SkillAgentSearch skills...

Pem

Create private keys and certificates with node.js

GenerateConvertImprove

Install / Use

/learn @Dexus/Pem
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

pem

Create private keys and certificates with node.js

Build Status npm version npm downloads pem documentation

JavaScript Style Guide

Installation

Install with npm

npm install pem

or use yarn

yarn add pem

:warning: Please make sure you have openssl or libressl already installed on your system/container, without them pem will not work.

TypeScript

TypeScript declaration files are bundled with the package via types/pem.d.ts. The public API, including the legacy promisified helpers and the CA utility, now has precise typings.

Run yarn test:types to execute the lightweight tsd assertions that guard the definitions.

Examples

Here are some examples for creating an SSL key/cert on the fly, and running an HTTPS server on port 443. 443 is the standard HTTPS port, but requires root permissions on most systems. To get around this, you could use a higher port number, like 4300, and use https://localhost:4300 to access your server.

Promise support: Every asynchronous function in pem still accepts a Node-style callback and now returns a Promise when no callback is provided. The legacy pem.promisified helper is deprecated; use the primary exports directly for both callback and promise flows.

Basic https

var https = require('https')
var pem = require('pem')

pem.createCertificate({ days: 1, selfSigned: true }, function (err, keys) {
  if (err) {
    throw err
  }
  https.createServer({ key: keys.clientKey, cert: keys.certificate }, function (req, res) {
    res.end('o hai!')
  }).listen(443)
})

Express

var https = require('https')
var pem = require('pem')
var express = require('express')

pem.createCertificate({ days: 1, selfSigned: true }, function (err, keys) {
  if (err) {
    throw err
  }
  var app = express()

  app.get('/', function (req, res) {
    res.send('o hai!')
  })

  https.createServer({ key: keys.clientKey, cert: keys.certificate }, app).listen(443)
})

Basic https with async/await

const https = require('https')
const pem = require('pem')

async function main() {
  const keys = await pem.createCertificate({ days: 1, selfSigned: true })

  const server = https.createServer({ key: keys.clientKey, cert: keys.certificate }, (req, res) => {
    res.end('o hai!')
  })

  server.listen(443)
}

main().catch((err) => {
  console.error(err)
  process.exit(1)
})

API

Please have a look into the API documentation.

All asynchronous functions document below support both callback and promise styles. Invoke them without a callback to receive a Promise that resolves to the same value that would be passed to the callback.

