X509Certificate

Will be `true` if this is a Certificate Authority (CA) certificate.

The SHA-1 fingerprint of this certificate.

Because SHA-1 is cryptographically broken and because the security of SHA-1 is significantly worse than that of algorithms that are commonly used to sign certificates, consider using x509.fingerprint256 instead.

The SHA-256 fingerprint of this certificate.

The SHA-512 fingerprint of this certificate.

Because computing the SHA-256 fingerprint is usually faster and because it is only half the size of the SHA-512 fingerprint, x509.fingerprint256 may be a better choice. While SHA-512 presumably provides a higher level of security in general, the security of SHA-256 matches that of most algorithms that are commonly used to sign certificates.

A textual representation of the certificate's authority information access extension.

This is a line feed separated list of access descriptions. Each line begins with the access method and the kind of the access location, followed by a colon and the value associated with the access location.

After the prefix denoting the access method and the kind of the access location, the remainder of each line might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.

The issuer identification included in this certificate.

The issuer certificate or undefined if the issuer certificate is not available.

An array detailing the key usages for this certificate.

The public key KeyObject for this certificate.

A Buffer containing the DER encoding of this certificate.

The serial number of this certificate.

Serial numbers are assigned by certificate authorities and do not uniquely identify certificates. Consider using x509.fingerprint256 as a unique identifier instead.

The complete subject of this certificate.

The subject alternative name specified for this certificate.

This is a comma-separated list of subject alternative names. Each entry begins with a string identifying the kind of the subject alternative name followed by a colon and the value associated with the entry.

Earlier versions of Node.js incorrectly assumed that it is safe to split this property at the two-character sequence ', ' (see CVE-2021-44532). However, both malicious and legitimate certificates can contain subject alternative names that include this sequence when represented as a string.

After the prefix denoting the type of the entry, the remainder of each entry might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.

The date/time from which this certificate is considered valid.

The date/time until which this certificate is considered valid.

Checks whether the certificate matches the given email address.

If the 'subject' option is undefined or set to 'default', the certificate subject is only considered if the subject alternative name extension either does not exist or does not contain any email addresses.

If the 'subject' option is set to 'always' and if the subject alternative name extension either does not exist or does not contain a matching email address, the certificate subject is considered.

If the 'subject' option is set to 'never', the certificate subject is never considered, even if the certificate contains no subject alternative names.

Checks whether the certificate matches the given host name.

If the certificate matches the given host name, the matching subject name is returned. The returned name might be an exact match (e.g., foo.example.com) or it might contain wildcards (e.g., *.example.com). Because host name comparisons are case-insensitive, the returned subject name might also differ from the given name in capitalization.

If the 'subject' option is undefined or set to 'default', the certificate subject is only considered if the subject alternative name extension either does not exist or does not contain any DNS names. This behavior is consistent with RFC 2818 ("HTTP Over TLS").

If the 'subject' option is set to 'always' and if the subject alternative name extension either does not exist or does not contain a matching DNS name, the certificate subject is considered.

If the 'subject' option is set to 'never', the certificate subject is never considered, even if the certificate contains no subject alternative names.

Checks whether the certificate matches the given IP address (IPv4 or IPv6).

Only RFC 5280 iPAddress subject alternative names are considered, and they must match the given ip address exactly. Other subject alternative names as well as the subject field of the certificate are ignored.

Checks whether this certificate was issued by the given otherCert.

Checks whether the public key for this certificate is consistent with the given private key.

There is no standard JSON encoding for X509 certificates. ThetoJSON() method returns a string containing the PEM encoded certificate.

Returns information about this certificate using the legacy certificate object encoding.

Returns the PEM-encoded certificate.

Verifies that this certificate was signed by the given public key. Does not perform any other validation checks on the certificate.