.createCertificateRequest(
-        gLocalConfig
-      );
-      if (!csr_file) {
-        return;
-      }
-      warningLog(" csr_file = ", csr_file);
-      const certificate = csr_file.replace(".csr", ".pem");
-      if (import_node_fs10.default.existsSync(certificate)) {
-        throw new Error(` File ${certificate} already exist`);
-      }
-      await g_certificateAuthority.signCertificateRequest(
-        certificate,
-        csr_file,
-        gLocalConfig
-      );
-      (0, import_node_assert11.default)(typeof gLocalConfig.outputFile === "string");
-      import_node_fs10.default.writeFileSync(gLocalConfig.outputFile || "", import_node_fs10.default.readFileSync(certificate, "ascii"));
-    }
-    await wrap(async () => await command_certificate(local_argv));
-    return;
-  }
-  if (command === "revoke") {
-    const optionsDef = [{ name: "certificateFile", type: String, defaultOption: true }, ...getOptions(["root", "CAFolder"])];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help || !local_argv.certificateFile)
-      return showHelp(
-        "revoke <certificateFile>",
-        "revoke a existing certificate",
-        optionsDef,
-        "$0 revoke my_certificate.pem"
-      );
-    async function revoke_certificate(certificate) {
-      await g_certificateAuthority.revokeCertificate(certificate, {});
-    }
-    await wrap(async () => {
-      const certificate = import_node_path7.default.resolve(local_argv.certificateFile);
-      warningLog(import_chalk7.default.yellow(" Certificate to revoke : "), import_chalk7.default.cyan(certificate));
-      if (!import_node_fs10.default.existsSync(certificate)) {
-        throw new Error(`cannot find certificate to revoke ${certificate}`);
-      }
-      await readConfiguration(local_argv);
-      await construct_CertificateAuthority2("");
-      await revoke_certificate(certificate);
-      warningLog("done ... ");
-      warningLog("  crl = ", g_certificateAuthority.revocationList);
-      warningLog("\nyou should now publish the new Certificate Revocation List");
+    this.#watchers.push(w);
+    await new Promise((resolve, _reject) => {
+      w.on("ready", () => {
+        unreffAll();
+        debugLog("ready");
+        debugLog([...index.keys()].map((k) => k.substring(0, 10)));
+        resolve();
+      });
     });
-    return;
   }
-  if (command === "csr") {
-    const optionsDef = [
-      ...getOptions(["root", "PKIFolder", "privateKey", "silent"]),
-      {
-        name: "applicationUri",
-        alias: "a",
-        type: String,
-        defaultValue: "urn:{hostname}:Node-OPCUA-Server",
-        description: "the application URI"
-      },
-      {
-        name: "output",
-        alias: "o",
-        type: String,
-        defaultValue: "my_certificate_signing_request.csr",
-        description: "the name of the generated signing_request"
-      },
-      {
-        name: "dns",
-        type: String,
-        defaultValue: "{hostname}",
-        description: "the list of valid domain name (comma separated)"
-      },
-      { name: "ip", type: String, defaultValue: "", description: "the list of valid IPs (comma separated)" },
-      {
-        name: "subject",
-        type: String,
-        defaultValue: "/CN=Certificate",
-        description: "the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )"
-      }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help) return showHelp("csr", "create a certificate signing request", optionsDef);
-    await wrap(async () => {
-      await readConfiguration(local_argv);
-      if (!import_node_fs10.default.existsSync(gLocalConfig.PKIFolder || "")) {
-        warningLog("PKI folder must exist");
-      }
-      await construct_CertificateManager();
-      if (!gLocalConfig.outputFile || import_node_fs10.default.existsSync(gLocalConfig.outputFile)) {
-        throw new Error(` File ${gLocalConfig.outputFile} already exist`);
-      }
-      gLocalConfig.privateKey = void 0;
-      gLocalConfig.subject = local_argv.subject && local_argv.subject.length > 1 ? local_argv.subject : gLocalConfig.subject;
-      const internal_csr_file = await certificateManager.createCertificateRequest(
-        gLocalConfig
-      );
-      if (!internal_csr_file) {
-        return;
-      }
-      if (!gLocalConfig.outputFile) {
-        warningLog("please specify a output file");
+  // make sure that all crls have been processed.