we had to clean up a bit

<!-- ### Create a dhparam key Use `createDhparam` for creating dhparam keys pem.createDhparam(keyBitsize, callback) Where * **keyBitsize** is an optional size of the key, defaults to 512 (bit) * **callback** is a callback function with an error object and `{dhparam}` ### Create a ecparam key Use `createEcparam` for creating ecparam keys pem.createEcparam(keyName, callback) Where * **keyName** is an optional name of the key curves name, defaults to secp256k1 * **callback** is a callback function with an error object and `{ecparam}` ### Create a private key Use `createPrivateKey` for creating private keys pem.createPrivateKey(keyBitsize, [options,] callback) Where * **keyBitsize** is an optional size of the key, defaults to 2048 (bit) * **options** is an optional object of the cipher and password (both required for encryption), defaults {cipher:'',password:''} (ciphers:["aes128", "aes192", "aes256", "camellia128", "camellia192", "camellia256", "des", "des3", "idea"]) * **callback** is a callback function with an error object and `{key}` ### Create a Certificate Signing Request Use `createCSR` for creating certificate signing requests pem.createCSR(options, callback) Where * **options** is an optional options object * **callback** is a callback function with an error object and `{csr, clientKey}` Possible options are the following * **clientKey** is an optional client key to use * **clientKeyPassword** the optional password for `clientKey` * **keyBitsize** - if `clientKey` is undefined, bit size to use for generating a new key (defaults to 2048) * **hash** is a hash function to use (either `md5`, `sha1` or `sha256`, defaults to `sha256`) * **country** is a CSR country field * **state** is a CSR state field * **locality** is a CSR locality field * **organization** is a CSR organization field * **organizationUnit** is a CSR organizational unit field * **commonName** is a CSR common name field (defaults to `localhost`) * **altNames** is a list (`Array`) of subjectAltNames in the subjectAltName field (optional) * **emailAddress** is a CSR email address field * **csrConfigFile** is a CSR config file ### Create a certificate Use `createCertificate` for creating private keys pem.createCertificate(options, callback) Where * **options** is an optional options object * **callback** is a callback function with an error object and `{certificate, csr, clientKey, serviceKey}` Possible options include all the options for `createCSR` - in case `csr` parameter is not defined and a new CSR needs to be generated. In addition, possible options are the following * **serviceKey** is a private key for signing the certificate, if not defined a new one is generated * **serviceKeyPassword** Password of the service key * **serviceCertificate** is the optional certificate for the `serviceKey` * **serial** is the unique serial number for the signed certificate, required if `serviceCertificate` is defined * **selfSigned** - if set to true and `serviceKey` is not defined, use `clientKey` for signing * **csr** is a CSR for the certificate, if not defined a new one is generated * **days** is the certificate expire time in days * **extFile** extension config file - **without** `-extensions v3_req` * **config** extension config file - **with** `-extensions v3_req` ### Export a public key Use `getPublicKey` for exporting a public key from a private key, CSR or certificate pem.getPublicKey(certificate, callback) Where * **certificate** is a PEM encoded private key, CSR or certificate * **callback** is a callback function with an error object and `{publicKey}` ### Read certificate info Use `readCertificateInfo` for reading subject data from a certificate or a CSR pem.readCertificateInfo(certificate, callback) Where * **certificate** is a PEM encoded CSR or a certificate * **callback** is a callback function with an error object and `{serial, country, state, locality, organization, organizationUnit, commonName, emailAddress, validity{start, end}, san{dns, ip, email}?, issuer{country, state, locality, organization, organizationUnit}, signatureAlgorithm, publicKeyAlgorithm, publicKeySize }` ? *san* is only present if the CSR or certificate has SAN entries. *signatureAlgorithm, publicKeyAlgorithm and publicKeySize* only available if supportet and can parsed form openssl output ### Get fingerprint Use `getFingerprint` to get the default SHA1 fingerprint for a certificate pem.getFingerprint(certificate, [hash], callback) Where * **certificate** is a PEM encoded certificate * **hash** is a hash function to use (either `md5`, `sha1` or `sha256`, defaults to `sha1`) * **callback** is a callback function with an error object and `{fingerprint}` ### Get modulus Use `getModulus` to get the modulus for a certificate, a CSR or a private key. Modulus can be useful to check that a Private Key Matches a Certificate pem.getModulus(certificate, [password], [hash], callback) Where * **certificate** is a PEM encoded certificate, CSR or private key * **password** is an optional passphrase for passpharse protected certificates * **hash** is an optional hash function to use (up to now `md5` supported) (default: none) * **callback** is a callback function with an error object and `{modulus}` ### Get DH parameter information Use `getDhparamInfo` to get the size and prime of DH parameters. pem.getDhparamInfo(dhparam, callback) Where * **dhparam** is a PEM encoded DH parameters string * **callback** is a callback function with an error object and `{size, prime}` ### Export to a PKCS12 keystore Use `createPkcs12` to export a certificate, the private key and optionally any signing or intermediate CA certificates to a PKCS12 keystore. pem.createPkcs12(clientKey, certificate, p12Password, [options], callback) Where * **clientKey** is a PEM encoded private key * **certificate** is a PEM encoded certificate * **p12Password** is the password of the exported keystore * **options** is an optional options object with `cipher`, (one of "aes128", "aes192", "aes256", "camellia128", "camellia192", "camellia256", "des", "des3" or "idea"), `clientKeyPassword` and `certFiles` (an array of additional certificates to include - e.g. CA certificates) * **callback** is a callback function with an error object and `{pkcs12}` (binary) ### Read a PKCS12 keystore Use `readPkcs12` to read a certificate, private key and CA certificates from a PKCS12 keystore. pem.readPkcs12(bufferOrPath, [options], callback) Where * **bufferOrPath** is a PKCS12 keystore as a [Buffer](https://nodejs.org/api/buffer.html) or the path to a file *

Dexus

View profile

View on GitHub
GitHub Stars574
CategoryDevelopment
Updated3d ago
Forks126
Dexus/pem

Languages

JavaScript

Security Score

85/100

Audited on Mar 17, 2026

No findings