node-opcua-pki 6.3.0 → 6.5.0

package/dist/index.mjs

@@ -1,15 +1,7 @@
-// node_modules/tsup/assets/esm_shims.js
-import path from "path";
-import { fileURLToPath } from "url";
-var getFilename = () => fileURLToPath(import.meta.url);
-var getDirname = () => path.dirname(getFilename());
-var __dirname = /* @__PURE__ */ getDirname();
-var __filename = /* @__PURE__ */ getFilename();
-
 // packages/node-opcua-pki/lib/ca/certificate_authority.ts
 import assert6 from "assert";
 import fs6 from "fs";
-import path6 from "path";
+import path5 from "path";
 import chalk5 from "chalk";
 import {
   exploreCertificateSigningRequest,
@@ -43,7 +35,7 @@ function adjustApplicationUri(params) {
 // packages/node-opcua-pki/lib/toolbox/common2.ts
 import assert2 from "assert";
 import fs from "fs";
-import path2 from "path";
+import path from "path";
 import chalk from "chalk";
 
 // packages/node-opcua-pki/lib/toolbox/config.ts
@@ -85,7 +77,7 @@ function mkdirRecursiveSync(folder) {
 function makePath(folderName, filename) {
   let s;
   if (filename) {
-    s = path2.join(path2.normalize(folderName), filename);
+    s = path.join(path.normalize(folderName), filename);
   } else {
     assert2(folderName);
     s = folderName;
@@ -96,13 +88,6 @@ function makePath(folderName, filename) {
 
 // packages/node-opcua-pki/lib/toolbox/display.ts
 import chalk2 from "chalk";
-function displayChapter(str) {
-  const l = "                                                                                               ";
-  warningLog(`${chalk2.bgWhite(l)} `);
-  str = `        ${str}${l}`.substring(0, l.length);
-  warningLog(chalk2.bgWhite.cyan(str));
-  warningLog(`${chalk2.bgWhite(l)} `);
-}
 function displayTitle(str) {
   if (!g_config.silent) {
     warningLog("");
@@ -168,7 +153,7 @@ function processAltNames(params) {
 // packages/node-opcua-pki/lib/toolbox/with_openssl/create_certificate_signing_request.ts
 import assert5 from "assert";
 import fs5 from "fs";
-import path5 from "path";
+import path4 from "path";
 
 // packages/node-opcua-pki/lib/misc/subject.ts
 import { Subject } from "node-opcua-crypto";
@@ -185,7 +170,7 @@ import chalk4 from "chalk";
 import child_process from "child_process";
 import fs2 from "fs";
 import os from "os";
-import path3 from "path";
+import path2 from "path";
 import url from "url";
 import byline from "byline";
 import chalk3 from "chalk";
@@ -286,19 +271,19 @@ async function check_system_openssl_version() {
   return output;
 }
 async function install_and_check_win32_openssl_version() {
-  const downloadFolder = path3.join(os.tmpdir(), ".");
+  const downloadFolder = path2.join(os.tmpdir(), ".");
   function get_openssl_folder_win32() {
     if (process.env.LOCALAPPDATA) {
-      const userProgramFolder = path3.join(process.env.LOCALAPPDATA, "Programs");
+      const userProgramFolder = path2.join(process.env.LOCALAPPDATA, "Programs");
       if (fs2.existsSync(userProgramFolder)) {
-        return path3.join(userProgramFolder, "openssl");
+        return path2.join(userProgramFolder, "openssl");
       }
     }
-    return path3.join(process.cwd(), "openssl");
+    return path2.join(process.cwd(), "openssl");
   }
   function get_openssl_exec_path_win32() {
     const opensslFolder2 = get_openssl_folder_win32();
-    return path3.join(opensslFolder2, "openssl.exe");
+    return path2.join(opensslFolder2, "openssl.exe");
   }
   async function check_openssl_win32() {
     const opensslExecPath2 = get_openssl_exec_path_win32();
@@ -338,7 +323,7 @@ async function install_and_check_win32_openssl_version() {
   }
   async function download_openssl() {
     const url2 = win32or64() === 64 ? "https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-x64_86-win64.zip" : "https://github.com/node-opcua/node-opcua-pki/releases/download/2.14.2/openssl-1.0.2u-i386-win32.zip";
-    const outputFilename = path3.join(downloadFolder, path3.basename(url2));
+    const outputFilename = path2.join(downloadFolder, path2.basename(url2));
     warningLog(`downloading ${chalk3.yellow(url2)} to ${outputFilename}`);
     if (fs2.existsSync(outputFilename)) {
       return { downloadedFile: outputFilename };
@@ -403,7 +388,7 @@ async function install_and_check_win32_openssl_version() {
           if (err) {
             return reject(err);
           }
-          const file = path3.join(opensslFolder2, entry.fileName);
+          const file = path2.join(opensslFolder2, entry.fileName);
           if (doDebug2) {
             warningLog(" unzipping :", file);
           }
@@ -574,7 +559,7 @@ async function execute_openssl(cmd, options) {
 // packages/node-opcua-pki/lib/toolbox/with_openssl/toolbox.ts
 import assert4 from "assert";
 import fs4 from "fs";
-import path4 from "path";
+import path3 from "path";
 function openssl_require2DigitYearInDate() {
   if (!g_config.opensslVersion) {
     throw new Error(
@@ -587,26 +572,20 @@ g_config.opensslVersion = "";
 var _counter = 0;
 function generateStaticConfig(configPath, options) {
   const prePath = options?.cwd || "";
-  const originalFilename = !path4.isAbsolute(configPath) ? path4.join(prePath, configPath) : configPath;
+  const originalFilename = !path3.isAbsolute(configPath) ? path3.join(prePath, configPath) : configPath;
   let staticConfig = fs4.readFileSync(originalFilename, { encoding: "utf8" });
   for (const envVar of getEnvironmentVarNames()) {
     staticConfig = staticConfig.replace(new RegExp(envVar.pattern, "gi"), getEnv(envVar.key));
   }
   const staticConfigPath = `${configPath}.${process.pid}-${_counter++}.tmp`;
-  const temporaryConfigPath = !path4.isAbsolute(configPath) ? path4.join(prePath, staticConfigPath) : staticConfigPath;
+  const temporaryConfigPath = !path3.isAbsolute(configPath) ? path3.join(prePath, staticConfigPath) : staticConfigPath;
   fs4.writeFileSync(temporaryConfigPath, staticConfig);
   if (options?.cwd) {
-    return path4.relative(options.cwd, temporaryConfigPath);
+    return path3.relative(options.cwd, temporaryConfigPath);
   } else {
     return temporaryConfigPath;
   }
 }
-var q = quote;
-var n2 = makePath;
-async function getPublicKeyFromPrivateKey(privateKeyFilename, publicKeyFilename) {
-  assert4(fs4.existsSync(privateKeyFilename));
-  await execute_openssl(`rsa -pubout -in ${q(n2(privateKeyFilename))} -out ${q(n2(publicKeyFilename))}`, {});
-}
 function x509Date(date) {
   date = date || /* @__PURE__ */ new Date();
   const Y = date.getUTCFullYear();
@@ -624,45 +603,6 @@ function x509Date(date) {
     return `${w(Y, 4) + w(M, 2) + w(D, 2) + w(h, 2) + w(m, 2) + w(s, 2)}Z`;
   }
 }
-async function dumpCertificate(certificate) {
-  assert4(fs4.existsSync(certificate));
-  return await execute_openssl(`x509  -in ${q(n2(certificate))} -text  -noout`, {});
-}
-async function toDer(certificatePem) {
-  assert4(fs4.existsSync(certificatePem));
-  const certificateDer = certificatePem.replace(".pem", ".der");
-  return await execute_openssl(`x509   -outform der  -in ${certificatePem} -out ${certificateDer}`, {});
-}
-async function fingerprint(certificatePem) {
-  assert4(fs4.existsSync(certificatePem));
-  return await execute_openssl(`x509   -fingerprint  -noout  -in ${certificatePem}`, {});
-}
-
-// packages/node-opcua-pki/lib/toolbox/with_openssl/create_certificate_signing_request.ts
-var q2 = quote;
-var n3 = makePath;
-async function createCertificateSigningRequestWithOpenSSL(certificateSigningRequestFilename, params) {
-  assert5(params);
-  assert5(params.rootDir);
-  assert5(params.configFile);
-  assert5(params.privateKey);
-  assert5(typeof params.privateKey === "string");
-  assert5(fs5.existsSync(params.configFile), `config file must exist ${params.configFile}`);
-  assert5(fs5.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
-  assert5(fs5.existsSync(params.rootDir), "RootDir key must exist");
-  assert5(typeof certificateSigningRequestFilename === "string");
-  processAltNames(params);
-  const configFile = generateStaticConfig(params.configFile, { cwd: params.rootDir });
-  const options = { cwd: params.rootDir, openssl_conf: path5.relative(params.rootDir, configFile) };
-  const configOption = ` -config ${q2(n3(configFile))}`;
-  const subject = params.subject ? new Subject(params.subject).toString() : void 0;
-  const subjectOptions = subject ? ` -subj "${subject}"` : "";
-  displaySubtitle("- Creating a Certificate Signing Request with openssl");
-  await execute_openssl(
-    "req -new  -sha256  -batch  -text " + configOption + " -key " + q2(n3(params.privateKey)) + subjectOptions + " -out " + q2(n3(certificateSigningRequestFilename)),
-    options
-  );
-}
 
 // packages/node-opcua-pki/lib/ca/templates/ca_config_template.cnf.ts
 var config = `#.........DO NOT MODIFY BY HAND .........................
@@ -800,45 +740,45 @@ var config2 = {
   forceCA: false,
   pkiDir: "INVALID"
 };
-var n4 = makePath;
-var q3 = quote;
+var n2 = makePath;
+var q = quote;
 function octetStringToIpAddress(a) {
   return parseInt(a.substring(0, 2), 16).toString() + "." + parseInt(a.substring(2, 4), 16).toString() + "." + parseInt(a.substring(4, 6), 16).toString() + "." + parseInt(a.substring(6, 8), 16).toString();
 }
 assert6(octetStringToIpAddress("c07b9179") === "192.123.145.121");
 async function construct_CertificateAuthority(certificateAuthority) {
   const subject = certificateAuthority.subject;
-  const caRootDir = path6.resolve(certificateAuthority.rootDir);
+  const caRootDir = path5.resolve(certificateAuthority.rootDir);
   async function make_folders() {
     mkdirRecursiveSync(caRootDir);
-    mkdirRecursiveSync(path6.join(caRootDir, "private"));
-    mkdirRecursiveSync(path6.join(caRootDir, "public"));
-    mkdirRecursiveSync(path6.join(caRootDir, "certs"));
-    mkdirRecursiveSync(path6.join(caRootDir, "crl"));
-    mkdirRecursiveSync(path6.join(caRootDir, "conf"));
+    mkdirRecursiveSync(path5.join(caRootDir, "private"));
+    mkdirRecursiveSync(path5.join(caRootDir, "public"));
+    mkdirRecursiveSync(path5.join(caRootDir, "certs"));
+    mkdirRecursiveSync(path5.join(caRootDir, "crl"));
+    mkdirRecursiveSync(path5.join(caRootDir, "conf"));
   }
   await make_folders();
   async function construct_default_files() {
-    const serial = path6.join(caRootDir, "serial");
+    const serial = path5.join(caRootDir, "serial");
     if (!fs6.existsSync(serial)) {
       await fs6.promises.writeFile(serial, "1000");
     }
-    const crlNumber = path6.join(caRootDir, "crlnumber");
+    const crlNumber = path5.join(caRootDir, "crlnumber");
     if (!fs6.existsSync(crlNumber)) {
       await fs6.promises.writeFile(crlNumber, "1000");
     }
-    const indexFile = path6.join(caRootDir, "index.txt");
+    const indexFile = path5.join(caRootDir, "index.txt");
     if (!fs6.existsSync(indexFile)) {
       await fs6.promises.writeFile(indexFile, "");
     }
   }
   await construct_default_files();
-  if (fs6.existsSync(path6.join(caRootDir, "private/cakey.pem")) && !config2.forceCA) {
+  if (fs6.existsSync(path5.join(caRootDir, "private/cakey.pem")) && !config2.forceCA) {
     debugLog("CA private key already exists ... skipping");
     return;
   }
   displayTitle("Create Certificate Authority (CA)");
-  const indexFileAttr = path6.join(caRootDir, "index.txt.attr");
+  const indexFileAttr = path5.join(caRootDir, "index.txt.attr");
   if (!fs6.existsSync(indexFileAttr)) {
     await fs6.promises.writeFile(indexFileAttr, "unique_subject = no");
   }
@@ -852,20 +792,20 @@ async function construct_CertificateAuthority(certificateAuthority) {
   processAltNames({});
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
-  const configOption = ` -config ${q3(n4(configFile))}`;
+  const configOption = ` -config ${q(n2(configFile))}`;
   const keySize = certificateAuthority.keySize;
-  const privateKeyFilename = path6.join(caRootDir, "private/cakey.pem");
-  const csrFilename = path6.join(caRootDir, "private/cakey.csr");
+  const privateKeyFilename = path5.join(caRootDir, "private/cakey.pem");
+  const csrFilename = path5.join(caRootDir, "private/cakey.csr");
   displayTitle(`Generate the CA private Key - ${keySize}`);
   await generatePrivateKeyFile(privateKeyFilename, keySize);
   displayTitle("Generate a certificate request for the CA key");
   await execute_openssl(
-    "req -new -sha256  -text  -extensions v3_ca" + configOption + " -key " + q3(n4(privateKeyFilename)) + " -out " + q3(n4(csrFilename)) + " " + subjectOpt,
+    "req -new -sha256  -text  -extensions v3_ca" + configOption + " -key " + q(n2(privateKeyFilename)) + " -out " + q(n2(csrFilename)) + " " + subjectOpt,
     options
   );
   displayTitle("Generate CA Certificate (self-signed)");
   await execute_openssl(
-    " x509 -sha256 -req -days 3650  -text  -extensions v3_ca -extfile " + q3(n4(configFile)) + " -in private/cakey.csr  -signkey " + q3(n4(privateKeyFilename)) + " -out public/cacert.pem",
+    " x509 -sha256 -req -days 3650  -text  -extensions v3_ca -extfile " + q(n2(configFile)) + " -in private/cakey.csr  -signkey " + q(n2(privateKeyFilename)) + " -out public/cacert.pem",
     options
   );
   displaySubtitle("generate initial CRL (Certificate Revocation List)");
@@ -877,11 +817,14 @@ async function regenerateCrl(revocationList, configOption, options) {
   await execute_openssl(`ca -gencrl ${configOption} -out crl/revocation_list.crl`, options);
   await execute_openssl("crl  -in  crl/revocation_list.crl -out  crl/revocation_list.der  -outform der", options);
   displaySubtitle("Display (Certificate Revocation List)");
-  await execute_openssl(`crl  -in ${q3(n4(revocationList))} -text  -noout`, options);
+  await execute_openssl(`crl  -in ${q(n2(revocationList))} -text  -noout`, options);
 }
 var CertificateAuthority = class {
+  /** RSA key size used when generating the CA private key. */
   keySize;
+  /** Root filesystem path of the CA directory structure. */
   location;
+  /** X.500 subject of the CA certificate. */
   subject;
   constructor(options) {
     assert6(Object.prototype.hasOwnProperty.call(options, "location"));
@@ -890,33 +833,54 @@ var CertificateAuthority = class {
     this.keySize = options.keySize || 2048;
     this.subject = new Subject2(options.subject || defaultSubject);
   }
+  /** Absolute path to the CA root directory (alias for {@link location}). */
   get rootDir() {
     return this.location;
   }
+  /** Path to the OpenSSL configuration file (`conf/caconfig.cnf`). */
   get configFile() {
-    return path6.normalize(path6.join(this.rootDir, "./conf/caconfig.cnf"));
+    return path5.normalize(path5.join(this.rootDir, "./conf/caconfig.cnf"));
   }
+  /** Path to the CA certificate in PEM format (`public/cacert.pem`). */
   get caCertificate() {
     return makePath(this.rootDir, "./public/cacert.pem");
   }
   /**
-   * the file name where  the current Certificate Revocation List is stored (in DER format)
+   * Path to the current Certificate Revocation List in DER format.
