node-opcua-server-configuration 2.71.0 → 2.72.0

package/dist/trust_list.d.ts

@@ -1,79 +1,79 @@
-/// <reference types="node" />
-import { StatusCode } from "node-opcua-basic-types";
-/**
- * @module node-opcua-server-configuration
- */
-export interface ITrustList {
-    /**
-     * The CloseAndUpdate Method closes the file and applies the changes to the Trust List. It can
-     * only be called if the file was opened for writing. If the Close Method is called any cached data
-     * is discarded and the Trust List is not changed.
-     *
-     * The Server shall verify that every Certificate in the new Trust List is valid according to the
-     * mandatory rules defined in Part 4. If an invalid Certificate is found the Server shall return an
-     * error and shall not update the Trust List. If only part of the Trust List is being updated the
-     * Server creates a temporary Trust List that includes the existing Trust List plus any updates
-     * and validates the temporary Trust List.
-     *
-     * If the file cannot be processed this Method still closes the file and discards the data before
-     * returning an error. This Method is required if the Server supports updates to the Trust List.
-     * The structure uploaded includes a mask (see 7.5.8) which specifies which fields are updated.
-     * If a bit is not set then the associated field is not changed.
-     *
-     * @param fileHandle UInt32 - The handle of the previously opened file
-     * @return applyChangesRequired - A flag indicating whether the ApplyChanges Method (see 7.7.5) shall be called
-     *                                before the new Trust List will be used by the Server.
-     * **Result Code**
-     * - BadUserAccessDenied         The current user does not have the rights required.
-     * - BadCertificateInvalid       The Server could not validate all Certificates in the Trust List.
-     *                              The DiagnosticInfo shall specify which Certificate(s) are invalid and the specific
-     *                              error.
-     */
-    closeAndUpdate(applyChangesRequired: boolean): Promise<boolean>;
-    /**
-     * The AddCertificate Method allows a Client to add a single Certificate to the Trust List.
-     *
-     * The Server shall verify that the Certificate is valid according to the rules defined in Part 4.
-     *
-     * If an invalid Certificate is found the Server shall return an error and shall not update the Trust List.
-     *
-     * If the Certificate is issued by a CA then the Client shall provide the entire chain in the
-     * certificate argument (see Part 6).
-     *
-     * After validating the Certificate, the Server shall add the CA Certificates to the Issuers list in the Trust List.
-     *
-     * The leaf Certificate is added to the list specified by the isTrustedCertificate argument.
-     *
-     * This method cannot be called if the file object is open
-     * @param  certificate - The DER encoded Certificate to add as a ByteStrng
-     * @param  isTrustedCertificate - If TRUE the Certificate is added to the Trusted Certificates List. If FALSE the Certificate is added to the Issuer Certificates List.
-     *
-     * **Result Code**
-     * - BadUserAccessDenied:     The current user does not have the rights required.
-     * - BadCertificateInvalid:   The certificate to add is invalid.
-     * - BadInvalidState:         The object is opened.
-     *
-     */
-    addCertificate(certificate: Buffer, isTrustedCertificate: boolean): Promise<StatusCode>;
-    /**
-     * The RemoveCertificate Method allows a Client to remove a single Certificate from the Trust List.
-     *
-     * It returns BadInvalidArgument if the thumbprint does not match a Certificate in the Trust List.
-     *
-     * If the Certificate is a CA Certificate with associated CRLs then all CRLs are removed as well.
-     *
-     * This method cannot be called if the file object is open.
-     *
-     * @param thumbprint - The SHA1 hash of the Certificate to remove
-     * @param  isTrustedCertificate - If TRUE the Certificate is removed from the Trusted Certificates List.
-     *                                If FALSE the Certificate is removed from the Issuer Certificates List.
-     *
-     * **Result Code**
-     * -BadUserAccessDenied:   The current user does not have the rights required.
-     * -BadInvalidArgument:    The certificate to remove was not found.
-     * -BadInvalidState:       The object is opened.
-     *
-     *
-     */
-    removeCertificate(thumbprint: string, isTrustedCertificate: boolean): Promise<StatusCode>;
