Skip to main content
X509Certificate - crypto - Node documentation
class X509Certificate

Usage in Deno

import { X509Certificate } from "node:crypto";

Encapsulates an X509 certificate and provides read-only access to its information.

const { X509Certificate } = await import('node:crypto');

const x509 = new X509Certificate('{... pem encoded cert ...}');

console.log(x509.subject);

Constructors

new
X509Certificate(buffer: BinaryLike)

Properties

readonly
ca: boolean

Will be `true` if this is a Certificate Authority (CA) certificate.

readonly
fingerprint: string

The SHA-1 fingerprint of this certificate.

Because SHA-1 is cryptographically broken and because the security of SHA-1 is significantly worse than that of algorithms that are commonly used to sign certificates, consider using x509.fingerprint256 instead.

readonly
fingerprint256: string

The SHA-256 fingerprint of this certificate.

readonly
fingerprint512: string

The SHA-512 fingerprint of this certificate.

Because computing the SHA-256 fingerprint is usually faster and because it is only half the size of the SHA-512 fingerprint, x509.fingerprint256 may be a better choice. While SHA-512 presumably provides a higher level of security in general, the security of SHA-256 matches that of most algorithms that are commonly used to sign certificates.

readonly
infoAccess: string | undefined

A textual representation of the certificate's authority information access extension.

This is a line feed separated list of access descriptions. Each line begins with the access method and the kind of the access location, followed by a colon and the value associated with the access location.

After the prefix denoting the access method and the kind of the access location, the remainder of each line might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.

readonly
issuer: string

The issuer identification included in this certificate.

readonly
abstract
issuerCertificate: X509Certificate | undefined

The issuer certificate or undefined if the issuer certificate is not available.

readonly
keyUsage: string[]

An array detailing the key usages for this certificate.

The public key KeyObject for this certificate.

readonly
raw: Buffer

A Buffer containing the DER encoding of this certificate.

readonly
serialNumber: string

The serial number of this certificate.

Serial numbers are assigned by certificate authorities and do not uniquely identify certificates. Consider using x509.fingerprint256 as a unique identifier instead.

readonly
subject: string

The complete subject of this certificate.

readonly
subjectAltName: string | undefined

The subject alternative name specified for this certificate.

This is a comma-separated list of subject alternative names. Each entry begins with a string identifying the kind of the subject alternative name followed by a colon and the value associated with the entry.

Earlier versions of Node.js incorrectly assumed that it is safe to split this property at the two-character sequence ', ' (see CVE-2021-44532). However, both malicious and legitimate certificates can contain subject alternative names that include this sequence when represented as a string.

After the prefix denoting the type of the entry, the remainder of each entry might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.

readonly
validFrom: string

The date/time from which this certificate is considered valid.

readonly
validTo: string

The date/time until which this certificate is considered valid.

Methods

checkEmail(
email: string,
options?: Pick<X509CheckOptions, "subject">,
): string | undefined

Checks whether the certificate matches the given email address.

If the 'subject' option is undefined or set to 'default', the certificate subject is only considered if the subject alternative name extension either does not exist or does not contain any email addresses.

If the 'subject' option is set to 'always' and if the subject alternative name extension either does not exist or does not contain a matching email address, the certificate subject is considered.

If the 'subject' option is set to 'never', the certificate subject is never considered, even if the certificate contains no subject alternative names.

checkHost(
name: string,
options?: X509CheckOptions,
): string | undefined

Checks whether the certificate matches the given host name.

If the certificate matches the given host name, the matching subject name is returned. The returned name might be an exact match (e.g., foo.example.com) or it might contain wildcards (e.g., *.example.com). Because host name comparisons are case-insensitive, the returned subject name might also differ from the given name in capitalization.

If the 'subject' option is undefined or set to 'default', the certificate subject is only considered if the subject alternative name extension either does not exist or does not contain any DNS names. This behavior is consistent with RFC 2818 ("HTTP Over TLS").

If the 'subject' option is set to 'always' and if the subject alternative name extension either does not exist or does not contain a matching DNS name, the certificate subject is considered.

If the 'subject' option is set to 'never', the certificate subject is never considered, even if the certificate contains no subject alternative names.

checkIP(ip: string): string | undefined

Checks whether the certificate matches the given IP address (IPv4 or IPv6).

Only RFC 5280 iPAddress subject alternative names are considered, and they must match the given ip address exactly. Other subject alternative names as well as the subject field of the certificate are ignored.

checkIssued(otherCert: X509Certificate): boolean

Checks whether this certificate was issued by the given otherCert.

checkPrivateKey(privateKey: KeyObject): boolean

Checks whether the public key for this certificate is consistent with the given private key.

toJSON(): string

There is no standard JSON encoding for X509 certificates. ThetoJSON() method returns a string containing the PEM encoded certificate.

Returns information about this certificate using the legacy certificate object encoding.

toString(): string

Returns the PEM-encoded certificate.

verify(publicKey: KeyObject): boolean

Verifies that this certificate was signed by the given public key. Does not perform any other validation checks on the certificate.