+   * (`crl/revocation_list.der`)
    */
   get revocationListDER() {
     return makePath(this.rootDir, "./crl/revocation_list.der");
   }
   /**
-   * the file name where  the current Certificate Revocation List is stored (in PEM format)
+   * Path to the current Certificate Revocation List in PEM format.
+   * (`crl/revocation_list.crl`)
    */
   get revocationList() {
     return makePath(this.rootDir, "./crl/revocation_list.crl");
   }
+  /**
+   * Path to the concatenated CA certificate + CRL file.
+   * Used by OpenSSL for CRL-based verification.
+   */
   get caCertificateWithCrl() {
     return makePath(this.rootDir, "./public/cacertificate_with_crl.pem");
   }
+  /**
+   * Initialize the CA directory structure, generate the CA
+   * private key and self-signed certificate if they do not
+   * already exist.
+   */
   async initialize() {
     await construct_CertificateAuthority(this);
   }
+  /**
+   * Rebuild the combined CA certificate + CRL file.
+   *
+   * This concatenates the CA certificate with the current
+   * revocation list so that OpenSSL can verify certificates
+   * with CRL checking enabled.
+   */
   async constructCACertificateWithCRL() {
     const cacertWithCRL = this.caCertificateWithCrl;
     if (fs6.existsSync(this.revocationList)) {
@@ -928,6 +892,12 @@ var CertificateAuthority = class {
       await fs6.promises.writeFile(cacertWithCRL, fs6.readFileSync(this.caCertificate));
     }
   }
+  /**
+   * Append the CA certificate to a signed certificate file,
+   * creating a PEM certificate chain.
+   *
+   * @param certificate - path to the certificate file to extend
+   */
   async constructCertificateChain(certificate) {
     assert6(fs6.existsSync(certificate));
     assert6(fs6.existsSync(this.caCertificate));
@@ -938,6 +908,13 @@ var CertificateAuthority = class {
       //   + fs.readFileSync(this.revocationList)
     );
   }
+  /**
+   * Create a self-signed certificate using OpenSSL.
+   *
+   * @param certificateFile - output path for the signed certificate
+   * @param privateKey - path to the private key file
+   * @param params - certificate parameters (subject, validity, SANs)
+   */
   async createSelfSignedCertificate(certificateFile, privateKey, params) {
     assert6(typeof privateKey === "string");
     assert6(fs6.existsSync(privateKey));
@@ -959,28 +936,27 @@ var CertificateAuthority = class {
     const subjectOptions = subject && subject.length > 1 ? ` -subj ${subject} ` : "";
     displaySubtitle("- the certificate signing request");
     await execute_openssl(
-      "req  -new -sha256 -text " + configOption + subjectOptions + " -batch -key " + q3(n4(privateKey)) + " -out " + q3(n4(csrFile)),
+      "req  -new -sha256 -text " + configOption + subjectOptions + " -batch -key " + q(n2(privateKey)) + " -out " + q(n2(csrFile)),
       options
     );
     displaySubtitle("- creating the self-signed certificate");
     await execute_openssl(
-      "ca  -selfsign  -keyfile " + q3(n4(privateKey)) + " -startdate " + x509Date(params.startDate) + " -enddate " + x509Date(params.endDate) + " -batch -out " + q3(n4(certificateFile)) + " -in " + q3(n4(csrFile)),
+      "ca  -selfsign  -keyfile " + q(n2(privateKey)) + " -startdate " + x509Date(params.startDate) + " -enddate " + x509Date(params.endDate) + " -batch -out " + q(n2(certificateFile)) + " -in " + q(n2(csrFile)),
       options
     );
     displaySubtitle("- dump the certificate for a check");
-    await execute_openssl(`x509 -in ${q3(n4(certificateFile))}  -dates -fingerprint -purpose -noout`, {});
+    await execute_openssl(`x509 -in ${q(n2(certificateFile))}  -dates -fingerprint -purpose -noout`, {});
     displaySubtitle("- verify self-signed certificate");
-    await execute_openssl_no_failure(`verify -verbose -CAfile ${q3(n4(certificateFile))} ${q3(n4(certificateFile))}`, options);
+    await execute_openssl_no_failure(`verify -verbose -CAfile ${q(n2(certificateFile))} ${q(n2(certificateFile))}`, options);
     await fs6.promises.unlink(csrFile);
   }
   /**
-   * revoke a certificate and update the CRL
+   * Revoke a certificate and regenerate the CRL.
    *
-   * @method revokeCertificate
-   * @param certificate -  the certificate to revoke
-   * @param params
-   * @param [params.reason = "keyCompromise" {String}]
-   * @async
+   * @param certificate - path to the certificate file to revoke
+   * @param params - revocation parameters
+   * @param params.reason - CRL reason code
+   *   (default `"keyCompromise"`)
    */
   async revokeCertificate(certificate, params) {
     const crlReasons = [
@@ -999,33 +975,36 @@ var CertificateAuthority = class {
       openssl_conf: makePath(configFile)
     };
     setEnv("ALTNAME", "");
-    const randomFile = path6.join(this.rootDir, "random.rnd");
+    const randomFile = path5.join(this.rootDir, "random.rnd");
     setEnv("RANDFILE", randomFile);
-    const configOption = ` -config ${q3(n4(configFile))}`;
+    const configOption = ` -config ${q(n2(configFile))}`;
     const reason = params.reason || "keyCompromise";
     assert6(crlReasons.indexOf(reason) >= 0);
     displayTitle(`Revoking certificate  ${certificate}`);
     displaySubtitle("Revoke certificate");
-    await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q3(certificate)} -crl_reason ${reason}`, options);
+    await execute_openssl_no_failure(`ca -verbose ${configOption} -revoke ${q(certificate)} -crl_reason ${reason}`, options);
     await regenerateCrl(this.revocationList, configOption, options);
     displaySubtitle("Verify that certificate is revoked");
     await execute_openssl_no_failure(
-      "verify -verbose -CRLfile " + q3(n4(this.revocationList)) + " -CAfile " + q3(n4(this.caCertificate)) + " -crl_check " + q3(n4(certificate)),
+      "verify -verbose -CRLfile " + q(n2(this.revocationList)) + " -CAfile " + q(n2(this.caCertificate)) + " -crl_check " + q(n2(certificate)),
       options
     );
     displaySubtitle("Produce CRL in DER form ");
-    await execute_openssl(`crl  -in ${q3(n4(this.revocationList))} -out crl/revocation_list.der  -outform der`, options);
+    await execute_openssl(`crl  -in ${q(n2(this.revocationList))} -out crl/revocation_list.der  -outform der`, options);
     displaySubtitle("Produce CRL in PEM form ");
-    await execute_openssl(`crl  -in ${q3(n4(this.revocationList))} -out crl/revocation_list.pem  -outform pem -text `, options);
+    await execute_openssl(`crl  -in ${q(n2(this.revocationList))} -out crl/revocation_list.pem  -outform pem -text `, options);
   }
   /**
+   * Sign a Certificate Signing Request (CSR) with this CA.
+   *
+   * The signed certificate is written to `certificate`, and the
+   * CA certificate chain plus CRL are appended to form a
+   * complete certificate chain.
    *
-   * @param certificate            - the certificate filename to generate
-   * @param certificateSigningRequestFilename   - the certificate signing request
-   * @param params                 - parameters
-   * @param params.applicationUri  - the applicationUri
-   * @param params.startDate       - startDate of the certificate
-   * @param params.validity        - number of day of validity of the certificate
+   * @param certificate - output path for the signed certificate
+   * @param certificateSigningRequestFilename - path to the CSR
+   * @param params1 - signing parameters (validity, dates, SANs)
+   * @returns the path to the signed certificate
    */
   async signCertificateRequest(certificate, certificateSigningRequestFilename, params1) {
     await ensure_openssl_installed();
@@ -1043,12 +1022,12 @@ var CertificateAuthority = class {
     if (typeof applicationUri !== "string") {
       throw new Error("Cannot find applicationUri in CSR");
     }
-    const dns2 = csrInfo.extensionRequest.subjectAltName.dNSName || [];
+    const dns = csrInfo.extensionRequest.subjectAltName.dNSName || [];
     let ip = csrInfo.extensionRequest.subjectAltName.iPAddress || [];
     ip = ip.map(octetStringToIpAddress);
     const params = {
       applicationUri,
-      dns: dns2,
+      dns,
       ip
     };
     processAltNames(params);
@@ -1056,11 +1035,11 @@ var CertificateAuthority = class {
     displaySubtitle("- then we ask the authority to sign the certificate signing request");
     const configOption = ` -config ${configFile}`;
     await execute_openssl(
-      "ca " + configOption + " -startdate " + x509Date(params1.startDate) + " -enddate " + x509Date(params1.endDate) + " -batch -out " + q3(n4(certificate)) + " -in " + q3(n4(certificateSigningRequestFilename)),
+      "ca " + configOption + " -startdate " + x509Date(params1.startDate) + " -enddate " + x509Date(params1.endDate) + " -batch -out " + q(n2(certificate)) + " -in " + q(n2(certificateSigningRequestFilename)),
       options
     );
     displaySubtitle("- dump the certificate for a check");
-    await execute_openssl(`x509 -in ${q3(n4(certificate))}  -dates -fingerprint -purpose -noout`, options);
+    await execute_openssl(`x509 -in ${q(n2(certificate))}  -dates -fingerprint -purpose -noout`, options);
     displaySubtitle("- construct CA certificate with CRL");
     await this.constructCACertificateWithCRL();
     displaySubtitle("- construct certificate chain");
@@ -1069,6 +1048,11 @@ var CertificateAuthority = class {
     await this.verifyCertificate(certificate);
     return certificate;
   }
+  /**
+   * Verify a certificate against this CA.