-}
+/// <reference types="node" />
+import { StatusCode } from "node-opcua-basic-types";
+/**
+ * @module node-opcua-server-configuration
+ */
+export interface ITrustList {
+    /**
+     * The CloseAndUpdate Method closes the file and applies the changes to the Trust List. It can
+     * only be called if the file was opened for writing. If the Close Method is called any cached data
+     * is discarded and the Trust List is not changed.
+     *
+     * The Server shall verify that every Certificate in the new Trust List is valid according to the
+     * mandatory rules defined in Part 4. If an invalid Certificate is found the Server shall return an
+     * error and shall not update the Trust List. If only part of the Trust List is being updated the
+     * Server creates a temporary Trust List that includes the existing Trust List plus any updates
+     * and validates the temporary Trust List.
+     *
+     * If the file cannot be processed this Method still closes the file and discards the data before
+     * returning an error. This Method is required if the Server supports updates to the Trust List.
+     * The structure uploaded includes a mask (see 7.5.8) which specifies which fields are updated.
+     * If a bit is not set then the associated field is not changed.
+     *
+     * @param fileHandle UInt32 - The handle of the previously opened file
+     * @return applyChangesRequired - A flag indicating whether the ApplyChanges Method (see 7.7.5) shall be called
+     *                                before the new Trust List will be used by the Server.
+     * **Result Code**
+     * - BadUserAccessDenied         The current user does not have the rights required.
+     * - BadCertificateInvalid       The Server could not validate all Certificates in the Trust List.
+     *                              The DiagnosticInfo shall specify which Certificate(s) are invalid and the specific
+     *                              error.
+     */
+    closeAndUpdate(applyChangesRequired: boolean): Promise<boolean>;
+    /**
+     * The AddCertificate Method allows a Client to add a single Certificate to the Trust List.
+     *
+     * The Server shall verify that the Certificate is valid according to the rules defined in Part 4.
+     *
+     * If an invalid Certificate is found the Server shall return an error and shall not update the Trust List.
+     *
+     * If the Certificate is issued by a CA then the Client shall provide the entire chain in the
+     * certificate argument (see Part 6).
+     *
+     * After validating the Certificate, the Server shall add the CA Certificates to the Issuers list in the Trust List.
+     *
+     * The leaf Certificate is added to the list specified by the isTrustedCertificate argument.
+     *
+     * This method cannot be called if the file object is open
+     * @param  certificate - The DER encoded Certificate to add as a ByteStrng
+     * @param  isTrustedCertificate - If TRUE the Certificate is added to the Trusted Certificates List. If FALSE the Certificate is added to the Issuer Certificates List.
+     *
+     * **Result Code**
+     * - BadUserAccessDenied:     The current user does not have the rights required.
+     * - BadCertificateInvalid:   The certificate to add is invalid.
+     * - BadInvalidState:         The object is opened.
+     *
+     */
+    addCertificate(certificate: Buffer, isTrustedCertificate: boolean): Promise<StatusCode>;
+    /**
+     * The RemoveCertificate Method allows a Client to remove a single Certificate from the Trust List.
+     *
+     * It returns BadInvalidArgument if the thumbprint does not match a Certificate in the Trust List.
+     *
+     * If the Certificate is a CA Certificate with associated CRLs then all CRLs are removed as well.
+     *
+     * This method cannot be called if the file object is open.
+     *
+     * @param thumbprint - The SHA1 hash of the Certificate to remove
+     * @param  isTrustedCertificate - If TRUE the Certificate is removed from the Trusted Certificates List.
+     *                                If FALSE the Certificate is removed from the Issuer Certificates List.
+     *
+     * **Result Code**
+     * -BadUserAccessDenied:   The current user does not have the rights required.
+     * -BadInvalidArgument:    The certificate to remove was not found.
+     * -BadInvalidState:       The object is opened.
+     *
+     *
+     */
+    removeCertificate(thumbprint: string, isTrustedCertificate: boolean): Promise<StatusCode>;
+}

