https://github.com/lepresk/pki-infrastructure
Three-tier PKI in Node.js — Root CA, Intermediate CA, signing certificates, chain verification, and document signing
- Host: GitHub
- URL: https://github.com/lepresk/pki-infrastructure
- Owner: lepresk
- Created: 2026-02-27T08:23:20.000Z (4 months ago)
- Default Branch: master
- Last Pushed: 2026-02-27T08:26:13.000Z (4 months ago)
- Last Synced: 2026-02-27T14:06:36.649Z (4 months ago)
- Topics: certificate-authority, cryptography, nodejs, pki, typescript, x509
- Language: TypeScript
- Size: 9.77 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# pki-infrastructure

Node.js implementation of a three-tier Public Key Infrastructure — Root CA, Intermediate CA, and leaf signing certificates — using `node-forge` and the built-in `crypto` module.
This is the companion code for the article: [Build a Complete PKI from Scratch in Node.js](https://lepresk.com/blog/build-a-complete-pki-from-scratch-in-nodejs)
Repository: [github.com/lepresk/pki-infrastructure](https://github.com/lepresk/pki-infrastructure)
## Requirements
- Node.js 20 or later
- pnpm
## Getting started
```bash
git clone https://github.com/lepresk/pki-infrastructure.git
cd pki-infrastructure
pnpm install
pnpm dev
```
## What it does
Running the demo generates a full certificate chain and exercises signing and verification:
1. Creates a self-signed Root CA (4096-bit RSA, 10-year validity)
2. Issues an Intermediate CA signed by the Root CA (2048-bit, 5-year validity)
3. Issues a leaf signing certificate signed by the Intermediate CA (2048-bit, 2-year validity)
4. Verifies the certificate chain
5. Signs a document and verifies the signature against the original and a tampered version
Certificates are written to `pki/` as PEM files. That directory is excluded from git — never commit private keys.
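The chain and signature checks from the steps above can be reproduced without `node-forge`, using only Node's built-in `X509Certificate` and `createSign`/`createVerify`. The block below is an added example, not code from the repository: `verifyChain` checks issuer/subject linkage, signature under the issuer's key, CA basic constraints and validity windows for the Root, Intermediate and leaf PEMs, and `signAndVerifyDemo` mirrors step 5 on a freshly generated key so it runs with no files present. The PEM file names in the usage comment are an assumption; pass whatever `storage.ts` actually writes.

```typescript
import { X509Certificate, generateKeyPairSync, createSign, createVerify, KeyObject } from "node:crypto";
import { readFileSync } from "node:fs";

// Outcome of a chain check: ok is true only when every check passed.
export interface ChainResult {
  ok: boolean;
  errors: string[];
}

// Verify Root -> Intermediate -> leaf with node:crypto's X509Certificate:
// issuer/subject linkage, signature under the issuer's key, CA flags and validity dates.
export function verifyChain(rootPem: string, intermediatePem: string, leafPem: string, now: Date = new Date()): ChainResult {
  const root = new X509Certificate(rootPem);
  const intermediate = new X509Certificate(intermediatePem);
  const leaf = new X509Certificate(leafPem);
  const errors: string[] = [];

  // Root: self-signed and marked as a CA.
  if (!root.verify(root.publicKey)) errors.push("root is not self-signed");
  if (!root.ca) errors.push("root is missing the CA basic constraint");

  // Intermediate: names the root as issuer and carries a valid root signature.
  if (!intermediate.checkIssued(root)) errors.push("intermediate issuer does not match root subject");
  if (!intermediate.verify(root.publicKey)) errors.push("intermediate signature does not verify with root key");
  if (!intermediate.ca) errors.push("intermediate is missing the CA basic constraint");

  // Leaf: names the intermediate as issuer, carries a valid intermediate signature, is not a CA.
  if (!leaf.checkIssued(intermediate)) errors.push("leaf issuer does not match intermediate subject");
  if (!leaf.verify(intermediate.publicKey)) errors.push("leaf signature does not verify with intermediate key");
  if (leaf.ca) errors.push("leaf must not be a CA");

  // Every certificate must be inside its validity window at the time of the check.
  const named: Array<[string, X509Certificate]> = [["root", root], ["intermediate", intermediate], ["leaf", leaf]];
  const t = now.getTime();
  for (const [name, cert] of named) {
    if (t < new Date(cert.validFrom).getTime() || t > new Date(cert.validTo).getTime()) {
      errors.push(`${name} is outside its validity period`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Detached RSA-SHA256 signature over a document (PKCS#1 v1.5 padding, the createSign default).
export function signDocument(privateKey: KeyObject, document: Buffer): Buffer {
  const signer = createSign("RSA-SHA256");
  signer.update(document);
  return signer.sign(privateKey);
}

export function verifyDocument(publicKey: KeyObject, document: Buffer, signature: Buffer): boolean {
  const verifier = createVerify("RSA-SHA256");
  verifier.update(document);
  return verifier.verify(publicKey, signature);
}

// Mirrors step 5 of the demo on a freshly generated key pair (no files needed):
// the original document must verify, a one-character change must not.
export function signAndVerifyDemo(): { original: boolean; tampered: boolean } {
  const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const original = Buffer.from("Invoice #1042: pay 100 EUR to ACME"); // constructed sample document
  const tampered = Buffer.from("Invoice #1042: pay 900 EUR to ACME"); // same document, amount changed
  const signature = signDocument(privateKey, original);
  return {
    original: verifyDocument(publicKey, original, signature),
    tampered: verifyDocument(publicKey, tampered, signature),
  };
}

// Usage: pass the three PEM paths written by the demo to check the chain, for example
//   npx tsx verify-chain.ts pki/root.pem pki/intermediate.pem pki/leaf.pem
// (these file names are an assumption; use whatever storage.ts writes).
const pemPaths = process.argv.slice(2);
if (pemPaths.length === 3) {
  const [rootPem, intermediatePem, leafPem] = pemPaths.map((p) => readFileSync(p, "utf8"));
  console.log(JSON.stringify(verifyChain(rootPem, intermediatePem, leafPem), null, 2));
}
console.log(signAndVerifyDemo()); // { original: true, tampered: false }
```

`checkIssued` only compares the issuer name against the subject name, so it is paired with `verify` against the issuer's public key; a certificate that names the right issuer but was signed by someone else fails the second check. Revocation is not covered here, just as it is not in the demo.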
## Project structure
```
src/
types.ts — shared interfaces
crypto.ts — key decryption, sign, verify
pki.ts — CA and certificate generation, chain verification
storage.ts — read/write PEM files
index.ts — end-to-end demo
```
## A note on AES-256 key decryption
`node-forge` silently returns `null` (instead of throwing) when decrypting AES-256 encrypted private keys in some Node.js versions, so a failed decryption is easy to miss. The workaround in `src/crypto.ts` uses the built-in `crypto` module to decrypt the key and re-exports it as unencrypted PKCS#1 before handing it back to forge. See the article for a full explanation.
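The same workaround, written here as an added example with only `node:crypto` (this is not the project's `src/crypto.ts`): `createPrivateKey` takes the passphrase and throws on a wrong one, and `export` re-encodes the result as unencrypted PKCS#1 PEM. The 2048-bit key, its PKCS#8/AES-256-CBC wrapping and the passphrase are constructed test material; the demo's own keys come from `pki.ts`.

```typescript
import { generateKeyPairSync, createPrivateKey, createPublicKey } from "node:crypto";

// Decrypt a passphrase-protected private key with node:crypto and return it as an
// unencrypted PKCS#1 PEM ("BEGIN RSA PRIVATE KEY"), the form node-forge reads without trouble.
// createPrivateKey accepts both PKCS#8 "ENCRYPTED PRIVATE KEY" and legacy
// "Proc-Type: 4,ENCRYPTED" PKCS#1 PEMs and throws on a wrong passphrase, so a bad
// secret is a loud error here rather than a silent null.
export function decryptToPkcs1Pem(encryptedPem: string, passphrase: string): string {
  const key = createPrivateKey({ key: encryptedPem, format: "pem", passphrase });
  if (key.asymmetricKeyType !== "rsa") {
    throw new Error(`expected an RSA key, got ${key.asymmetricKeyType}`);
  }
  return key.export({ type: "pkcs1", format: "pem" }) as string;
}

// Constructed test material: a 2048-bit RSA key pair whose private key is wrapped as
// PKCS#8 under AES-256-CBC, the case the note above is about.
export function makeEncryptedRsaKey(passphrase: string): { encryptedPem: string; publicPem: string } {
  const { privateKey, publicKey } = generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase },
  });
  return { encryptedPem: privateKey, publicPem: publicKey };
}

// Sanity check that decryption produced the right key: the public key derived from the
// decrypted PKCS#1 key must equal the public key generated alongside it.
export function matchesPublicKey(pkcs1Pem: string, publicPem: string): boolean {
  const derived = createPublicKey(createPrivateKey(pkcs1Pem)).export({ type: "spki", format: "pem" });
  return derived === publicPem;
}

// A wrong passphrase must be rejected, never treated as success.
export function rejectsWrongPassphrase(encryptedPem: string, wrongPassphrase: string): boolean {
  try {
    decryptToPkcs1Pem(encryptedPem, wrongPassphrase);
    return false;
  } catch {
    return true;
  }
}

const demo = makeEncryptedRsaKey("correct horse battery staple"); // constructed passphrase
const plain = decryptToPkcs1Pem(demo.encryptedPem, "correct horse battery staple");
console.log(plain.split("\n")[0]);                    // -----BEGIN RSA PRIVATE KEY-----
console.log(matchesPublicKey(plain, demo.publicPem)); // true
console.log(rejectsWrongPassphrase(demo.encryptedPem, "wrong")); // true
```

The decrypted PKCS#1 string holds the raw private key, so treat it like the original secret: keep it in memory only as long as forge needs it and never write it to `pki/` alongside the encrypted copy.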
## License
MIT