+   *
+   * @param certificate - path to the certificate file to verify
+   */
   async verifyCertificate(certificate) {
     const isImplemented = false;
     if (isImplemented) {
@@ -1078,98 +1062,16 @@ var CertificateAuthority = class {
       const _configOption = ` -config ${configFile}`;
       _configOption;
       await execute_openssl_no_failure(
-        `verify -verbose  -CAfile ${q3(n4(this.caCertificateWithCrl))} ${q3(n4(certificate))}`,
+        `verify -verbose  -CAfile ${q(n2(this.caCertificateWithCrl))} ${q(n2(certificate))}`,
         options
       );
     }
   }
 };
 
-// packages/node-opcua-pki/lib/ca/crypto_create_CA.ts
-import assert11 from "assert";
-import fs10 from "fs";
-import { createRequire } from "module";
-import os4 from "os";
-import path8 from "path";
-import chalk7 from "chalk";
-import { CertificatePurpose as CertificatePurpose2, generatePrivateKeyFile as generatePrivateKeyFile3, Subject as Subject5 } from "node-opcua-crypto";
-
-// packages/node-opcua-pki/lib/misc/applicationurn.ts
-import assert7 from "assert";
-import { createHash } from "crypto";
-function makeApplicationUrn(hostname, suffix) {
-  let hostnameHash = hostname;
-  if (hostnameHash.length + 7 + suffix.length >= 64) {
-    hostnameHash = createHash("md5").update(hostname).digest("hex").substring(0, 16);
-  }
-  const applicationUrn = `urn:${hostnameHash}:${suffix}`;
-  assert7(applicationUrn.length <= 64);
-  return applicationUrn;
-}
-
-// packages/node-opcua-pki/lib/misc/hostname.ts
-import dns from "dns";
-import os3 from "os";
-import { promisify } from "util";
-function trim(str, length) {
-  if (!length) {
-    return str;
-  }
-  return str.substring(0, Math.min(str.length, length));
-}
-function fqdn(callback) {
-  const uqdn = os3.hostname();
-  dns.lookup(uqdn, { hints: dns.ADDRCONFIG }, (err1, ip) => {
-    if (err1) {
-      return callback(err1);
-    }
-    dns.lookupService(ip, 0, (err2, _fqdn) => {
-      if (err2) {
-        return callback(err2);
-      }
-      _fqdn = _fqdn.replace(".localdomain", "");
-      callback(null, _fqdn);
-    });
-  });
-}
-var _fullyQualifiedDomainNameInCache;
-async function extractFullyQualifiedDomainName() {
-  if (_fullyQualifiedDomainNameInCache) {
-    return _fullyQualifiedDomainNameInCache;
-  }
-  if (process.platform === "win32") {
-    const env = process.env;
-    _fullyQualifiedDomainNameInCache = env.COMPUTERNAME + (env.USERDNSDOMAIN && env.USERDNSDOMAIN?.length > 0 ? `.${env.USERDNSDOMAIN}` : "");
-  } else {
-    try {
-      _fullyQualifiedDomainNameInCache = await promisify(fqdn)();
-      if (_fullyQualifiedDomainNameInCache === "localhost") {
-        throw new Error("localhost not expected");
-      }
-      if (/sethostname/.test(_fullyQualifiedDomainNameInCache)) {
-        throw new Error("Detecting fqdn  on windows !!!");
-      }
-    } catch (_err) {
-      _fullyQualifiedDomainNameInCache = os3.hostname();
-    }
-  }
-  return _fullyQualifiedDomainNameInCache;
-}
-async function prepareFQDN() {
-  _fullyQualifiedDomainNameInCache = await extractFullyQualifiedDomainName();
-}
-function getFullyQualifiedDomainName(optional_max_length) {
-  if (!_fullyQualifiedDomainNameInCache) {
-    throw new Error("FullyQualifiedDomainName computation is not completed yet");
-  }
-  return _fullyQualifiedDomainNameInCache ? trim(_fullyQualifiedDomainNameInCache, optional_max_length) : "%FQDN%";
-}
-prepareFQDN();
-
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
-import assert10 from "assert";
 import fs9 from "fs";
-import path7 from "path";
+import path6 from "path";
 import { withLock } from "@ster5/global-mutex";
 import chalk6 from "chalk";
 import chokidar from "chokidar";
@@ -1188,18 +1090,18 @@ import {
 } from "node-opcua-crypto";
 
 // packages/node-opcua-pki/lib/toolbox/without_openssl/create_certificate_signing_request.ts
-import assert8 from "assert";
+import assert7 from "assert";
 import fs7 from "fs";
 import { createCertificateSigningRequest, pemToPrivateKey, Subject as Subject3 } from "node-opcua-crypto";
 async function createCertificateSigningRequestAsync(certificateSigningRequestFilename, params) {
-  assert8(params);
-  assert8(params.rootDir);
-  assert8(params.configFile);
-  assert8(params.privateKey);
-  assert8(typeof params.privateKey === "string");
-  assert8(fs7.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
-  assert8(fs7.existsSync(params.rootDir), "RootDir key must exist");
-  assert8(typeof certificateSigningRequestFilename === "string");
+  assert7(params);
+  assert7(params.rootDir);
+  assert7(params.configFile);
+  assert7(params.privateKey);
+  assert7(typeof params.privateKey === "string");
+  assert7(fs7.existsSync(params.privateKey), `Private key must exist${params.privateKey}`);
+  assert7(fs7.existsSync(params.rootDir), "RootDir key must exist");
+  assert7(typeof certificateSigningRequestFilename === "string");
   const subject = params.subject ? new Subject3(params.subject).toString() : void 0;
   displaySubtitle("- Creating a Certificate Signing Request with subtile");
   const privateKeyPem = await fs7.promises.readFile(params.privateKey, "utf-8");
@@ -1218,7 +1120,7 @@ async function createCertificateSigningRequestAsync(certificateSigningRequestFil
 }
 
 // packages/node-opcua-pki/lib/toolbox/without_openssl/create_self_signed_certificate.ts
-import assert9 from "assert";
+import assert8 from "assert";
 import fs8 from "fs";
 import {
   CertificatePurpose,
@@ -1228,17 +1130,17 @@ import {
 } from "node-opcua-crypto";
 async function createSelfSignedCertificateAsync(certificate, params) {
   params.purpose = params.purpose || CertificatePurpose.ForApplication;
-  assert9(params.purpose, "Please provide a Certificate Purpose");
-  assert9(fs8.existsSync(params.configFile));
-  assert9(fs8.existsSync(params.rootDir));
-  assert9(fs8.existsSync(params.privateKey));
+  assert8(params.purpose, "Please provide a Certificate Purpose");
+  assert8(fs8.existsSync(params.configFile));
+  assert8(fs8.existsSync(params.rootDir));
+  assert8(fs8.existsSync(params.privateKey));
   if (!params.subject) {
     throw Error("Missing subject");
   }
-  assert9(typeof params.applicationUri === "string");
-  assert9(Array.isArray(params.dns));
+  assert8(typeof params.applicationUri === "string");
+  assert8(Array.isArray(params.dns));
   adjustDate(params);
-  assert9(Object.prototype.hasOwnProperty.call(params, "validity"));
+  assert8(Object.prototype.hasOwnProperty.call(params, "validity"));
   let subject = new Subject4(params.subject);
   subject = subject.toString();
   const purpose = params.purpose;
@@ -1269,6 +1171,12 @@ var simple_config_template_cnf_default = config3;
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
 var configurationFileSimpleTemplate = simple_config_template_cnf_default;
 var fsWriteFile = fs9.promises.writeFile;
+function getOrComputeInfo(entry) {
+  if (!entry.info) {
+    entry.info = exploreCertificate(entry.certificate);
+  }
+  return entry.info;
+}
 var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   VerificationStatus2["BadCertificateInvalid"] = "BadCertificateInvalid";
   VerificationStatus2["BadSecurityChecksFailed"] = "BadSecurityChecksFailed";
@@ -1289,28 +1197,28 @@ var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   return VerificationStatus2;
 })(VerificationStatus || {});
 function makeFingerprint(certificate) {
-  return makeSHA1Thumbprint(certificate).toString("hex");
+  const chain = split_der(certificate);
+  return makeSHA1Thumbprint(chain[0]).toString("hex");
 }
 function short(stringToShorten) {
   return stringToShorten.substring(0, 10);
 }
 var forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
 function buildIdealCertificateName(certificate) {
-  const fingerprint2 = makeFingerprint(certificate);
+  const fingerprint = makeFingerprint(certificate);
   try {
     const commonName = exploreCertificate(certificate).tbsCertificate.subject.commonName || "";
     const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
-    return `${sanitizedCommonName}[${fingerprint2}]`;
+    return `${sanitizedCommonName}[${fingerprint}]`;
   } catch (_err) {
-    return `invalid_certificate_[${fingerprint2}]`;
+    return `invalid_certificate_[${fingerprint}]`;
   }
 }
 function findMatchingIssuerKey(entries, wantedIssuerKey) {
-  const selected = entries.filter(({ certificate }) => {
-    const info = exploreCertificate(certificate);
+  return entries.filter((entry) => {
+    const info = getOrComputeInfo(entry);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
-  return selected;
 }
 function isSelfSigned2(info) {
   return info.tbsCertificate.extensions?.subjectKeyIdentifier === info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
@@ -1353,104 +1261,184 @@ var CertificateManagerState = /* @__PURE__ */ ((CertificateManagerState2) => {
   CertificateManagerState2[CertificateManagerState2["Disposed"] = 4] = "Disposed";
   return CertificateManagerState2;
 })(CertificateManagerState || {});
-var CertificateManager = class {
+var CertificateManager = class _CertificateManager {
+  // ── Global instance registry ─────────────────────────────────
+  // Tracks all initialized CertificateManager instances so their
+  // file watchers can be closed automatically on process exit,
+  // even if the consumer forgets to call dispose().
+  static #activeInstances = /* @__PURE__ */ new Set();
+  static #cleanupInstalled = false;
+  static #installProcessCleanup() {
+    if (_CertificateManager.#cleanupInstalled) return;
+    _CertificateManager.#cleanupInstalled = true;
+    const closeDanglingWatchers = () => {
+      for (const cm of _CertificateManager.#activeInstances) {
+        for (const w of cm.#watchers) {
+          try {
+            w.close();
+          } catch {
+          }
+        }
+        cm.#watchers.splice(0);
+        cm.state = 4 /* Disposed */;
+      }
+      _CertificateManager.#activeInstances.clear();
+    };
+    process.on("beforeExit", closeDanglingWatchers);
+    for (const signal of ["SIGINT", "SIGTERM"]) {
+      process.once(signal, () => {
+        closeDanglingWatchers();
+        process.exit();
+      });
+    }
+  }
+  /**
+   * Dispose **all** active CertificateManager instances,
+   * closing their file watchers and freeing resources.
+   *
+   * This is mainly useful in test tear-down to ensure the
+   * Node.js process can exit cleanly.
+   */
+  static async disposeAll() {
+    const instances = [..._CertificateManager.#activeInstances];
+    await Promise.all(instances.map((cm) => cm.dispose()));
+  }
+  /**
+   * Assert that all CertificateManager instances have been
+   * properly disposed. Throws an Error listing the locations
+   * of any leaked instances.
+   *
+   * Intended for use in test `afterAll()` / `afterEach()`
+   * hooks to catch missing `dispose()` calls early.
+   *
+   * @example
+   * ```ts
+   * after(() => {
+   *     CertificateManager.checkAllDisposed();
+   * });
+   * ```
+   */
+  static checkAllDisposed() {
+    if (_CertificateManager.#activeInstances.size === 0) return;
+    const locations = [..._CertificateManager.#activeInstances].map((cm) => cm.rootDir);
+    throw new Error(
+      `${_CertificateManager.#activeInstances.size} CertificateManager instance(s) not disposed:
+  - ${locations.join("\n  - ")}`
+    );
+  }
+  // ─────────────────────────────────────────────────────────────
+  /**
+   * When `true` (the default), any certificate that is not
+   * already in the trusted or rejected store is automatically
+   * written to the rejected folder the first time it is seen.
+   */
   untrustUnknownCertificate = true;
+  /** Current lifecycle state of this instance. */
   state = 0 /* Uninitialized */;
+  /** @deprecated Use {@link folderPollingInterval} instead (typo fix). */
   folderPoolingInterval = 5e3;
+  /** Interval in milliseconds for file-system polling (when enabled). */
+  get folderPollingInterval() {
+    return this.folderPoolingInterval;
+  }
+  set folderPollingInterval(value) {
+    this.folderPoolingInterval = value;
+  }
+  /** RSA key size used when generating the private key. */
   keySize;
-  location;
-  _watchers = [];
-  _readCertificatesCalled = false;
-  _filenameToHash = {};
-  _thumbs = {
-    rejected: {},
-    trusted: {},
+  #location;
+  #watchers = [];
+  #readCertificatesCalled = false;
+  #filenameToHash = /* @__PURE__ */ new Map();
+  #initializingPromise;
+  #thumbs = {
+    rejected: /* @__PURE__ */ new Map(),
+    trusted: /* @__PURE__ */ new Map(),
     issuers: {
-      certs: {}
+      certs: /* @__PURE__ */ new Map()
     },
-    crl: {},
-    issuersCrl: {}
+    crl: /* @__PURE__ */ new Map(),
+    issuersCrl: /* @__PURE__ */ new Map()
   };
+  /**
+   * Create a new CertificateManager.
+   *
+   * The constructor creates the root directory if it does not
+   * exist but does **not** initialise the PKI store — call
+   * {@link initialize} before using any other method.
+   *
+   * @param options - configuration options
+   */
   constructor(options) {
     options.keySize = options.keySize || 2048;
-    assert10(Object.prototype.hasOwnProperty.call(options, "location"));
-    assert10(Object.prototype.hasOwnProperty.call(options, "keySize"));
-    assert10(this.state === 0 /* Uninitialized */);
-    this.location = makePath(options.location, "");
+    if (!options.location) {
+      throw new Error("CertificateManager: missing 'location' option");
+    }
+    this.#location = makePath(options.location, "");
     this.keySize = options.keySize;
     mkdirRecursiveSync(options.location);
-    if (!fs9.existsSync(this.location)) {
-      throw new Error(`CertificateManager cannot access location ${this.location}`);
+    if (!fs9.existsSync(this.#location)) {
+      throw new Error(`CertificateManager cannot access location ${this.#location}`);
     }
   }
+  /** Path to the OpenSSL configuration file. */
   get configFile() {
-    return path7.join(this.rootDir, "own/openssl.cnf");
+    return path6.join(this.rootDir, "own/openssl.cnf");
   }
+  /** Root directory of the PKI store. */
   get rootDir() {
-    return this.location;
+    return this.#location;
   }
+  /** Path to the private key file (`own/private/private_key.pem`). */
   get privateKey() {
-    return path7.join(this.rootDir, "own/private/private_key.pem");
+    return path6.join(this.rootDir, "own/private/private_key.pem");
   }
+  /** Path to the OpenSSL random seed file. */
   get randomFile() {
-    return path7.join(this.rootDir, "./random.rnd");
-  }
-  /**
-   * returns the certificate status trusted/rejected
-   * @param certificate
-   */
-  async getCertificateStatus(certificate) {
-    await this.initialize();
-    let status = await this._checkRejectedOrTrusted(certificate);
-    if (status === "unknown") {
-      assert10(certificate instanceof Buffer);
-      const pem = toPem(certificate, "CERTIFICATE");
-      const fingerprint2 = makeFingerprint(certificate);
-      const filename = path7.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
-      await fs9.promises.writeFile(filename, pem);
-      this._thumbs.rejected[fingerprint2] = {
-        certificate,
-        filename
-      };
-      status = "rejected";
-    }
-    return status;
+    return path6.join(this.rootDir, "./random.rnd");
   }
   /**
    * Move a certificate to the rejected store.
-   * If the certificate was previously trusted, it will be moved.
+   * If the certificate was previously trusted, it will be removed from the trusted folder.
    * @param certificate - the DER-encoded certificate
    */
   async rejectCertificate(certificate) {
-    await this._moveCertificate(certificate, "rejected");
+    await this.#moveCertificate(certificate, "rejected");
   }
   /**
    * Move a certificate to the trusted store.
-   * If the certificate was previously rejected, it will be moved.
+   * If the certificate was previously rejected, it will be removed from the rejected folder.
    * @param certificate - the DER-encoded certificate
    */
   async trustCertificate(certificate) {
-    await this._moveCertificate(certificate, "trusted");
+    await this.#moveCertificate(certificate, "trusted");
   }
   /** Path to the rejected certificates folder. */
   get rejectedFolder() {
-    return path7.join(this.rootDir, "rejected");
+    return path6.join(this.rootDir, "rejected");
   }
   /** Path to the trusted certificates folder. */
   get trustedFolder() {
-    return path7.join(this.rootDir, "trusted/certs");
+    return path6.join(this.rootDir, "trusted/certs");
   }
   /** Path to the trusted CRL folder. */
   get crlFolder() {
-    return path7.join(this.rootDir, "trusted/crl");
+    return path6.join(this.rootDir, "trusted/crl");
   }
   /** Path to the issuer (CA) certificates folder. */
   get issuersCertFolder() {
-    return path7.join(this.rootDir, "issuers/certs");
+    return path6.join(this.rootDir, "issuers/certs");
   }
   /** Path to the issuer CRL folder. */
   get issuersCrlFolder() {
-    return path7.join(this.rootDir, "issuers/crl");
+    return path6.join(this.rootDir, "issuers/crl");
+  }
+  /** Path to the own certificate folder. */
+  get ownCertFolder() {
+    return path6.join(this.rootDir, "own/certs");
+  }
+  get ownPrivateFolder() {
+    return path6.join(this.rootDir, "own/private");
   }
   /**
    * Check if a certificate is in the trusted store.