package/dist/trust_list.js

@@ -1,3 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
 //# sourceMappingURL=trust_list.js.map

package/dist/trust_list_impl.js

@@ -1,26 +1,26 @@
-"use strict";
-// /**
-//  * @module node-opcua-server-configuration
-//  */
-// import { StatusCode, StatusCodes } from "node-opcua-status-code";
-// import { ITrustList } from "./trust_list";
-// export class TrustList implements ITrustList {
-//   public async closeAndUpdate(
-//     applyChangesRequired: boolean
-//   ): Promise<boolean> {
-//     return false;
-//   }
-//   public async addCertificate(
-//     certificate: Buffer,
-//     isTrustedCertificate: boolean
-//   ): Promise<StatusCode> {
-//     return StatusCodes.BadNotImplemented;
-//   }
-//   public async removeCertificate(
-//     thumbprint: string,
-//     isTrustedCertificate: boolean
-//   ): Promise<StatusCode> {
-//     return StatusCodes.BadNotImplemented;
-//   }
-// }
+"use strict";
+// /**
+//  * @module node-opcua-server-configuration
+//  */
+// import { StatusCode, StatusCodes } from "node-opcua-status-code";
+// import { ITrustList } from "./trust_list";
+// export class TrustList implements ITrustList {
+//   public async closeAndUpdate(
+//     applyChangesRequired: boolean
+//   ): Promise<boolean> {
+//     return false;
+//   }
+//   public async addCertificate(
+//     certificate: Buffer,
+//     isTrustedCertificate: boolean
+//   ): Promise<StatusCode> {
+//     return StatusCodes.BadNotImplemented;
+//   }
+//   public async removeCertificate(
+//     thumbprint: string,
+//     isTrustedCertificate: boolean
+//   ): Promise<StatusCode> {
+//     return StatusCodes.BadNotImplemented;
+//   }
+// }
 //# sourceMappingURL=trust_list_impl.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "node-opcua-server-configuration",
-    "version": "2.71.0",
+    "version": "2.72.0",
     "description": "pure nodejs OPCUA SDK - module -server",
     "scripts": {
         "build": "tsc -b",
@@ -12,26 +12,28 @@
     "types": "./dist/index.d.ts",
     "dependencies": {
         "memfs": "^3.4.7",
-        "node-opcua-address-space": "2.71.0",
+        "node-opcua-address-space": "2.72.0",
+        "node-opcua-address-space-base": "2.72.0",
         "node-opcua-assert": "2.66.0",
         "node-opcua-basic-types": "2.71.0",
         "node-opcua-certificate-manager": "2.71.0",
-        "node-opcua-client": "2.71.0",
+        "node-opcua-client": "2.72.0",
+        "node-opcua-common": "2.72.0",
         "node-opcua-constants": "2.70.0",
         "node-opcua-crypto": "^1.11.0",
         "node-opcua-data-model": "2.71.0",
         "node-opcua-debug": "2.71.0",
-        "node-opcua-file-transfer": "2.71.0",
+        "node-opcua-file-transfer": "2.72.0",
         "node-opcua-hostname": "2.67.0",
         "node-opcua-nodeid": "2.71.0",
         "node-opcua-nodesets": "2.71.0",
         "node-opcua-pki": "^2.17.0",
-        "node-opcua-pseudo-session": "2.71.0",
-        "node-opcua-secure-channel": "2.71.0",
-        "node-opcua-server": "2.71.0",
-        "node-opcua-service-translate-browse-path": "2.71.0",
+        "node-opcua-pseudo-session": "2.72.0",
+        "node-opcua-secure-channel": "2.72.0",
+        "node-opcua-server": "2.72.0",
+        "node-opcua-service-translate-browse-path": "2.72.0",
         "node-opcua-status-code": "2.71.0",
-        "node-opcua-types": "2.71.0",
+        "node-opcua-types": "2.72.0",
         "node-opcua-variant": "2.71.0",
         "rimraf": "^3.0.2"
     },
@@ -57,5 +59,5 @@
         "internet of things"
     ],
     "homepage": "http://node-opcua.github.io/",
-    "gitHead": "10f7cc1e1cd30dfef75adad9cb709a78401fabf3"
+    "gitHead": "3c5f00e20bf5bef91a1ca3663af149b903760e5c"
 }

package/source/clientTools/push_certificate_management_client.ts

@@ -23,7 +23,6 @@ import {
 import { ITrustList } from "../trust_list";
 import { TrustListMasks } from "../server/trust_list_server";
 