+  async #waitAndCheckCRLProcessingStatus() {
+    return new Promise((resolve, reject) => {
+      if (this.#pendingCrlToProcess === 0) {
+        setImmediate(resolve);
         return;
       }
-      const csr = await import_node_fs10.default.promises.readFile(internal_csr_file, "utf-8");
-      import_node_fs10.default.writeFileSync(gLocalConfig.outputFile || "", csr, "utf-8");
-      warningLog("Subject        = ", gLocalConfig.subject);
-      warningLog("applicationUri = ", gLocalConfig.applicationUri);
-      warningLog("altNames       = ", gLocalConfig.altNames);
-      warningLog("dns            = ", gLocalConfig.dns);
-      warningLog("ip             = ", gLocalConfig.ip);
-      warningLog("CSR file = ", gLocalConfig.outputFile);
-    });
-    return;
-  }
-  if (command === "sign") {
-    const optionsDef = [
-      ...getOptions(["root", "CAFolder", "silent"]),
-      { name: "csr", alias: "i", type: String, defaultValue: "my_certificate_signing_request.csr", description: "the csr" },
-      {
-        name: "output",
-        alias: "o",
-        type: String,
-        defaultValue: "my_certificate.pem",
-        description: "the name of the generated certificate"
-      },
-      { name: "validity", alias: "v", type: Number, defaultValue: 365, description: "the certificate validity in days" }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help || !local_argv.csr || !local_argv.output)
-      return showHelp("sign", "validate a certificate signing request and generate a certificate", optionsDef);
-    await wrap(async () => {
-      await readConfiguration(local_argv);
-      if (!import_node_fs10.default.existsSync(gLocalConfig.CAFolder || "")) {
-        throw new Error(`CA folder must exist:${gLocalConfig.CAFolder}`);
-      }
-      await construct_CertificateAuthority2("");
-      const csr_file = import_node_path7.default.resolve(local_argv.csr || "");
-      if (!import_node_fs10.default.existsSync(csr_file)) {
-        throw new Error(`Certificate signing request doesn't exist: ${csr_file}`);
-      }
-      const certificate = import_node_path7.default.resolve(local_argv.output || csr_file.replace(".csr", ".pem"));
-      if (import_node_fs10.default.existsSync(certificate)) {
-        throw new Error(` File ${certificate} already exist`);
+      if (this.#onCrlProcess) {
+        return reject(new Error("Internal Error"));
       }
-      await g_certificateAuthority.signCertificateRequest(
-        certificate,
-        csr_file,
-        gLocalConfig
-      );
-      (0, import_node_assert11.default)(typeof gLocalConfig.outputFile === "string");
-      import_node_fs10.default.writeFileSync(gLocalConfig.outputFile || "", import_node_fs10.default.readFileSync(certificate, "ascii"));
-    });
-    return;
-  }
-  if (command === "dump") {
-    const optionsDef = [
-      { name: "certificateFile", type: String, defaultOption: true },
-      { name: "help", alias: "h", type: Boolean }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help || !local_argv.certificateFile)
-      return showHelp("dump <certificateFile>", "display a certificate", optionsDef);
-    await wrap(async () => {
-      const data = await dumpCertificate(local_argv.certificateFile);
-      warningLog(data);
-    });
-    return;
-  }
-  if (command === "toder") {
-    const optionsDef = [
-      { name: "pemCertificate", type: String, defaultOption: true },
-      { name: "help", alias: "h", type: Boolean }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help || !local_argv.pemCertificate)
-      return showHelp("toder <pemCertificate>", "convert a certificate to a DER format with finger print", optionsDef);
-    await wrap(async () => {
-      await toDer(local_argv.pemCertificate);
+      this.#onCrlProcess = resolve;
     });
-    return;
-  }
-  if (command === "fingerprint") {
-    const optionsDef = [
-      { name: "certificateFile", type: String, defaultOption: true },