@@ -1461,33 +1449,27 @@ var CertificateManager = class {
    *   or `"BadCertificateInvalid"` if the certificate cannot be parsed.
    */
   async isCertificateTrusted(certificate) {
-    const fingerprint2 = makeFingerprint(certificate);
-    const certificateInTrust = this._thumbs.trusted[fingerprint2]?.certificate;
-    if (certificateInTrust) {
+    const fingerprint = makeFingerprint(certificate);
+    if (this.#thumbs.trusted.has(fingerprint)) {
       return "Good";
-    } else {
-      const certificateInRejected = this._thumbs.rejected[fingerprint2];
-      if (!certificateInRejected) {
-        const certificateFilenameInRejected = path7.join(
-          this.rejectedFolder,
-          `${buildIdealCertificateName(certificate)}.pem`
-        );
-        if (!this.untrustUnknownCertificate) {
-          return "Good";
-        }
-        try {
-          const _certificateInfo = exploreCertificateInfo(certificate);
-          _certificateInfo;
-        } catch (_err) {
-          return "BadCertificateInvalid";
-        }
-        debugLog("certificate has never been seen before and is now rejected (untrusted) ", certificateFilenameInRejected);
-        await fsWriteFile(certificateFilenameInRejected, toPem(certificate, "CERTIFICATE"));
+    }
+    if (!this.#thumbs.rejected.has(fingerprint)) {
+      if (!this.untrustUnknownCertificate) {
+        return "Good";
+      }
+      try {
+        exploreCertificateInfo(certificate);
+      } catch (_err) {
+        return "BadCertificateInvalid";
       }
-      return "BadCertificateUntrusted";
+      const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
+      debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
+      await fsWriteFile(filename, toPem(certificate, "CERTIFICATE"));
+      this.#thumbs.rejected.set(fingerprint, { certificate, filename });
     }
+    return "BadCertificateUntrusted";
   }
-  async _innerVerifyCertificateAsync(certificate, _isIssuer, level, options) {
+  async #innerVerifyCertificateAsync(certificate, _isIssuer, level, options) {
     if (level >= 5) {
       return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
     }
@@ -1522,7 +1504,7 @@ var CertificateManager = class {
         } else {
           debugLog(" the issuer certificate has been found in the issuer.cert folder !");
         }
-        const issuerStatus = await this._innerVerifyCertificateAsync(issuerCertificate, true, level + 1, options);
+        const issuerStatus = await this.#innerVerifyCertificateAsync(issuerCertificate, true, level + 1, options);
         if (issuerStatus === "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */) {
           return "BadCertificateIssuerRevocationUnknown" /* BadCertificateIssuerRevocationUnknown */;
         }
@@ -1556,7 +1538,7 @@ var CertificateManager = class {
           debugLog("revokedStatus", revokedStatus);
           return revokedStatus;
         }
-        const issuerTrustedStatus = await this._checkRejectedOrTrusted(issuerCertificate);
+        const issuerTrustedStatus = await this.#checkRejectedOrTrusted(issuerCertificate);
         debugLog("issuerTrustedStatus", issuerTrustedStatus);
         if (issuerTrustedStatus === "unknown") {
           hasTrustedIssuer = false;
@@ -1575,12 +1557,14 @@ var CertificateManager = class {
         debugLog("revokedStatus of self signed certificate:", revokedStatus);
       }
     }
-    const status = await this._checkRejectedOrTrusted(certificate);
+    const status = await this.#checkRejectedOrTrusted(certificate);
     if (status === "rejected") {
-      return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
+      if (!(options.acceptCertificateWithValidIssuerChain && hasValidIssuer && hasTrustedIssuer)) {
+        return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
+      }
     }
     const _c2 = chain[1] ? exploreCertificateInfo(chain[1]) : "non";
-    _c2;
+    debugLog("chain[1] info=", _c2);
     const certificateInfo = exploreCertificateInfo(certificate);
     const now = /* @__PURE__ */ new Date();
     let isTimeInvalid = false;
@@ -1603,7 +1587,6 @@ var CertificateManager = class {
     if (status === "trusted") {
       return isTimeInvalid ? "BadCertificateTimeInvalid" /* BadCertificateTimeInvalid */ : "Good" /* Good */;
     }
-    assert10(status === "unknown");
     if (hasIssuerKey) {
       if (!hasTrustedIssuer) {
         return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
@@ -1611,78 +1594,103 @@ var CertificateManager = class {
       if (!hasValidIssuer) {
         return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
       }
+      if (!options.acceptCertificateWithValidIssuerChain) {
+        return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
+      }
       return isTimeInvalid ? "BadCertificateTimeInvalid" /* BadCertificateTimeInvalid */ : "Good" /* Good */;
     } else {
       return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
     }
   }
+  /**
+   * Internal verification hook called by {@link verifyCertificate}.
+   *
+   * Subclasses can override this to inject additional validation
+   * logic (e.g. application-level policy checks) while still
+   * delegating to the default chain/CRL/trust verification.
+   *
+   * @param certificate - the DER-encoded certificate to verify
+   * @param options - verification options forwarded from the
+   *   public API
+   * @returns the verification status code
+   */
   async verifyCertificateAsync(certificate, options) {
-    const status1 = await this._innerVerifyCertificateAsync(certificate, false, 0, options);
+    const status1 = await this.#innerVerifyCertificateAsync(certificate, false, 0, options);
     return status1;
   }
   /**
-   * Verify certificate validity
-   * @method verifyCertificate
-   * @param certificate
+   * Verify a certificate against the PKI trust store.
+   *
+   * This performs a full validation including trust status,
+   * issuer chain, CRL revocation checks, and time validity.
+   *
+   * @param certificate - the DER-encoded certificate to verify
+   * @param options - optional flags to relax validation rules
+   * @returns the verification status code
    */
   async verifyCertificate(certificate, options) {
     if (!certificate) {
       return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
     }
-    return await this.verifyCertificateAsync(certificate, options || {});
+    try {
+      const status = await this.verifyCertificateAsync(certificate, options || {});
+      return status;
+    } catch (error) {
+      warningLog(`verifyCertificate error: ${error.message}`);
+      return "BadCertificateInvalid" /* BadCertificateInvalid */;
+    }
   }
-  /*
-   *
-   *  PKI
-   *    +---> trusted
-   *    +---> rejected
-   *    +---> own
-   *           +---> cert
-   *           +---> own
+  /**
+   * Initialize the PKI directory structure, generate the
+   * private key (if missing), and start file-system watchers.
    *
+   * This method is idempotent — subsequent calls are no-ops.
+   * It must be called before any certificate operations.
    */
   async initialize() {
     if (this.state !== 0 /* Uninitialized */) {
       return;
     }
     this.state = 1 /* Initializing */;
-    await this._initialize();
+    this.#initializingPromise = this.#initialize();
+    await this.#initializingPromise;
+    this.#initializingPromise = void 0;
     this.state = 2 /* Initialized */;
+    _CertificateManager.#activeInstances.add(this);
+    _CertificateManager.#installProcessCleanup();
   }
-  async _initialize() {
+  async #initialize() {
     this.state = 1 /* Initializing */;
-    const pkiDir = this.location;
+    const pkiDir = this.#location;
     mkdirRecursiveSync(pkiDir);
-    mkdirRecursiveSync(path7.join(pkiDir, "own"));
-    mkdirRecursiveSync(path7.join(pkiDir, "own/certs"));
-    mkdirRecursiveSync(path7.join(pkiDir, "own/private"));
-    mkdirRecursiveSync(path7.join(pkiDir, "rejected"));
-    mkdirRecursiveSync(path7.join(pkiDir, "trusted"));
-    mkdirRecursiveSync(path7.join(pkiDir, "trusted/certs"));
-    mkdirRecursiveSync(path7.join(pkiDir, "trusted/crl"));
-    mkdirRecursiveSync(path7.join(pkiDir, "issuers"));
-    mkdirRecursiveSync(path7.join(pkiDir, "issuers/certs"));
-    mkdirRecursiveSync(path7.join(pkiDir, "issuers/crl"));
+    mkdirRecursiveSync(path6.join(pkiDir, "own"));
+    mkdirRecursiveSync(path6.join(pkiDir, "own/certs"));
+    mkdirRecursiveSync(path6.join(pkiDir, "own/private"));
+    mkdirRecursiveSync(path6.join(pkiDir, "rejected"));
+    mkdirRecursiveSync(path6.join(pkiDir, "trusted"));
+    mkdirRecursiveSync(path6.join(pkiDir, "trusted/certs"));
+    mkdirRecursiveSync(path6.join(pkiDir, "trusted/crl"));
+    mkdirRecursiveSync(path6.join(pkiDir, "issuers"));
+    mkdirRecursiveSync(path6.join(pkiDir, "issuers/certs"));
+    mkdirRecursiveSync(path6.join(pkiDir, "issuers/crl"));
     if (!fs9.existsSync(this.configFile) || !fs9.existsSync(this.privateKey)) {
       return await this.withLock2(async () => {
-        assert10(this.state !== 3 /* Disposing */);
-        if (this.state === 4 /* Disposed */) {
+        if (this.state === 3 /* Disposing */ || this.state === 4 /* Disposed */) {
           return;
         }
-        assert10(this.state === 1 /* Initializing */);
         if (!fs9.existsSync(this.configFile)) {
           fs9.writeFileSync(this.configFile, configurationFileSimpleTemplate);
         }
         if (!fs9.existsSync(this.privateKey)) {
           debugLog("generating private key ...");
           await generatePrivateKeyFile2(this.privateKey, this.keySize);
-          await this._readCertificates();
+          await this.#readCertificates();
         } else {
-          await this._readCertificates();
+          await this.#readCertificates();
         }
       });
     } else {
-      await this._readCertificates();
+      await this.#readCertificates();
     }
   }
   /**
@@ -1699,37 +1707,69 @@ var CertificateManager = class {
       return;
     }
     if (this.state === 1 /* Initializing */) {
-      await new Promise((resolve) => setTimeout(resolve, 100));
-      return await this.dispose();
+      if (this.#initializingPromise) {
+        await this.#initializingPromise;
+      }
     }
     try {
       this.state = 3 /* Disposing */;
-      await Promise.all(this._watchers.map((w) => w.close()));
-      this._watchers.forEach((w) => {
+      await Promise.all(this.#watchers.map((w) => w.close()));
+      this.#watchers.forEach((w) => {
         w.removeAllListeners();
       });
-      this._watchers.splice(0);
+      this.#watchers.splice(0);
     } finally {
       this.state = 4 /* Disposed */;
+      _CertificateManager.#activeInstances.delete(this);
     }
   }
+  /**
+   * Force a full re-scan of all PKI folders, rebuilding
+   * the in-memory `_thumbs` index from scratch.
+   *
+   * Call this after external processes have modified the
+   * PKI folders (e.g. via `writeTrustList` or CLI tools)
+   * to ensure the CertificateManager sees the latest
+   * state without waiting for file-system events.
+   */
+  async reloadCertificates() {
+    await Promise.all(this.#watchers.map((w) => w.close()));
+    for (const w of this.#watchers) {
+      w.removeAllListeners();
+    }
+    this.#watchers.splice(0);
+    this.#thumbs.rejected.clear();
+    this.#thumbs.trusted.clear();
+    this.#thumbs.issuers.certs.clear();
+    this.#thumbs.crl.clear();
+    this.#thumbs.issuersCrl.clear();
+    this.#filenameToHash.clear();
+    this.#readCertificatesCalled = false;
+    await this.#readCertificates();
+  }
   async withLock2(action) {
-    const lockFileName = path7.join(this.rootDir, "mutex.lock");
+    const lockFileName = path6.join(this.rootDir, "mutex.lock");
     return withLock({ fileToLock: lockFileName }, async () => {
       return await action();
     });
   }
   /**
+   * Create a self-signed certificate for this PKI's private key.
    *
-   * create a self-signed certificate for the CertificateManager private key
+   * The certificate is written to `params.outputFile` or
+   * `own/certs/self_signed_certificate.pem` by default.
    *
+   * @param params - certificate parameters (subject, SANs,
+   *   validity, etc.)
    */
   async createSelfSignedCertificate(params) {
-    assert10(typeof params.applicationUri === "string", "expecting applicationUri");
+    if (typeof params.applicationUri !== "string") {
+      throw new Error("createSelfSignedCertificate: expecting applicationUri to be a string");
+    }
     if (!fs9.existsSync(this.privateKey)) {
       throw new Error(`Cannot find private key ${this.privateKey}`);
     }
-    let certificateFilename = path7.join(this.rootDir, "own/certs/self_signed_certificate.pem");
+    let certificateFilename = path6.join(this.rootDir, "own/certs/self_signed_certificate.pem");
     certificateFilename = params.outputFile || certificateFilename;
     const _params = params;
     _params.rootDir = this.rootDir;
@@ -1740,22 +1780,31 @@ var CertificateManager = class {
       await createSelfSignedCertificate(certificateFilename, _params);
     });
   }
+  /**
+   * Create a Certificate Signing Request (CSR) using this
+   * PKI's private key and configuration.
+   *
+   * The CSR file is written to `own/certs/` with a timestamped
+   * filename.