-
 const serverConfigurationNodeId = resolveNodeId("ServerConfiguration");
 const createSigningRequestMethod = resolveNodeId("ServerConfiguration_CreateSigningRequest");
 const getRejectedListMethod = resolveNodeId("ServerConfiguration_GetRejectedList");
@@ -41,7 +40,6 @@ function findCertificateGroupName(certificateGroupNodeId: NodeId): string {
 }
 
 function findCertificateGroupNodeId(certificateGroup: NodeId | string): NodeId {
-
     if (certificateGroup instanceof NodeId) {
         return certificateGroup;
     }
@@ -64,10 +62,7 @@ function findCertificateTypeIdNodeId(certificateTypeId: NodeId | string): NodeId
     return resolveNodeId(certificateTypeId);
 }
 
-
-
 export class TrustListClient extends ClientFile implements ITrustList {
-
     private closeAndUpdateNodeId?: NodeId;
     private addCertificateNodeId?: NodeId;
     private removeCertificateNodeId?: NodeId;
@@ -80,12 +75,11 @@ export class TrustListClient extends ClientFile implements ITrustList {
      * @private
      */
     async _extractMethodIds(): Promise<void> {
-
         const browseResults = await this.session.translateBrowsePath([
-            makeBrowsePath(this.nodeId, "/CloseAndUpdate"),    // Optional
-            makeBrowsePath(this.nodeId, "/AddCertificate"),    // Optional
+            makeBrowsePath(this.nodeId, "/CloseAndUpdate"), // Optional
+            makeBrowsePath(this.nodeId, "/AddCertificate"), // Optional
             makeBrowsePath(this.nodeId, "/RemoveCertificate"), // Optional
-            makeBrowsePath(this.nodeId, "/OpenWithMasks")      // OpenWithMasks Mandatory
+            makeBrowsePath(this.nodeId, "/OpenWithMasks") // OpenWithMasks Mandatory
         ]);
 
         this.closeAndUpdateNodeId = browseResults[0].targets![0].targetId;
@@ -114,9 +108,7 @@ export class TrustListClient extends ClientFile implements ITrustList {
         if (!this.openWithMasksNodeId) {
             throw new Error("OpenWithMasks doesn't exist");
         }
-        const inputArguments = [
-            { dataType: DataType.UInt32, value: trustListMask },
-        ];
+        const inputArguments = [{ dataType: DataType.UInt32, value: trustListMask }];
         const methodToCall: CallMethodRequestLike = {
             inputArguments,
             methodId: this.openWithMasksNodeId,
@@ -140,7 +132,7 @@ export class TrustListClient extends ClientFile implements ITrustList {
         }
         const inputArguments = [
             { dataType: DataType.UInt32, value: this.fileHandle },
-            { dataType: DataType.Boolean, value: !!applyChangesRequired },
+            { dataType: DataType.Boolean, value: !!applyChangesRequired }
         ];
         const methodToCall: CallMethodRequestLike = {
             inputArguments,
@@ -159,7 +151,7 @@ export class TrustListClient extends ClientFile implements ITrustList {
 
         const inputArguments: VariantLike[] = [
             { dataType: DataType.ByteString, value: certificate },
-            { dataType: DataType.Boolean, value: !!isTrustedCertificate },
+            { dataType: DataType.Boolean, value: !!isTrustedCertificate }
         ];
         const methodToCall: CallMethodRequestLike = {
             inputArguments,
@@ -175,7 +167,7 @@ export class TrustListClient extends ClientFile implements ITrustList {
 
         const inputArguments: VariantLike[] = [
             { dataType: DataType.String, value: thumbprint },
-            { dataType: DataType.Boolean, value: !!isTrustedCertificate },
+            { dataType: DataType.Boolean, value: !!isTrustedCertificate }
         ];
         const methodToCall: CallMethodRequestLike = {
             inputArguments,
@@ -188,7 +180,7 @@ export class TrustListClient extends ClientFile implements ITrustList {
 
