• Public
  • Public/Protected
  • All

Class CertificationRequest

Represents the CertificationRequest structure described in RFC2986


The following example demonstrates how to parse PKCS#11 certification request and verify its challenge password extension and signature value

const pkcs10 = pkijs.CertificationRequest.fromBER(pkcs10Raw);

// Get and validate challenge password extension
if (pkcs10.attributes) {
const attrExtensions = pkcs10.attributes.find(o => o.type === "1.2.840.113549.1.9.14"); // pkcs-9-at-extensionRequest
if (attrExtensions) {
const extensions = new pkijs.Extensions({ schema: attrExtensions.values[0] });
for (const extension of extensions.extensions) {
if (extension.extnID === "1.2.840.113549.1.9.7") { // pkcs-9-at-challengePassword
const asn = asn1js.fromBER(extension.extnValue.valueBlock.valueHex);
if (asn.result.valueBlock.value !== "passwordChallenge") {
throw new Error("PKCS#11 certification request is invalid. Challenge password is incorrect");

// Verify signature value
const ok = await pkcs10.verify();
if (!ok) {
throw Error("PKCS#11 certification request is invalid. Signature is wrong")

The following example demonstrates how to create PKCS#11 certification request

// Get a "crypto" extension
const crypto = pkijs.getCrypto(true);

const pkcs10 = new pkijs.CertificationRequest();

pkcs10.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
type: "",
value: new asn1js.Utf8String({ value: "Test" })

await pkcs10.subjectPublicKeyInfo.importKey(keys.publicKey);

pkcs10.attributes = [];

// Subject Alternative Name
const altNames = new pkijs.GeneralNames({
names: [
new pkijs.GeneralName({ // email
type: 1,
value: "[email protected]"
new pkijs.GeneralName({ // domain
type: 2,
value: "www.domain.com"

// SubjectKeyIdentifier
const subjectKeyIdentifier = await crypto.digest({ name: "SHA-1" }, pkcs10.subjectPublicKeyInfo.subjectPublicKey.valueBlock.valueHex);

pkcs10.attributes.push(new pkijs.Attribute({
type: "1.2.840.113549.1.9.14", // pkcs-9-at-extensionRequest
values: [(new pkijs.Extensions({
extensions: [
new pkijs.Extension({
extnID: "", // id-ce-subjectKeyIdentifier
critical: false,
extnValue: (new asn1js.OctetString({ valueHex: subjectKeyIdentifier })).toBER(false)
new pkijs.Extension({
extnID: "", // id-ce-subjectAltName
critical: false,
extnValue: altNames.toSchema().toBER(false)
new pkijs.Extension({
extnID: "1.2.840.113549.1.9.7", // pkcs-9-at-challengePassword
critical: false,
extnValue: (new asn1js.PrintableString({ value: "passwordChallenge" })).toBER(false)

// Signing final PKCS#10 request
await pkcs10.sign(keys.privateKey, "SHA-256");

const pkcs10Raw = pkcs10.toSchema(true).toBER();






attributes?: Attribute[]

Collection of attributes providing additional information about the subject of the certificate

signatureAlgorithm: AlgorithmIdentifier

signature algorithm (and any associated parameters) under which the certification-request information is signed

signatureValue: BitString

result of signing the certification request information with the certification request subject's private key

Distinguished name of the certificate subject

subjectPublicKeyInfo: PublicKeyInfo

Information about the public key being certified

tbsView: Uint8Array
version: number

Version number. It should be 0

CLASS_NAME: string = "CertificationRequest"

Name of the class


  • get className(): string
  • get tbs(): ArrayBuffer
  • set tbs(value: ArrayBuffer): void


  • encodeTBS(): Sequence
  • fromSchema(schema: any): void
  • sign(privateKey: CryptoKey, hashAlgorithm?: string, crypto?: ICryptoEngine): Promise<void>
  • Makes signature for current certification request


    • privateKey: CryptoKey

      WebCrypto private key

    • hashAlgorithm: string = "SHA-1"

      String representing current hashing algorithm

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<void>

  • toSchema(encodeFlag?: boolean): Sequence
  • toString(encoding?: "base64" | "base64url" | "hex"): string
  • Verify existing certification request signature


    Returns Promise<boolean>

    Returns true if signature value is valid, otherwise false

  • blockName(): string
  • defaultValues(memberName: "tbs"): ArrayBuffer
  • defaultValues(memberName: "version"): number
  • defaultValues(memberName: "subject"): RelativeDistinguishedNames
  • defaultValues(memberName: "subjectPublicKeyInfo"): PublicKeyInfo
  • defaultValues(memberName: "attributes"): Attribute[]
  • defaultValues(memberName: "signatureAlgorithm"): AlgorithmIdentifier
  • defaultValues(memberName: "signatureValue"): BitString
  • fromBER<T>(this: PkiObjectConstructor<T>, raw: BufferSource): T
  • Creates PKI object from the raw data

    Type Parameters


    • this: PkiObjectConstructor<T>
    • raw: BufferSource

      ASN.1 encoded raw data

    Returns T

    Initialized and filled current class object

  • Returns value of pre-defined ASN.1 schema for current class


    ASN.1 schema

    CertificationRequest ::= SEQUENCE {
       certificationRequestInfo CertificationRequestInfo,
       signatureAlgorithm       AlgorithmIdentifier{{ SignatureAlgorithms }},
       signature                BIT STRING


    Returns any

    ASN.1 schema object

Generated using TypeDoc