+   *
+   * @param params - CSR parameters (subject, SANs)
+   * @returns the filesystem path to the generated CSR file
+   */
   async createCertificateRequest(params) {
-    assert10(params);
+    if (!params) {
+      throw new Error("params is required");
+    }
     const _params = params;
     if (Object.prototype.hasOwnProperty.call(_params, "rootDir")) {
       throw new Error("rootDir should not be specified ");
     }
-    assert10(!_params.rootDir);
-    assert10(!_params.configFile);
-    assert10(!_params.privateKey);
-    _params.rootDir = path7.resolve(this.rootDir);
-    _params.configFile = path7.resolve(this.configFile);
-    _params.privateKey = path7.resolve(this.privateKey);
+    _params.rootDir = path6.resolve(this.rootDir);
+    _params.configFile = path6.resolve(this.configFile);
+    _params.privateKey = path6.resolve(this.privateKey);
     return await this.withLock2(async () => {
       const now = /* @__PURE__ */ new Date();
-      const today2 = `${now.toISOString().slice(0, 10)}_${now.getTime()}`;
-      const certificateSigningRequestFilename = path7.join(this.rootDir, "own/certs", `certificate_${today2}.csr`);
+      const today = `${now.toISOString().slice(0, 10)}_${now.getTime()}`;
+      const certificateSigningRequestFilename = path6.join(this.rootDir, "own/certs", `certificate_${today}.csr`);
       await createCertificateSigningRequestAsync(certificateSigningRequestFilename, _params);
       return certificateSigningRequestFilename;
     });
@@ -1776,13 +1825,13 @@ var CertificateManager = class {
       }
     }
     const pemCertificate = toPem(certificate, "CERTIFICATE");
-    const fingerprint2 = makeFingerprint(certificate);
-    if (this._thumbs.issuers.certs[fingerprint2]) {
+    const fingerprint = makeFingerprint(certificate);
+    if (this.#thumbs.issuers.certs.has(fingerprint)) {
       return "Good" /* Good */;
     }
-    const filename = path7.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);
+    const filename = path6.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);
     await fs9.promises.writeFile(filename, pemCertificate, "ascii");
-    this._thumbs.issuers.certs[fingerprint2] = { certificate, filename };
+    this.#thumbs.issuers.certs.set(fingerprint, { certificate, filename });
     if (addInTrustList) {
       await this.trustCertificate(certificate);
     }
@@ -1796,18 +1845,18 @@ var CertificateManager = class {
   async addRevocationList(crl, target = "issuers") {
     return await this.withLock2(async () => {
       try {
-        const index = target === "trusted" ? this._thumbs.crl : this._thumbs.issuersCrl;
+        const index = target === "trusted" ? this.#thumbs.crl : this.#thumbs.issuersCrl;
         const folder = target === "trusted" ? this.crlFolder : this.issuersCrlFolder;
         const crlInfo = exploreCertificateRevocationList(crl);
         const key = crlInfo.tbsCertList.issuerFingerprint;
-        if (!index[key]) {
-          index[key] = { crls: [], serialNumbers: {} };
+        if (!index.has(key)) {
+          index.set(key, { crls: [], serialNumbers: {} });
         }
         const pemCertificate = toPem(crl, "X509 CRL");
-        const filename = path7.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);
+        const filename = path6.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);
         await fs9.promises.writeFile(filename, pemCertificate, "ascii");
-        await this._on_crl_file_added(index, filename);
-        await this.waitAndCheckCRLProcessingStatus();
+        await this.#onCrlFileAdded(index, filename);
+        await this.#waitAndCheckCRLProcessingStatus();
         return "Good" /* Good */;
       } catch (err) {
         debugLog(err);
@@ -1826,9 +1875,9 @@ var CertificateManager = class {
       try {
         const files = await fs9.promises.readdir(folder);
         for (const file of files) {
-          const ext = path7.extname(file).toLowerCase();
+          const ext = path6.extname(file).toLowerCase();
           if (ext === ".crl" || ext === ".pem" || ext === ".der") {
-            await fs9.promises.unlink(path7.join(folder, file));
+            await fs9.promises.unlink(path6.join(folder, file));
           }
         }
       } catch (err) {
@@ -1836,15 +1885,13 @@ var CertificateManager = class {
           throw err;
         }
       }
-      for (const key of Object.keys(index)) {
-        delete index[key];
-      }
+      index.clear();
     };
     if (target === "issuers" || target === "all") {
-      await clearFolder(this.issuersCrlFolder, this._thumbs.issuersCrl);
+      await clearFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl);
     }
     if (target === "trusted" || target === "all") {
-      await clearFolder(this.crlFolder, this._thumbs.crl);
+      await clearFolder(this.crlFolder, this.#thumbs.crl);
     }
   }
   /**
@@ -1853,9 +1900,9 @@ var CertificateManager = class {
    * @param thumbprint - hex-encoded SHA-1 thumbprint (lowercase)
    */
   async hasIssuer(thumbprint) {
-    await this._readCertificates();
+    await this.#readCertificates();
     const normalized = thumbprint.toLowerCase();
-    return Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, normalized);
+    return this.#thumbs.issuers.certs.has(normalized);
   }
   /**
    * Remove a trusted certificate identified by its SHA-1 thumbprint.
@@ -1865,9 +1912,9 @@ var CertificateManager = class {
    * @returns the removed certificate buffer, or `null` if not found
    */
   async removeTrustedCertificate(thumbprint) {
-    await this._readCertificates();
+    await this.#readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.trusted[normalized];
+    const entry = this.#thumbs.trusted.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1878,7 +1925,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.trusted[normalized];
+    this.#thumbs.trusted.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1889,9 +1936,9 @@ var CertificateManager = class {
    * @returns the removed certificate buffer, or `null` if not found
    */
   async removeIssuer(thumbprint) {
-    await this._readCertificates();
+    await this.#readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.issuers.certs[normalized];
+    const entry = this.#thumbs.issuers.certs.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1902,7 +1949,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.issuers.certs[normalized];
+    this.#thumbs.issuers.certs.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1915,7 +1962,7 @@ var CertificateManager = class {
     const issuerInfo = exploreCertificate(issuerCertificate);
     const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;
     const processIndex = async (index) => {
-      const crlData = index[issuerFingerprint];
+      const crlData = index.get(issuerFingerprint);
       if (!crlData) return;
       for (const crlEntry of crlData.crls) {
         try {
@@ -1926,13 +1973,13 @@ var CertificateManager = class {
           }
         }
       }
-      delete index[issuerFingerprint];
+      index.delete(issuerFingerprint);
     };
     if (target === "issuers" || target === "all") {
-      await processIndex(this._thumbs.issuersCrl);
+      await processIndex(this.#thumbs.issuersCrl);
     }
     if (target === "trusted" || target === "all") {
-      await processIndex(this._thumbs.crl);
+      await processIndex(this.#thumbs.crl);
     }
   }
   /**
@@ -1964,9 +2011,23 @@ var CertificateManager = class {
       return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
     if (certificates.length > 1) {
+      const issuerFolder = this.issuersCertFolder;
+      const issuerThumbprints = /* @__PURE__ */ new Set();
+      const files = await fs9.promises.readdir(issuerFolder);
+      for (const file of files) {
+        const ext = path6.extname(file).toLowerCase();
+        if (ext === ".pem" || ext === ".der") {
+          try {
+            const issuerCert = readCertificate(path6.join(issuerFolder, file));
+            const fp = makeFingerprint(issuerCert);
+            issuerThumbprints.add(fp);
+          } catch (_err) {
+          }
+        }
+      }
       for (const issuerCert of certificates.slice(1)) {
         const thumbprint = makeFingerprint(issuerCert);
-        if (!Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, thumbprint)) {
+        if (!issuerThumbprints.has(thumbprint)) {
           return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
         }
       }
@@ -1987,8 +2048,8 @@ var CertificateManager = class {
    *   signed by this issuer.
    */
   async isIssuerInUseByTrustedCertificate(issuerCertificate) {
-    await this._readCertificates();
-    for (const entry of Object.values(this._thumbs.trusted)) {
+    await this.#readCertificates();
+    for (const entry of this.#thumbs.trusted.values()) {
       if (!entry.certificate) continue;
       try {
         if (verifyCertificateSignature(entry.certificate, issuerCertificate)) {
@@ -2023,7 +2084,7 @@ var CertificateManager = class {
       debugLog("Certificate has no extension 3");
       return null;
     }
-    const issuerCertificates = Object.values(this._thumbs.issuers.certs);
+    const issuerCertificates = [...this.#thumbs.issuers.certs.values()];
     const selectedIssuerCertificates = findMatchingIssuerKey(issuerCertificates, wantedIssuerKey);
     if (selectedIssuerCertificates.length > 0) {
       if (selectedIssuerCertificates.length > 1) {
@@ -2031,7 +2092,7 @@ var CertificateManager = class {
       }
       return selectedIssuerCertificates[0].certificate || null;
     }
-    const trustedCertificates = Object.values(this._thumbs.trusted);
+    const trustedCertificates = [...this.#thumbs.trusted.values()];
     const selectedTrustedCertificates = findMatchingIssuerKey(trustedCertificates, wantedIssuerKey);
     if (selectedTrustedCertificates.length > 1) {
       warningLog(
@@ -2043,53 +2104,78 @@ var CertificateManager = class {
     return selectedTrustedCertificates.length > 0 ? selectedTrustedCertificates[0].certificate : null;
   }
   /**
+   *
+   * check if the certificate explicitly appear in the trust list, the reject list or none.
+   * In case of being in the reject and trusted list at the same time is consider: rejected.
    * @internal
    * @private
    */
-  async _checkRejectedOrTrusted(certificate) {
-    assert10(certificate instanceof Buffer);
-    const fingerprint2 = makeFingerprint(certificate);
-    debugLog("_checkRejectedOrTrusted fingerprint ", short(fingerprint2));
-    await this._readCertificates();
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.rejected, fingerprint2)) {
+  async #checkRejectedOrTrusted(certificate) {
+    const fingerprint = makeFingerprint(certificate);
+    debugLog("#checkRejectedOrTrusted fingerprint ", short(fingerprint));
+    await this.#readCertificates();
+    if (this.#thumbs.rejected.has(fingerprint)) {
       return "rejected";
     }
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.trusted, fingerprint2)) {
+    if (this.#thumbs.trusted.has(fingerprint)) {
       return "trusted";
     }
     return "unknown";
   }
-  async _moveCertificate(certificate, newStatus) {
-    assert10(certificate instanceof Buffer);
-    const fingerprint2 = makeFingerprint(certificate);
-    const status = await this.getCertificateStatus(certificate);
-    debugLog("_moveCertificate", fingerprint2.substring(0, 10), "from", status, "to", newStatus);
-    assert10(status === "rejected" || status === "trusted");
-    if (status !== newStatus) {
-      const indexSrc = status === "rejected" ? this._thumbs.rejected : this._thumbs.trusted;
-      const certificateSrc = indexSrc[fingerprint2]?.filename;
-      if (!certificateSrc) {
-        debugLog(" cannot find certificate ", fingerprint2.substring(0, 10), " in", this._thumbs, [status]);
-        throw new Error("internal");
+  async #moveCertificate(certificate, newStatus) {
+    await this.withLock2(async () => {
+      const fingerprint = makeFingerprint(certificate);
+      let status = await this.#checkRejectedOrTrusted(certificate);
+      if (status === "unknown") {
+        const pem = toPem(certificate, "CERTIFICATE");
+        const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
+        await fs9.promises.writeFile(filename, pem);
+        this.#thumbs.rejected.set(fingerprint, { certificate, filename });
+        status = "rejected";
       }
-      const destFolder = newStatus === "rejected" ? this.rejectedFolder : newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
-      const certificateDest = path7.join(destFolder, path7.basename(certificateSrc));
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "old name", certificateSrc);
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "new name", certificateDest);
-      await fs9.promises.rename(certificateSrc, certificateDest);
-      delete indexSrc[fingerprint2];
-      const indexDest = newStatus === "rejected" ? this._thumbs.rejected : newStatus === "trusted" ? this._thumbs.trusted : this._thumbs.rejected;
-      indexDest[fingerprint2] = {
-        certificate,
-        filename: certificateDest
-      };
-    }
+      debugLog("#moveCertificate", fingerprint.substring(0, 10), "from", status, "to", newStatus);
+      if (status !== "rejected" && status !== "trusted") {
+        throw new Error(`#moveCertificate: unexpected status '${status}' for certificate ${fingerprint.substring(0, 10)}`);
+      }
+      if (status !== newStatus) {
+        const indexSrc = status === "rejected" ? this.#thumbs.rejected : this.#thumbs.trusted;
+        const srcEntry = indexSrc.get(fingerprint);
+        if (!srcEntry) {
+          debugLog(" cannot find certificate ", fingerprint.substring(0, 10), " in", status);
+          throw new Error(`#moveCertificate: certificate ${fingerprint.substring(0, 10)} not found in ${status} index`);
+        }
+        const destFolder = newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
+        const certificateDest = path6.join(destFolder, path6.basename(srcEntry.filename));
+        debugLog("#moveCertificate", fingerprint.substring(0, 10), "old name", srcEntry.filename);
+        debugLog("#moveCertificate", fingerprint.substring(0, 10), "new name", certificateDest);
+        await fs9.promises.rename(srcEntry.filename, certificateDest);
+        indexSrc.delete(fingerprint);
+        const indexDest = newStatus === "trusted" ? this.#thumbs.trusted : this.#thumbs.rejected;
+        indexDest.set(fingerprint, { certificate, filename: certificateDest });
+      }
+    });
   }
-  _findAssociatedCRLs(issuerCertificate) {
+  #findAssociatedCRLs(issuerCertificate) {
     const issuerCertificateInfo = exploreCertificate(issuerCertificate);
     const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;
-    return this._thumbs.issuersCrl[key] ? this._thumbs.issuersCrl[key] : this._thumbs.crl[key] ? this._thumbs.crl[key] : null;
+    return this.#thumbs.issuersCrl.get(key) ?? this.#thumbs.crl.get(key) ?? null;
   }
+  /**
+   * Check whether a certificate has been revoked by its issuer's CRL.
+   *
+   * - Self-signed certificates are never considered revoked.
+   * - If no `issuerCertificate` is provided, the method attempts
+   *   to find it via {@link findIssuerCertificate}.
+   *
+   * @param certificate - the DER-encoded certificate to check
+   * @param issuerCertificate - optional issuer certificate; looked
+   *   up automatically when omitted
+   * @returns `Good` if not revoked, `BadCertificateRevoked` if the
+   *   serial number appears in a CRL,
+   *   `BadCertificateRevocationUnknown` if no CRL is available,
+   *   or `BadCertificateChainIncomplete` if the issuer cannot be
+   *   found.