     /**
      * helper function to retrieve the list of certificates ...
-     * @returns 
+     * @returns
      */
     async readTrustedCertificateList(): Promise<TrustListDataType> {
         // const size = await this.size();
@@ -218,13 +210,9 @@ export class TrustListClient extends ClientFile implements ITrustList {
         trustedList.encode(stream);
         return await this.closeAndUpdate(true);
     }
-
 }
 export class CertificateGroup {
-
-    constructor(public session: IBasicSession, public nodeId: NodeId) {
-
-    }
+    constructor(public session: IBasicSession, public nodeId: NodeId) {}
     async getCertificateTypes(): Promise<NodeId[]> {
         const browsePathResult = await this.session.translateBrowsePath(makeBrowsePath(this.nodeId, "/CertificateTypes"));
         if (browsePathResult.statusCode !== StatusCodes.Good) {
@@ -244,12 +232,9 @@ export class CertificateGroup {
         }
         const trustListNodeId = browsePathResult.targets![0].targetId;
         return new TrustListClient(this.session, trustListNodeId);
-
     }
-
 }
 export class ClientPushCertificateManagement implements PushCertificateManager {
-
     public static rsaSha256ApplicationCertificateType: NodeId = resolveNodeId("i=12560");
 
     public session: IBasicSession;
@@ -303,7 +288,6 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         regeneratePrivateKey?: boolean,
         nonce?: ByteString
     ): Promise<CreateSigningRequestResult> {
-
         nonce = nonce || Buffer.alloc(0);
 
         const inputArguments = [
@@ -428,7 +412,6 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         privateKeyFormat?: string,
         privateKey?: Buffer
     ): Promise<UpdateCertificateResult> {
-
         const inputArguments: VariantLike[] = [
             { dataType: DataType.NodeId, value: findCertificateGroupNodeId(certificateGroupId) },
             { dataType: DataType.NodeId, value: findCertificateTypeIdNodeId(certificateTypeId) },
@@ -481,7 +464,6 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
      * BadUserAccessDenied   The current user does not have the rights required.
      */
     public async applyChanges(): Promise<StatusCode> {
-
         const methodToCall: CallMethodRequestLike = {
             inputArguments: [],
             methodId: applyChangesMethod,
@@ -496,7 +478,6 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
     }
 
     public async getSupportedPrivateKeyFormats(): Promise<string[]> {
-
         const dataValue = await this.session.read({
             attributeId: AttributeIds.Value,
             nodeId: supportedPrivateKeyFormatsNodeId
@@ -505,7 +486,6 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
     }
 
     public async getCertificateGroupId(certificateGroupName: string): Promise<NodeId> {
-
         if (certificateGroupName === "DefaultApplicationGroup") {
             return defaultApplicationGroup;
         }
@@ -513,20 +493,19 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         throw new Error("Not Implemented yet");
     }
 
-
-
     /**
-     * 
-     * @param browseName 
+     *
+     * @param browseName
      */
     public async getCertificateGroup(
-        browseName: QualifiedNameLike | "DefaultApplicationGroup" | "DefaultUserTokenGroup"): Promise<CertificateGroup> {
+        browseName: QualifiedNameLike | "DefaultApplicationGroup" | "DefaultUserTokenGroup"
+    ): Promise<CertificateGroup> {
         browseName = coerceQualifiedName(browseName);
         if (browseName.toString() === "DefaultApplicationGroup") {
-            return new CertificateGroup(this.session, resolveNodeId("ServerConfiguration_CertificateGroups_DefaultApplicationGroup"));
+            return new CertificateGroup(this.session, defaultApplicationGroup);
         }
         if (browseName.toString() === "DefaultUserTokenGroup") {
-            return new CertificateGroup(this.session, resolveNodeId("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup"));
+            return new CertificateGroup(this.session, defaultUserTokenGroup);
         }
         // istanbul ignore next
         throw new Error("Not Implemented yet");
@@ -535,6 +514,6 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         return this.getCertificateGroup("DefaultApplicationGroup");
     }
     public async getUserTokenGroup(): Promise<CertificateGroup> {
-        return this.getCertificateGroup("DefaultApplicationGroup");
+        return this.getCertificateGroup("DefaultUserTokenGroup");
     }
 }