-      { name: "help", alias: "h", type: Boolean }
-    ];
-    const local_argv = (0, import_command_line_args.default)(optionsDef, { argv });
-    if (local_argv.help || !local_argv.certificateFile)
-      return showHelp("fingerprint <certificateFile>", "print the certificate fingerprint", optionsDef);
-    await wrap(async () => {
-      const certificate = local_argv.certificateFile;
-      const data = await fingerprint(certificate);
-      if (!data) return;
-      const s = data.split("=")[1].split(":").join("").trim();
-      warningLog(s);
-    });
-    return;
   }
-  console.log(`Unknown command: ${command}`);
+};
+
+// packages/node-opcua-pki/lib/pki/toolbox_pfx.ts
+var import_node_assert9 = __toESM(require("assert"));
+var import_node_fs10 = __toESM(require("fs"));
+var q2 = quote;
+var n3 = makePath;
+async function createPFX(options) {
+  const { certificateFile, privateKeyFile, outputFile, passphrase = "", caCertificateFiles } = options;
+  (0, import_node_assert9.default)(import_node_fs10.default.existsSync(certificateFile), `Certificate file does not exist: ${certificateFile}`);
+  (0, import_node_assert9.default)(import_node_fs10.default.existsSync(privateKeyFile), `Private key file does not exist: ${privateKeyFile}`);
+  let cmd = `pkcs12 -export`;
+  cmd += ` -in ${q2(n3(certificateFile))}`;
+  cmd += ` -inkey ${q2(n3(privateKeyFile))}`;
+  if (caCertificateFiles) {
+    for (const caFile of caCertificateFiles) {
+      (0, import_node_assert9.default)(import_node_fs10.default.existsSync(caFile), `CA certificate file does not exist: ${caFile}`);
+      cmd += ` -certfile ${q2(n3(caFile))}`;
+    }
+  }
+  cmd += ` -out ${q2(n3(outputFile))}`;
+  cmd += ` -passout pass:${passphrase}`;
+  await execute_openssl(cmd, {});
+}
+async function extractCertificateFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  (0, import_node_assert9.default)(import_node_fs10.default.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -clcerts -nokeys -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractPrivateKeyFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  (0, import_node_assert9.default)(import_node_fs10.default.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -nocerts -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractCACertificatesFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  (0, import_node_assert9.default)(import_node_fs10.default.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -cacerts -nokeys -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractAllFromPFX(options) {
+  const [certificate, privateKey, caCertificates] = await Promise.all([
+    extractCertificateFromPFX(options),
+    extractPrivateKeyFromPFX(options),
+    extractCACertificatesFromPFX(options)
+  ]);
+  return { certificate, privateKey, caCertificates };
+}
+async function convertPFXtoPEM(pfxFile, pemFile, passphrase = "") {
+  (0, import_node_assert9.default)(import_node_fs10.default.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -out ${q2(n3(pemFile))} -nodes -passin pass:${passphrase}`;
+  await execute_openssl(cmd, {});
+}
+async function dumpPFX(pfxFile, passphrase = "") {
+  (0, import_node_assert9.default)(import_node_fs10.default.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -info -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -3046,22 +2471,15 @@ ${epilog}`
   VerificationStatus,
   adjustApplicationUri,
   adjustDate,
-  certificateFileExist,
-  debugLog,
-  display,
-  displayChapter,
-  displayDebug,
-  displayError,
-  displaySubtitle,
-  displayTitle,
-  doDebug,
+  convertPFXtoPEM,
+  createPFX,
+  dumpPFX,
+  extractAllFromPFX,
+  extractCACertificatesFromPFX,
+  extractCertificateFromPFX,
+  extractPrivateKeyFromPFX,
   findIssuerCertificateInChain,
-  g_config,
   install_prerequisite,
-  makePath,
-  mkdirRecursiveSync,
-  pki_main,
-  quote,
-  warningLog
+  quote
 });
 //# sourceMappingURL=index.js.map