+   */
   async isCertificateRevoked(certificate, issuerCertificate) {
     if (isSelfSigned3(certificate)) {
       return "Good" /* Good */;
@@ -2100,913 +2186,251 @@ var CertificateManager = class {
     if (!issuerCertificate) {
       return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
     }
-    const crls = this._findAssociatedCRLs(issuerCertificate);
+    const crls = this.#findAssociatedCRLs(issuerCertificate);
     if (!crls) {
       return "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */;
     }
     const certInfo = exploreCertificate(certificate);
     const serialNumber = certInfo.tbsCertificate.serialNumber || certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial || "";
     const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint || "<unknown>";
-    const crl2 = this._thumbs.crl[key] || null;
+    const crl2 = this.#thumbs.crl.get(key) ?? null;
     if (crls.serialNumbers[serialNumber] || crl2?.serialNumbers[serialNumber]) {
       return "BadCertificateRevoked" /* BadCertificateRevoked */;
     }
     return "Good" /* Good */;
   }
-  _pending_crl_to_process = 0;
-  _on_crl_process;
-  queue = [];
-  _on_crl_file_added(index, filename) {
-    this.queue.push({ index, filename });
-    this._pending_crl_to_process += 1;
-    if (this._pending_crl_to_process === 1) {
-      this._process_next_crl();
+  #pendingCrlToProcess = 0;
+  #onCrlProcess;
+  #queue = [];
+  #onCrlFileAdded(index, filename) {
+    this.#queue.push({ index, filename });
+    this.#pendingCrlToProcess += 1;
+    if (this.#pendingCrlToProcess === 1) {
+      this.#processNextCrl();
     }
   }
-  async _process_next_crl() {
+  async #processNextCrl() {
     try {
-      const nextCRL = this.queue.shift();
+      const nextCRL = this.#queue.shift();
       if (!nextCRL) return;
       const { index, filename } = nextCRL;
       const crl = await readCertificateRevocationList(filename);
       const crlInfo = exploreCertificateRevocationList(crl);
       debugLog(chalk6.cyan("add CRL in folder "), filename);
-      const fingerprint2 = crlInfo.tbsCertList.issuerFingerprint;
-      index[fingerprint2] = index[fingerprint2] || {
-        crls: [],
-        serialNumbers: {}
-      };
-      index[fingerprint2].crls.push({ crlInfo, filename });
-      const serialNumbers = index[fingerprint2].serialNumbers;
+      const fingerprint = crlInfo.tbsCertList.issuerFingerprint;
+      if (!index.has(fingerprint)) {
+        index.set(fingerprint, { crls: [], serialNumbers: {} });
+      }
+      const data = index.get(fingerprint) || { crls: [], serialNumbers: {} };
+      data.crls.push({ crlInfo, filename });
       for (const revokedCertificate of crlInfo.tbsCertList.revokedCertificates) {
         const serialNumber = revokedCertificate.userCertificate;
-        if (!serialNumbers[serialNumber]) {
-          serialNumbers[serialNumber] = revokedCertificate.revocationDate;
+        if (!data.serialNumbers[serialNumber]) {
+          data.serialNumbers[serialNumber] = revokedCertificate.revocationDate;
         }
       }
-      debugLog(chalk6.cyan("CRL"), fingerprint2, "serial numbers = ", Object.keys(serialNumbers));
+      debugLog(chalk6.cyan("CRL"), fingerprint, "serial numbers = ", Object.keys(data.serialNumbers));
     } catch (err) {
       debugLog("CRL filename error =");
       debugLog(err);
     }
-    this._pending_crl_to_process -= 1;
-    if (this._pending_crl_to_process === 0) {
-      if (this._on_crl_process) {
-        this._on_crl_process();
-        this._on_crl_process = void 0;
+    this.#pendingCrlToProcess -= 1;
+    if (this.#pendingCrlToProcess === 0) {
+      if (this.#onCrlProcess) {
+        this.#onCrlProcess();
+        this.#onCrlProcess = void 0;
       }
     } else {
-      this._process_next_crl();
+      this.#processNextCrl();
     }
   }
-  async _readCertificates() {
-    if (this._readCertificatesCalled) {
+  async #readCertificates() {
+    if (this.#readCertificatesCalled) {
       return;
     }
-    this._readCertificatesCalled = true;
-    const options = {
-      usePolling: true,
-      interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)),
-      persistent: false,
-      awaitWriteFinish: {
-        stabilityThreshold: 2e3,
-        pollInterval: 600
-      }
+    this.#readCertificatesCalled = true;
+    const usePolling = process.env.OPCUA_PKI_USE_POLLING === "true";
+    const chokidarOptions = {
+      usePolling,
+      ...usePolling ? { interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)) } : {},
+      persistent: false
     };
-    async function _walkCRLFiles(folder, index) {
-      await new Promise((resolve, _reject) => {
-        const w = chokidar.watch(folder, options);
-        w.on("unlink", (filename, stat) => {
-          filename;
-          stat;
-        });
-        w.on("add", (filename, stat) => {
-          stat;
-          this._on_crl_file_added(index, filename);
-        });
-        w.on("change", (path9, stat) => {
-          debugLog("change in folder ", folder, path9, stat);
-        });
-        this._watchers.push(w);
-        w.on("ready", () => {
-          resolve();
-        });
+    const createUnreffedWatcher = (folder) => {
+      const capturedHandles = [];
+      const origWatch = fs9.watch;
+      fs9.watch = ((...args) => {
+        const handle = origWatch.apply(fs9, args);
+        capturedHandles.push(handle);
+        return handle;
       });
-    }
-    async function _walkAllFiles(folder, index) {
-      const w = chokidar.watch(folder, options);
-      w.on("unlink", (filename, stat) => {
-        stat;
-        debugLog(chalk6.cyan(`unlink in folder ${folder}`), filename);
-        const h = this._filenameToHash[filename];
-        if (h && index[h]) {
-          delete index[h];
+      const w = chokidar.watch(folder, chokidarOptions);
+      const unreffAll = () => {
+        fs9.watch = origWatch;
+        for (const h of capturedHandles) {
+          h.unref();
         }
-      });
-      w.on("add", (filename, stat) => {
-        stat;
-        debugLog(chalk6.cyan(`add in folder ${folder}`), filename);
-        try {
-          const certificate = readCertificate(filename);
-          const info = exploreCertificate(certificate);
-          const fingerprint2 = makeFingerprint(certificate);
-          index[fingerprint2] = {
-            certificate,
-            filename
-          };
-          this._filenameToHash[filename] = fingerprint2;
-          debugLog(
-            chalk6.magenta("CERT"),
-            info.tbsCertificate.subjectFingerPrint,
-            info.tbsCertificate.serialNumber,
-            info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint
-          );
-        } catch (err) {
-          debugLog(`Walk files in folder ${folder} with file ${filename}`);
-          debugLog(err);
+      };
+      return { w, capturedHandles, unreffAll };
+    };
+    const promises = [
+      this.#walkAllFiles(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher),
+      this.#walkAllFiles(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher),
+      this.#walkAllFiles(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher),
+      this.#walkCRLFiles(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher),
+      this.#walkCRLFiles(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher)
+    ];
+    await Promise.all(promises);
+    await this.#waitAndCheckCRLProcessingStatus();
+  }
+  async #walkCRLFiles(folder, index, createUnreffedWatcher) {
+    await new Promise((resolve, _reject) => {
+      const { w, unreffAll } = createUnreffedWatcher(folder);
+      w.on("unlink", (filename) => {
+        for (const [key, data] of index.entries()) {
+          data.crls = data.crls.filter((c) => c.filename !== filename);
+          if (data.crls.length === 0) {
+            index.delete(key);
+          }
         }
       });
-      w.on("change", (path9, stat) => {
-        stat;
-        debugLog("change in folder ", folder, path9);
+      w.on("add", (filename) => {
+        this.#onCrlFileAdded(index, filename);
       });
-      this._watchers.push(w);
-      await new Promise((resolve, _reject) => {
-        w.on("ready", () => {
-          debugLog("ready");
-          debugLog(Object.entries(index).map((kv) => kv[0].substring(0, 10)));
-          resolve();
-        });
+      w.on("change", (changedPath) => {
+        debugLog("change in folder ", folder, changedPath);
+      });
+      this.#watchers.push(w);
+      w.on("ready", () => {
+        unreffAll();
+        resolve();
       });
-    }
-    const promises = [
-      _walkAllFiles.bind(this, this.trustedFolder, this._thumbs.trusted)(),
-      _walkAllFiles.bind(this, this.issuersCertFolder, this._thumbs.issuers.certs)(),
-      _walkAllFiles.bind(this, this.rejectedFolder, this._thumbs.rejected)(),
-      _walkCRLFiles.bind(this, this.crlFolder, this._thumbs.crl)(),
-      _walkCRLFiles.bind(this, this.issuersCrlFolder, this._thumbs.issuersCrl)()
-    ];
-    await Promise.all(promises);
-    await this.waitAndCheckCRLProcessingStatus();
-  }
-  // make sure that all crls have been processed.
-  async waitAndCheckCRLProcessingStatus() {
-    return new Promise((resolve, reject) => {
-      if (this._pending_crl_to_process === 0) {
-        setImmediate(resolve);
-        return;
-      }
-      if (this._on_crl_process) {
-        return reject(new Error("Internal Error"));
-      }
-      this._on_crl_process = resolve;
-    });
-  }
-};
-
-// packages/node-opcua-pki/lib/ca/crypto_create_CA.ts
-import commandLineArgs from "command-line-args";
-import commandLineUsage from "command-line-usage";
-var epilog = "Copyright (c) sterfive - node-opcua - 2017-2026";
-function get_offset_date(date, nbDays) {
-  const d = new Date(date.getTime());
-  d.setDate(d.getDate() + nbDays);
-  return d;
-}
-var today = /* @__PURE__ */ new Date();
-var yesterday = get_offset_date(today, -1);
-var two_years_ago = get_offset_date(today, -2 * 365);
-var next_year = get_offset_date(today, 365);
-var gLocalConfig = {};
-var g_certificateAuthority;
-async function construct_CertificateAuthority2(subject) {
-  assert11(typeof gLocalConfig.CAFolder === "string", "expecting a CAFolder in config");
-  assert11(typeof gLocalConfig.keySize === "number", "expecting a keySize in config");
-  if (!g_certificateAuthority) {
-    g_certificateAuthority = new CertificateAuthority({
-      keySize: gLocalConfig.keySize,
-      location: gLocalConfig.CAFolder,
-      subject
-    });
-    await g_certificateAuthority.initialize();
-  }
-}
-var certificateManager;
-async function construct_CertificateManager() {
-  assert11(typeof gLocalConfig.PKIFolder === "string", "expecting a PKIFolder in config");
-  if (!certificateManager) {
-    certificateManager = new CertificateManager({
-      keySize: gLocalConfig.keySize,
-      location: gLocalConfig.PKIFolder
     });
-    await certificateManager.initialize();
   }
-}
-function default_template_content() {
-  if (process.pkg?.entrypoint) {
-    const a = fs10.readFileSync(path8.join(__dirname, "../../bin/pki_config.example.js"), "utf8");
-    return a;
-  }
-  function find_default_config_template() {
-    const rootFolder = find_module_root_folder();
-    const configName = "pki_config.example.js";
-    let default_config_template2 = path8.join(rootFolder, "bin", configName);
-    if (!fs10.existsSync(default_config_template2)) {
-      default_config_template2 = path8.join(__dirname, "..", configName);
-      if (!fs10.existsSync(default_config_template2)) {
-        default_config_template2 = path8.join(__dirname, `../bin/${configName}`);
+  async #walkAllFiles(folder, index, createUnreffedWatcher) {
+    const { w, unreffAll } = createUnreffedWatcher(folder);
+    w.on("unlink", (filename) => {
+      debugLog(chalk6.cyan(`unlink in folder ${folder}`), filename);
+      const h = this.#filenameToHash.get(filename);
+      if (h && index.has(h)) {
+        index.delete(h);
       }
-    }
-    return default_config_template2;
-  }
-  const default_config_template = find_default_config_template();
-  assert11(fs10.existsSync(default_config_template));
-  const default_config_template_content = fs10.readFileSync(default_config_template, "utf8");
-  return default_config_template_content;
-}
-function find_module_root_folder() {
-  let rootFolder = path8.join(__dirname);
-  for (let i = 0; i < 4; i++) {
-    if (fs10.existsSync(path8.join(rootFolder, "package.json"))) {
-      return rootFolder;
-    }
-    rootFolder = path8.join(rootFolder, "..");
-  }
-  assert11(fs10.existsSync(path8.join(rootFolder, "package.json")), "root folder must have a package.json file");
-  return rootFolder;
-}
-async function readConfiguration(argv) {
-  if (argv.silent) {
-    g_config.silent = true;
-  } else {
-    g_config.silent = false;
-  }
-  const fqdn2 = await extractFullyQualifiedDomainName();
-  const hostname = os4.hostname();
-  let certificateDir;
-  function performSubstitution(str) {
-    str = str.replace("{CWD}", process.cwd());
-    if (certificateDir) {
-      str = str.replace("{root}", certificateDir);
-    }
-    if (gLocalConfig?.PKIFolder) {
-      str = str.replace("{PKIFolder}", gLocalConfig.PKIFolder);
-    }
-    str = str.replace("{hostname}", hostname);
-    str = str.replace("%FQDN%", fqdn2);
-    return str;
-  }
-  function prepare(file) {
-    const tmp = path8.resolve(performSubstitution(file));
-    return makePath(tmp);
-  }
-  certificateDir = argv.root;
-  assert11(typeof certificateDir === "string");
-  certificateDir = prepare(certificateDir);
-  mkdirRecursiveSync(certificateDir);
-  assert11(fs10.existsSync(certificateDir));
-  const default_config = path8.join(certificateDir, "config.js");
-  if (!fs10.existsSync(default_config)) {
-    debugLog(chalk7.yellow(" Creating default g_config file "), chalk7.cyan(default_config));
-    const default_config_template_content = default_template_content();
-    fs10.writeFileSync(default_config, default_config_template_content);
-  } else {
-    debugLog(chalk7.yellow(" using  g_config file "), chalk7.cyan(default_config));
-  }
-  if (!fs10.existsSync(default_config)) {
-    debugLog(chalk7.redBright(" cannot find config file ", default_config));
-  }
-  const defaultRandomFile = path8.join(path8.dirname(default_config), "random.rnd");
-  setEnv("RANDFILE", defaultRandomFile);
-  const _require = createRequire(__filename);
-  gLocalConfig = _require(default_config);
-  gLocalConfig.subject = new Subject5(gLocalConfig.subject || "");
-  if (argv.subject) {
-    gLocalConfig.subject = new Subject5(argv.subject);
-  }
-  if (!gLocalConfig.subject.commonName) {
-    throw new Error("subject must have a Common Name");
-  }
-  gLocalConfig.certificateDir = certificateDir;
-  let CAFolder = argv.CAFolder || path8.join(certificateDir, "CA");
-  CAFolder = prepare(CAFolder);
-  gLocalConfig.CAFolder = CAFolder;
-  gLocalConfig.PKIFolder = path8.join(gLocalConfig.certificateDir, "PKI");
-  if (argv.PKIFolder) {
-    gLocalConfig.PKIFolder = prepare(argv.PKIFolder);