package/source/server/install_CertificateAlarm.ts

@@ -3,48 +3,54 @@
  */
 import {
     AddressSpace,
-    UACertificateExpirationAlarm,
-    UACertificateExpirationAlarmImpl
+    BaseNode,
+    UACertificateExpirationAlarmEx,
+    UACertificateExpirationAlarmImpl,
+    UAObject
 } from "node-opcua-address-space";
-import {
-    checkDebugFlag,
-    make_debugLog,
-    make_errorLog
-} from "node-opcua-debug";
-import {
-    NodeId
-} from "node-opcua-nodeid";
+import { InstantiateOffNormalAlarmOptions } from "node-opcua-address-space/src/alarms_and_conditions/ua_off_normal_alarm_impl";
+import { coerceQualifiedName, NodeClass } from "node-opcua-data-model";
+import { checkDebugFlag, make_debugLog, make_errorLog } from "node-opcua-debug";
+import { NodeId, sameNodeId } from "node-opcua-nodeid";
 import { DataType } from "node-opcua-variant";
 
 const debugLog = make_debugLog("ServerConfiguration");
 const errorLog = make_errorLog("ServerConfiguration");
 const doDebug = checkDebugFlag("ServerConfiguration");
 
-export function installCertificateExpirationAlarm(addressSpace: AddressSpace) {
-
+/**
+ *
+ * @param addressSpace
+ * @returns
+ * @deprecated
+ */
+export function installCertificateExpirationAlarm(addressSpace: AddressSpace): UACertificateExpirationAlarmEx {
     debugLog("installCertificateExpirationAlarm");
-
+    /**
+     * note: the ServerCertificateAlarm is not in the OPCUA standard
+     */
     const server = addressSpace.rootFolder.objects.server;
-
     const namespace = addressSpace.getOwnNamespace();
 
-    const certificateExpirationAlarmType = addressSpace.findEventType("CertificateExpirationAlarmType");
-
-    const options = {
+    const options: InstantiateOffNormalAlarmOptions = {
         browseName: "ServerCertificateAlarm",
-        conditionSource: null,
+        conditionSource: undefined,
         eventSourceOf: server,
         inputNode: new NodeId(),
-        normalState: new NodeId()
+        normalState: new NodeId(),
+        optionals: ["ExpirationLimit"]
     };
-    const data = {};
-    const alarm = UACertificateExpirationAlarmImpl.instantiate(namespace, options, data);
-    // const alarm = namespace.instantiateOffNormalAlarm({) as UACertificateExpirationAlarm;
-    alarm.currentBranch().setRetain(true);
-    alarm.activeState.setValue(false);
-    alarm.ackedState.setValue(false);
-    alarm.suppressedState?.setValue(false);
-    alarm.certificate.setValueFromSource({dataType: DataType.ByteString, value: null });
-    alarm.eventId.setValueFromSource({dataType: DataType.ByteString, value: null });
-
+    const certificateExpirationAlarm = UACertificateExpirationAlarmImpl.instantiate(
+        namespace,
+        "CertificateExpirationAlarmType",
+        options
+    );
+    certificateExpirationAlarm.currentBranch().setRetain(false);
+    certificateExpirationAlarm.activeState.setValue(false);
+    certificateExpirationAlarm.ackedState.setValue(false);
+    certificateExpirationAlarm.suppressedState?.setValue(false);
+    certificateExpirationAlarm.certificate.setValueFromSource({ dataType: DataType.ByteString, value: null });
+    certificateExpirationAlarm.eventId.setValueFromSource({ dataType: DataType.ByteString, value: null });
+
+    return certificateExpirationAlarm;
 }