-  }
-  gLocalConfig.PKIFolder = prepare(gLocalConfig.PKIFolder);
-  if (argv.privateKey) {
-    gLocalConfig.privateKey = prepare(argv.privateKey);
-  }
-  if (argv.applicationUri) {
-    gLocalConfig.applicationUri = performSubstitution(argv.applicationUri);
-  }
-  if (argv.output) {
-    gLocalConfig.outputFile = argv.output;
-  }
-  gLocalConfig.altNames = [];
-  if (argv.altNames) {
-    gLocalConfig.altNames = argv.altNames.split(";");
-  }
-  gLocalConfig.dns = [getFullyQualifiedDomainName()];
-  if (argv.dns) {
-    gLocalConfig.dns = argv.dns.split(",").map(performSubstitution);
-  }
-  gLocalConfig.ip = [];
-  if (argv.ip) {
-    gLocalConfig.ip = argv.ip.split(",");
-  }
-  if (argv.keySize) {
-    const v = argv.keySize;
-    if (v !== 1024 && v !== 2048 && v !== 3072 && v !== 4096) {
-      throw new Error(`invalid keysize specified ${v} should be 1024,2048,3072 or 4096`);
-    }
-    gLocalConfig.keySize = argv.keySize;
-  }
-  if (argv.validity) {
-    gLocalConfig.validity = argv.validity;
-  }
-}
-async function createDefaultCertificate(base_name, prefix, key_length, applicationUri, dev) {
-  assert11(key_length === 1024 || key_length === 2048 || key_length === 3072 || key_length === 4096);
-  const private_key_file = makePath(base_name, `${prefix}key_${key_length}.pem`);
-  const public_key_file = makePath(base_name, `${prefix}public_key_${key_length}.pub`);
-  const certificate_file = makePath(base_name, `${prefix}cert_${key_length}.pem`);
-  const certificate_file_outofdate = makePath(base_name, `${prefix}cert_${key_length}_outofdate.pem`);
-  const certificate_file_not_active_yet = makePath(base_name, `${prefix}cert_${key_length}_not_active_yet.pem`);
-  const certificate_revoked = makePath(base_name, `${prefix}cert_${key_length}_revoked.pem`);
-  const self_signed_certificate_file = makePath(base_name, `${prefix}selfsigned_cert_${key_length}.pem`);
-  const fqdn2 = getFullyQualifiedDomainName();
-  const hostname = os4.hostname();
-  const dns2 = [
-    // for conformance reason, localhost shall not be present in the DNS field of COP
-    // ***FORBIDEN** "localhost",
-    getFullyQualifiedDomainName()
-  ];
-  if (hostname !== fqdn2) {
-    dns2.push(hostname);
-  }
-  const ip = [];
-  async function createCertificateIfNotExist(certificate, private_key, applicationUri2, startDate, validity) {
-    if (fs10.existsSync(certificate)) {
-      warningLog(chalk7.yellow("         certificate"), chalk7.cyan(certificate), chalk7.yellow(" already exists => skipping"));
-      return "";
-    } else {
-      return await createCertificate(certificate, private_key, applicationUri2, startDate, validity);
-    }
-  }
-  async function createCertificate(certificate, privateKey, applicationUri2, startDate, validity) {
-    const certificateSigningRequestFile = `${certificate}.csr`;
-    const configFile = makePath(base_name, "../certificates/PKI/own/openssl.cnf");
-    const dns3 = [os4.hostname()];
-    const ip2 = ["127.0.0.1"];
-    const params = {
-      applicationUri: applicationUri2,
-      privateKey,
-      rootDir: ".",
-      configFile,
-      dns: dns3,
-      ip: ip2,
-      purpose: CertificatePurpose2.ForApplication
-    };
-    await createCertificateSigningRequestWithOpenSSL(certificateSigningRequestFile, params);
-    return await g_certificateAuthority.signCertificateRequest(certificate, certificateSigningRequestFile, {
-      applicationUri: applicationUri2,
-      dns: dns3,
-      ip: ip2,
-      startDate,
-      validity
     });
-  }
-  async function createSelfSignedCertificate2(certificate, private_key, applicationUri2, startDate, validity) {
-    await g_certificateAuthority.createSelfSignedCertificate(certificate, private_key, {
-      applicationUri: applicationUri2,
-      dns: dns2,
-      ip,
-      startDate,
-      validity
+    w.on("add", (filename) => {
+      debugLog(chalk6.cyan(`add in folder ${folder}`), filename);
+      try {
+        const certificate = readCertificate(filename);
+        const info = exploreCertificate(certificate);
+        const fingerprint = makeFingerprint(certificate);
+        index.set(fingerprint, { certificate, filename, info });
+        this.#filenameToHash.set(filename, fingerprint);
+        debugLog(
+          chalk6.magenta("CERT"),
+          info.tbsCertificate.subjectFingerPrint,
+          info.tbsCertificate.serialNumber,
+          info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint
+        );
+      } catch (err) {
+        debugLog(`Walk files in folder ${folder} with file ${filename}`);
+        debugLog(err);
+      }
     });
-  }
-  async function revoke_certificate(certificate) {
-    await g_certificateAuthority.revokeCertificate(certificate, {});
-  }
-  async function createPrivateKeyIfNotExist(privateKey, keyLength) {
-    if (fs10.existsSync(privateKey)) {
-      warningLog(chalk7.yellow("         privateKey"), chalk7.cyan(privateKey), chalk7.yellow(" already exists => skipping"));
-      return;
-    } else {
-      await generatePrivateKeyFile3(privateKey, keyLength);
-    }
-  }
-  displaySubtitle(` create private key :${private_key_file}`);
-  await createPrivateKeyIfNotExist(private_key_file, key_length);
-  displaySubtitle(` extract public key ${public_key_file} from private key `);
-  await getPublicKeyFromPrivateKey(private_key_file, public_key_file);
-  displaySubtitle(` create Certificate ${certificate_file}`);
-  await createCertificateIfNotExist(certificate_file, private_key_file, applicationUri, yesterday, 365);
-  displaySubtitle(` create self signed Certificate ${self_signed_certificate_file}`);
-  if (fs10.existsSync(self_signed_certificate_file)) {
-    return;
-  }
-  await createSelfSignedCertificate2(self_signed_certificate_file, private_key_file, applicationUri, yesterday, 365);
-  if (dev) {
-    await createCertificateIfNotExist(certificate_file_outofdate, private_key_file, applicationUri, two_years_ago, 365);
-    await createCertificateIfNotExist(certificate_file_not_active_yet, private_key_file, applicationUri, next_year, 365);
-    if (!fs10.existsSync(certificate_revoked)) {
-      const certificate = await createCertificateIfNotExist(
-        certificate_revoked,
-        private_key_file,
-        `${applicationUri}Revoked`,
-        // make sure we used a uniq URI here
-        yesterday,
-        365
-      );
-      warningLog(" certificate to revoke => ", certificate);
-      revoke_certificate(certificate_revoked);
-    }
-  }
-}
-async function wrap(func) {
-  try {
-    await func();
-  } catch (err) {
-    console.log(err.message);
-  }
-}
-async function create_default_certificates(dev) {
-  assert11(gLocalConfig);
-  const base_name = gLocalConfig.certificateDir || "";
-  assert11(fs10.existsSync(base_name));
-  let clientURN;
-  let serverURN;
-  let discoveryServerURN;
-  wrap(async () => {
-    await extractFullyQualifiedDomainName();
-    const hostname = os4.hostname();
-    const fqdn2 = getFullyQualifiedDomainName();
-    warningLog(chalk7.yellow("     hostname = "), chalk7.cyan(hostname));
-    warningLog(chalk7.yellow("     fqdn     = "), chalk7.cyan(fqdn2));
-    clientURN = makeApplicationUrn(hostname, "NodeOPCUA-Client");
-    serverURN = makeApplicationUrn(hostname, "NodeOPCUA-Server");
-    discoveryServerURN = makeApplicationUrn(hostname, "NodeOPCUA-DiscoveryServer");
-    displayTitle("Create  Application Certificate for Server & its private key");
-    await createDefaultCertificate(base_name, "client_", 1024, clientURN, dev);
-    await createDefaultCertificate(base_name, "client_", 2048, clientURN, dev);
-    await createDefaultCertificate(base_name, "client_", 3072, clientURN, dev);
-    await createDefaultCertificate(base_name, "client_", 4096, clientURN, dev);
-    displayTitle("Create  Application Certificate for Client & its private key");
-    await createDefaultCertificate(base_name, "server_", 1024, serverURN, dev);
-    await createDefaultCertificate(base_name, "server_", 2048, serverURN, dev);
-    await createDefaultCertificate(base_name, "server_", 3072, serverURN, dev);
-    await createDefaultCertificate(base_name, "server_", 4096, serverURN, dev);
-    displayTitle("Create  Application Certificate for DiscoveryServer & its private key");
-    await createDefaultCertificate(base_name, "discoveryServer_", 1024, discoveryServerURN, dev);
-    await createDefaultCertificate(base_name, "discoveryServer_", 2048, discoveryServerURN, dev);
-    await createDefaultCertificate(base_name, "discoveryServer_", 3072, discoveryServerURN, dev);
-    await createDefaultCertificate(base_name, "discoveryServer_", 4096, discoveryServerURN, dev);
-  });
-}
-async function createDefaultCertificates(dev) {
-  await construct_CertificateAuthority2("");
-  await construct_CertificateManager();
-  await create_default_certificates(dev);
-}
-var commonOptions = [
-  {
-    name: "root",
-    alias: "r",
-    type: String,
-    defaultValue: "{CWD}/certificates",
-    description: "the location of the Certificate folder"
-  },
-  {
-    name: "CAFolder",
-    alias: "c",
-    type: String,
-    defaultValue: "{root}/CA",
-    description: "the location of the Certificate Authority folder"
-  },
-  { name: "PKIFolder", type: String, defaultValue: "{root}/PKI", description: "the location of the Public Key Infrastructure" },
-  { name: "silent", type: Boolean, defaultValue: false, description: "minimize output" },
-  {
-    name: "privateKey",
-    alias: "p",
-    type: String,
-    defaultValue: "{PKIFolder}/own/private_key.pem",
-    description: "the private key to use to generate certificate"
-  },
-  {
-    name: "keySize",
-    alias: "k",
-    type: Number,
-    defaultValue: 2048,
-    description: "the private key size in bits (1024|2048|3072|4096)"
-  },
-  { name: "help", alias: "h", type: Boolean, description: "display this help" }
-];
-function getOptions(names) {
-  return commonOptions.filter((o) => names.includes(o.name) || o.name === "help" || o.name === "silent");
-}
-function showHelp(command, description, options, usage) {
-  const sections = [
-    {
-      header: `Command: ${command}`,
-      content: description
-    },
-    {
-      header: "Usage",
-      content: usage || `$0 ${command} [options]`
-    },
-    {
-      header: "Options",
-      optionList: options
-    }
-  ];
-  console.log(commandLineUsage(sections));
-}
-async function main(argumentsList) {
-  const mainDefinitions = [{ name: "command", defaultOption: true }];
-  let mainOptions;
-  try {
-    mainOptions = commandLineArgs(mainDefinitions, { argv: argumentsList, stopAtFirstUnknown: true });
-  } catch (err) {
-    console.log(err.message);
-    return;
-  }
-  const argv = mainOptions._unknown || [];
-  const command = mainOptions.command;
-  if (!command || command === "help") {
-    console.log(
-      commandLineUsage([
-        {
-          header: "node-opcua-pki",
-          content: `PKI management for node-opcua
-
-${epilog}`
-        },
-        {
-          header: "Commands",
-          content: [
-            { name: "demo", summary: "create default certificate for node-opcua demos" },
-            { name: "createCA", summary: "create a Certificate Authority" },
-            { name: "createPKI", summary: "create a Public Key Infrastructure" },
-            { name: "certificate", summary: "create a new certificate" },
-            { name: "revoke <certificateFile>", summary: "revoke a existing certificate" },
-            { name: "csr", summary: "create a certificate signing request" },
-            { name: "sign", summary: "validate a certificate signing request and generate a certificate" },
-            { name: "dump <certificateFile>", summary: "display a certificate" },
-            { name: "toder <pemCertificate>", summary: "convert a certificate to a DER format with finger print" },
-            { name: "fingerprint <certificateFile>", summary: "print the certificate fingerprint" },
-            { name: "version", summary: "display the version number" }
-          ]
-        }
-      ])
-    );
-    return;
-  }
-  if (command === "version") {
-    const rootFolder = find_module_root_folder();
-    const pkg = JSON.parse(fs10.readFileSync(path8.join(rootFolder, "package.json"), "utf-8"));
-    console.log(pkg.version);
-    return;
-  }
-  if (command === "demo") {
-    const optionsDef = [
-      ...getOptions(["root", "silent"]),
-      { name: "dev", type: Boolean, description: "create all sort of fancy certificates for dev testing purposes" },
-      { name: "clean", type: Boolean, description: "Purge existing directory [use with care!]" }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help)
-      return showHelp(
-        "demo",
-        "create default certificate for node-opcua demos",
-        optionsDef,
-        "$0 demo [--dev] [--silent] [--clean]"
-      );
-    await wrap(async () => {
-      await ensure_openssl_installed();
-      displayChapter("Create Demo certificates");
-      displayTitle("reading configuration");
-      await readConfiguration(local_argv);
-      if (local_argv.clean) {
-        displayTitle("Cleaning old certificates");
-        assert11(gLocalConfig);
-        const certificateDir = gLocalConfig.certificateDir || "";
-        const files = await fs10.promises.readdir(certificateDir);
-        for (const file of files) {
-          if (file.includes(".pem") || file.includes(".pub")) {
-            await fs10.promises.unlink(path8.join(certificateDir, file));
-          }
+    w.on("change", (changedPath) => {
+      debugLog(chalk6.cyan(`change in folder ${folder}`), changedPath);
+      try {
+        const certificate = readCertificate(changedPath);
+        const newFingerprint = makeFingerprint(certificate);
+        const oldHash = this.#filenameToHash.get(changedPath);
+        if (oldHash && oldHash !== newFingerprint) {
+          index.delete(oldHash);
         }
-        mkdirRecursiveSync(certificateDir);
+        index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificate(certificate) });
+        this.#filenameToHash.set(changedPath, newFingerprint);
+      } catch (err) {
+        debugLog(`change event: failed to re-read ${changedPath}`, err);
       }
-      displayTitle("create certificates");
-      await createDefaultCertificates(local_argv.dev);
-      displayChapter("Demo certificates  CREATED");
     });
-    return;
-  }
-  if (command === "createCA") {
-    const optionsDef = [
-      ...getOptions(["root", "CAFolder", "keySize", "silent"]),
-      { name: "subject", type: String, defaultValue: defaultSubject, description: "the CA certificate subject" }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help) return showHelp("createCA", "create a Certificate Authority", optionsDef);
-    await wrap(async () => {
-      await ensure_openssl_installed();
-      await readConfiguration(local_argv);
-      await construct_CertificateAuthority2(local_argv.subject);
-    });
-    return;
-  }
-  if (command === "createPKI") {
-    const optionsDef = getOptions(["root", "PKIFolder", "keySize", "silent"]);
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help) return showHelp("createPKI", "create a Public Key Infrastructure", optionsDef);
-    await wrap(async () => {
-      await readConfiguration(local_argv);
-      await construct_CertificateManager();
-    });
-    return;
-  }
-  if (command === "certificate") {
-    const optionsDef = [
-      ...getOptions(["root", "CAFolder", "PKIFolder", "privateKey", "silent"]),
-      {
-        name: "applicationUri",
-        alias: "a",
-        type: String,
-        defaultValue: "urn:{hostname}:Node-OPCUA-Server",
-        description: "the application URI"
-      },
-      {
-        name: "output",
-        alias: "o",
-        type: String,
-        defaultValue: "my_certificate.pem",
-        description: "the name of the generated certificate =>"
-      },
-      {
-        name: "selfSigned",
-        alias: "s",
-        type: Boolean,
-        defaultValue: false,
-        description: "if true, certificate will be self-signed"
-      },
-      { name: "validity", alias: "v", type: Number, description: "the certificate validity in days" },
-      {
-        name: "dns",
-        type: String,
-        defaultValue: "{hostname}",
-        description: "the list of valid domain name (comma separated)"
-      },
-      { name: "ip", type: String, defaultValue: "", description: "the list of valid IPs (comma separated)" },
-      {
-        name: "subject",
-        type: String,
-        defaultValue: "",
-        description: "the certificate subject ( for instance C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )"
-      }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help || !local_argv.applicationUri || !local_argv.output)
-      return showHelp("certificate", "create a new certificate", optionsDef);
-    async function command_certificate(local_argv2) {
-      const selfSigned = !!local_argv2.selfSigned;
-      if (!selfSigned) {
-        await command_full_certificate(local_argv2);
-      } else {
-        await command_selfsigned_certificate(local_argv2);
-      }
-    }
-    async function command_selfsigned_certificate(local_argv2) {
-      const _fqdn = await extractFullyQualifiedDomainName();
-      await readConfiguration(local_argv2);
-      await construct_CertificateManager();
-      displaySubtitle(` create self signed Certificate ${gLocalConfig.outputFile}`);
-      let subject = local_argv2.subject && local_argv2.subject.length > 1 ? new Subject5(local_argv2.subject) : gLocalConfig.subject || "";
-      subject = JSON.parse(JSON.stringify(subject));
-      const params = {
-        applicationUri: gLocalConfig.applicationUri || "",
-        dns: gLocalConfig.dns || [],
-        ip: gLocalConfig.ip || [],
-        outputFile: gLocalConfig.outputFile || "self_signed_certificate.pem",
-        startDate: gLocalConfig.startDate || /* @__PURE__ */ new Date(),
-        subject,
-        validity: gLocalConfig.validity || 365
-      };
-      await certificateManager.createSelfSignedCertificate(params);
-    }
-    async function command_full_certificate(local_argv2) {
-      await readConfiguration(local_argv2);
-      await construct_CertificateManager();
-      await construct_CertificateAuthority2("");
-      assert11(fs10.existsSync(gLocalConfig.CAFolder || ""), " CA folder must exist");
-      gLocalConfig.privateKey = void 0;
-      gLocalConfig.subject = local_argv2.subject && local_argv2.subject.length > 1 ? local_argv2.subject : gLocalConfig.subject;
-      const csr_file = await certificateManager.createCertificateRequest(
-        gLocalConfig
-      );
-      if (!csr_file) {
-        return;
-      }
-      warningLog(" csr_file = ", csr_file);
-      const certificate = csr_file.replace(".csr", ".pem");
-      if (fs10.existsSync(certificate)) {
-        throw new Error(` File ${certificate} already exist`);
-      }
-      await g_certificateAuthority.signCertificateRequest(
-        certificate,
-        csr_file,
-        gLocalConfig
-      );
-      assert11(typeof gLocalConfig.outputFile === "string");
-      fs10.writeFileSync(gLocalConfig.outputFile || "", fs10.readFileSync(certificate, "ascii"));
-    }
-    await wrap(async () => await command_certificate(local_argv));
-    return;
-  }
-  if (command === "revoke") {
-    const optionsDef = [{ name: "certificateFile", type: String, defaultOption: true }, ...getOptions(["root", "CAFolder"])];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help || !local_argv.certificateFile)
-      return showHelp(
-        "revoke <certificateFile>",
-        "revoke a existing certificate",
-        optionsDef,
-        "$0 revoke my_certificate.pem"
-      );
-    async function revoke_certificate(certificate) {
-      await g_certificateAuthority.revokeCertificate(certificate, {});
-    }
-    await wrap(async () => {
-      const certificate = path8.resolve(local_argv.certificateFile);
-      warningLog(chalk7.yellow(" Certificate to revoke : "), chalk7.cyan(certificate));
-      if (!fs10.existsSync(certificate)) {
-        throw new Error(`cannot find certificate to revoke ${certificate}`);
-      }
-      await readConfiguration(local_argv);
-      await construct_CertificateAuthority2("");
-      await revoke_certificate(certificate);
-      warningLog("done ... ");
-      warningLog("  crl = ", g_certificateAuthority.revocationList);
-      warningLog("\nyou should now publish the new Certificate Revocation List");
+    this.#watchers.push(w);
+    await new Promise((resolve, _reject) => {
+      w.on("ready", () => {
+        unreffAll();
+        debugLog("ready");
+        debugLog([...index.keys()].map((k) => k.substring(0, 10)));
+        resolve();
+      });
     });
-    return;
   }
-  if (command === "csr") {
-    const optionsDef = [
-      ...getOptions(["root", "PKIFolder", "privateKey", "silent"]),
-      {
-        name: "applicationUri",
-        alias: "a",
-        type: String,
-        defaultValue: "urn:{hostname}:Node-OPCUA-Server",
-        description: "the application URI"
-      },
-      {
-        name: "output",
-        alias: "o",
-        type: String,
-        defaultValue: "my_certificate_signing_request.csr",
-        description: "the name of the generated signing_request"
-      },
-      {
-        name: "dns",
-        type: String,
-        defaultValue: "{hostname}",
-        description: "the list of valid domain name (comma separated)"
-      },
-      { name: "ip", type: String, defaultValue: "", description: "the list of valid IPs (comma separated)" },
-      {
-        name: "subject",
-        type: String,
-        defaultValue: "/CN=Certificate",
-        description: "the certificate subject ( for instance /C=FR/ST=Centre/L=Orleans/O=SomeOrganization/CN=Hello )"
-      }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help) return showHelp("csr", "create a certificate signing request", optionsDef);
-    await wrap(async () => {
-      await readConfiguration(local_argv);
-      if (!fs10.existsSync(gLocalConfig.PKIFolder || "")) {
-        warningLog("PKI folder must exist");
-      }
-      await construct_CertificateManager();
-      if (!gLocalConfig.outputFile || fs10.existsSync(gLocalConfig.outputFile)) {
-        throw new Error(` File ${gLocalConfig.outputFile} already exist`);
-      }
-      gLocalConfig.privateKey = void 0;
-      gLocalConfig.subject = local_argv.subject && local_argv.subject.length > 1 ? local_argv.subject : gLocalConfig.subject;
-      const internal_csr_file = await certificateManager.createCertificateRequest(
-        gLocalConfig
-      );
-      if (!internal_csr_file) {
-        return;
-      }
-      if (!gLocalConfig.outputFile) {
-        warningLog("please specify a output file");
+  // make sure that all crls have been processed.
+  async #waitAndCheckCRLProcessingStatus() {
+    return new Promise((resolve, reject) => {
+      if (this.#pendingCrlToProcess === 0) {
+        setImmediate(resolve);
         return;
       }
-      const csr = await fs10.promises.readFile(internal_csr_file, "utf-8");
-      fs10.writeFileSync(gLocalConfig.outputFile || "", csr, "utf-8");
-      warningLog("Subject        = ", gLocalConfig.subject);
-      warningLog("applicationUri = ", gLocalConfig.applicationUri);
-      warningLog("altNames       = ", gLocalConfig.altNames);
-      warningLog("dns            = ", gLocalConfig.dns);
-      warningLog("ip             = ", gLocalConfig.ip);
-      warningLog("CSR file = ", gLocalConfig.outputFile);
-    });
-    return;
-  }
-  if (command === "sign") {
-    const optionsDef = [
-      ...getOptions(["root", "CAFolder", "silent"]),
-      { name: "csr", alias: "i", type: String, defaultValue: "my_certificate_signing_request.csr", description: "the csr" },
-      {
-        name: "output",
-        alias: "o",
-        type: String,
-        defaultValue: "my_certificate.pem",
-        description: "the name of the generated certificate"
-      },
-      { name: "validity", alias: "v", type: Number, defaultValue: 365, description: "the certificate validity in days" }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help || !local_argv.csr || !local_argv.output)
-      return showHelp("sign", "validate a certificate signing request and generate a certificate", optionsDef);
-    await wrap(async () => {
-      await readConfiguration(local_argv);
-      if (!fs10.existsSync(gLocalConfig.CAFolder || "")) {
-        throw new Error(`CA folder must exist:${gLocalConfig.CAFolder}`);
-      }
-      await construct_CertificateAuthority2("");
-      const csr_file = path8.resolve(local_argv.csr || "");
-      if (!fs10.existsSync(csr_file)) {
-        throw new Error(`Certificate signing request doesn't exist: ${csr_file}`);
-      }
-      const certificate = path8.resolve(local_argv.output || csr_file.replace(".csr", ".pem"));
-      if (fs10.existsSync(certificate)) {
-        throw new Error(` File ${certificate} already exist`);
+      if (this.#onCrlProcess) {
+        return reject(new Error("Internal Error"));
       }
-      await g_certificateAuthority.signCertificateRequest(
-        certificate,
-        csr_file,
-        gLocalConfig
-      );
-      assert11(typeof gLocalConfig.outputFile === "string");
-      fs10.writeFileSync(gLocalConfig.outputFile || "", fs10.readFileSync(certificate, "ascii"));
-    });
-    return;
-  }
-  if (command === "dump") {
-    const optionsDef = [
-      { name: "certificateFile", type: String, defaultOption: true },
-      { name: "help", alias: "h", type: Boolean }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help || !local_argv.certificateFile)
-      return showHelp("dump <certificateFile>", "display a certificate", optionsDef);
-    await wrap(async () => {
-      const data = await dumpCertificate(local_argv.certificateFile);
-      warningLog(data);
-    });
-    return;
-  }
-  if (command === "toder") {
-    const optionsDef = [
-      { name: "pemCertificate", type: String, defaultOption: true },
-      { name: "help", alias: "h", type: Boolean }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help || !local_argv.pemCertificate)
-      return showHelp("toder <pemCertificate>", "convert a certificate to a DER format with finger print", optionsDef);
-    await wrap(async () => {
-      await toDer(local_argv.pemCertificate);
+      this.#onCrlProcess = resolve;
     });
-    return;
-  }
-  if (command === "fingerprint") {
-    const optionsDef = [
-      { name: "certificateFile", type: String, defaultOption: true },
-      { name: "help", alias: "h", type: Boolean }
-    ];
-    const local_argv = commandLineArgs(optionsDef, { argv });
-    if (local_argv.help || !local_argv.certificateFile)
-      return showHelp("fingerprint <certificateFile>", "print the certificate fingerprint", optionsDef);
-    await wrap(async () => {
-      const certificate = local_argv.certificateFile;
-      const data = await fingerprint(certificate);
-      if (!data) return;
-      const s = data.split("=")[1].split(":").join("").trim();
-      warningLog(s);
-    });
-    return;
   }
-  console.log(`Unknown command: ${command}`);
+};
+
+// packages/node-opcua-pki/lib/pki/toolbox_pfx.ts
+import assert9 from "assert";
+import fs10 from "fs";
+var q2 = quote;
+var n3 = makePath;
+async function createPFX(options) {
+  const { certificateFile, privateKeyFile, outputFile, passphrase = "", caCertificateFiles } = options;
+  assert9(fs10.existsSync(certificateFile), `Certificate file does not exist: ${certificateFile}`);
+  assert9(fs10.existsSync(privateKeyFile), `Private key file does not exist: ${privateKeyFile}`);
+  let cmd = `pkcs12 -export`;
+  cmd += ` -in ${q2(n3(certificateFile))}`;
+  cmd += ` -inkey ${q2(n3(privateKeyFile))}`;
+  if (caCertificateFiles) {
+    for (const caFile of caCertificateFiles) {
+      assert9(fs10.existsSync(caFile), `CA certificate file does not exist: ${caFile}`);
+      cmd += ` -certfile ${q2(n3(caFile))}`;
+    }
+  }
+  cmd += ` -out ${q2(n3(outputFile))}`;
+  cmd += ` -passout pass:${passphrase}`;
+  await execute_openssl(cmd, {});
+}
+async function extractCertificateFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -clcerts -nokeys -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractPrivateKeyFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -nocerts -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractCACertificatesFromPFX(options) {
+  const { pfxFile, passphrase = "" } = options;
+  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -cacerts -nokeys -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
+}
+async function extractAllFromPFX(options) {
+  const [certificate, privateKey, caCertificates] = await Promise.all([
+    extractCertificateFromPFX(options),
+    extractPrivateKeyFromPFX(options),
+    extractCACertificatesFromPFX(options)
+  ]);
+  return { certificate, privateKey, caCertificates };
+}
+async function convertPFXtoPEM(pfxFile, pemFile, passphrase = "") {
+  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -out ${q2(n3(pemFile))} -nodes -passin pass:${passphrase}`;
+  await execute_openssl(cmd, {});
+}
+async function dumpPFX(pfxFile, passphrase = "") {
+  assert9(fs10.existsSync(pfxFile), `PFX file does not exist: ${pfxFile}`);
+  const cmd = `pkcs12 -in ${q2(n3(pfxFile))} -info -nodes -passin pass:${passphrase}`;
+  return await execute_openssl(cmd, {});
 }
 export {
   CertificateAuthority,
@@ -3016,22 +2440,15 @@ export {
   VerificationStatus,
   adjustApplicationUri,
   adjustDate,
-  certificateFileExist,
-  debugLog,
-  display,
-  displayChapter,
-  displayDebug,
-  displayError,
-  displaySubtitle,
-  displayTitle,
-  doDebug,
+  convertPFXtoPEM,
+  createPFX,
+  dumpPFX,
+  extractAllFromPFX,
+  extractCACertificatesFromPFX,
+  extractCertificateFromPFX,
+  extractPrivateKeyFromPFX,
   findIssuerCertificateInChain,
-  g_config,
   install_prerequisite,
-  makePath,
-  mkdirRecursiveSync,
-  main as pki_main,
-  quote,
-  warningLog
+  quote
 };
 //# sourceMappingURL=index.mjs.map