package/source/server/install_certificate_file_watcher.ts

@@ -0,0 +1,25 @@
+import * as fs from "fs";
+import * as path from "path";
+import { UAObject } from "node-opcua-address-space-base";
+import { make_debugLog } from "node-opcua-debug";
+
+const debugLog = make_debugLog("ServerConfiguration");
+
+export interface ChangeDetector {
+    on(eventName: "certificateChange", handler: () => void): this;
+}
+export function installCertificateFileWatcher(node: UAObject, certificateFile: string): ChangeDetector {
+    const fileToWatch = path.basename(certificateFile);
+    const fsWatcher = fs.watch(path.dirname(certificateFile), { persistent: false }, (eventType: "rename" | "change", filename) => {
+        /** */
+        if (filename === fileToWatch) {
+            debugLog("filename changed = ", filename, fileToWatch);
+            node.emit("certificateChange");
+        }
+    });
+    const addressSpace = node.addressSpace!;
+    addressSpace.registerShutdownTask(() => {
+        fsWatcher.close();
+    });
+    return node as unknown as ChangeDetector;
+}

package/source/server/install_push_certitifate_management.ts

@@ -7,13 +7,14 @@ import * as path from "path";
 
 import * as chalk from "chalk";
 
-import { UAServerConfiguration } from "node-opcua-address-space";
+import { UAServerConfiguration, AddressSpace } from "node-opcua-address-space";
 import { assert } from "node-opcua-assert";
 import { OPCUACertificateManager } from "node-opcua-certificate-manager";
 import { Certificate, convertPEMtoDER, makeSHA1Thumbprint, PrivateKeyPEM, split_der } from "node-opcua-crypto";
 import { checkDebugFlag, make_debugLog, make_errorLog } from "node-opcua-debug";
 import { getFullyQualifiedDomainName } from "node-opcua-hostname";
 import { ICertificateKeyPairProvider } from "node-opcua-secure-channel";
+import { ICertificateKeyPairProviderPriv } from "node-opcua-common";
 import { OPCUAServer, OPCUAServerEndPoint } from "node-opcua-server";
 import { ApplicationDescriptionOptions } from "node-opcua-types";
 import { installPushCertificateManagement } from "./push_certificate_manager_helpers";
@@ -26,15 +27,15 @@ const debugLog = make_debugLog("ServerConfiguration");
 const errorLog = make_errorLog("ServerConfiguration");
 const doDebug = checkDebugFlag("ServerConfiguration");
 
-export interface OPCUAServerPartial extends ICertificateKeyPairProvider {
+export interface OPCUAServerPartial extends ICertificateKeyPairProviderPriv {
     serverInfo?: ApplicationDescriptionOptions;
     serverCertificateManager: OPCUACertificateManager;
     privateKeyFile: string;
     certificateFile: string;
-
-    $$privateKeyPEM: PrivateKeyPEM;
-    $$certificate?: Certificate;
-    $$certificateChain: Certificate;
+    $$certificate: null | Certificate;
+    $$certificateChain: null | Certificate;
+    $$privateKeyPEM: null | PrivateKeyPEM;
+    engine: { addressSpace?: AddressSpace };
 }
 
 function getCertificate(this: OPCUAServerPartial): Certificate {
@@ -176,7 +177,7 @@ async function onCertificateChange(server: OPCUAServer) {
     _server.$$certificateChain = convertPEMtoDER(certificatePEM);
     _server.$$privateKeyPEM = privateKeyPEM;
     // note : $$certificate will be reconstructed on demand
-    _server.$$certificate = undefined;
+    _server.$$certificate = split_der(_server.$$certificateChain)[0];
 
     setTimeout(async () => {
         try {
@@ -190,7 +191,6 @@ async function onCertificateChange(server: OPCUAServer) {
 
             debugLog(chalk.yellow("channels have been closed -> client should reconnect "));
         } catch (err) {
-            // tslint:disable:no-console
             if (err instanceof Error) {
                 errorLog("Error in CertificateChanged handler ", err.message);
             }