Class CertificationRequest

Represents the CertificationRequest structure described in RFC2986


The following example demonstrates how to parse PKCS#11 certification request and verify its challenge password extension and signature value

const pkcs10 = pkijs.CertificationRequest.fromBER(pkcs10Raw);

// Get and validate challenge password extension
if (pkcs10.attributes) {
const attrExtensions = pkcs10.attributes.find(o => o.type === "1.2.840.113549.1.9.14"); // pkcs-9-at-extensionRequest
if (attrExtensions) {
const extensions = new pkijs.Extensions({ schema: attrExtensions.values[0] });
for (const extension of extensions.extensions) {
if (extension.extnID === "1.2.840.113549.1.9.7") { // pkcs-9-at-challengePassword
const asn = asn1js.fromBER(extension.extnValue.valueBlock.valueHex);
if (asn.result.valueBlock.value !== "passwordChallenge") {
throw new Error("PKCS#11 certification request is invalid. Challenge password is incorrect");

// Verify signature value
const ok = await pkcs10.verify();
if (!ok) {
throw Error("PKCS#11 certification request is invalid. Signature is wrong")


The following example demonstrates how to create PKCS#11 certification request

// Get a "crypto" extension
const crypto = pkijs.getCrypto(true);

const pkcs10 = new pkijs.CertificationRequest();

pkcs10.subject.typesAndValues.push(new pkijs.AttributeTypeAndValue({
type: "",
value: new asn1js.Utf8String({ value: "Test" })

await pkcs10.subjectPublicKeyInfo.importKey(keys.publicKey);

pkcs10.attributes = [];

// Subject Alternative Name
const altNames = new pkijs.GeneralNames({
names: [
new pkijs.GeneralName({ // email
type: 1,
value: "[email protected]"
new pkijs.GeneralName({ // domain
type: 2,
value: ""

// SubjectKeyIdentifier
const subjectKeyIdentifier = await crypto.digest({ name: "SHA-1" }, pkcs10.subjectPublicKeyInfo.subjectPublicKey.valueBlock.valueHex);

pkcs10.attributes.push(new pkijs.Attribute({
type: "1.2.840.113549.1.9.14", // pkcs-9-at-extensionRequest
values: [(new pkijs.Extensions({
extensions: [
new pkijs.Extension({
extnID: "", // id-ce-subjectKeyIdentifier
critical: false,
extnValue: (new asn1js.OctetString({ valueHex: subjectKeyIdentifier })).toBER(false)
new pkijs.Extension({
extnID: "", // id-ce-subjectAltName
critical: false,
extnValue: altNames.toSchema().toBER(false)
new pkijs.Extension({
extnID: "1.2.840.113549.1.9.7", // pkcs-9-at-challengePassword
critical: false,
extnValue: (new asn1js.PrintableString({ value: "passwordChallenge" })).toBER(false)

// Signing final PKCS#10 request
await pkcs10.sign(keys.privateKey, "SHA-256");

const pkcs10Raw = pkcs10.toSchema(true).toBER();





attributes?: Attribute[]

Collection of attributes providing additional information about the subject of the certificate

signatureAlgorithm: AlgorithmIdentifier

signature algorithm (and any associated parameters) under which the certification-request information is signed

signatureValue: BitString

result of signing the certification request information with the certification request subject's private key

Distinguished name of the certificate subject

subjectPublicKeyInfo: PublicKeyInfo

Information about the public key being certified

tbsView: Uint8Array
version: number

Version number. It should be 0

CLASS_NAME: string = "CertificationRequest"

Name of the class


  • get className(): string
  • Returns string


  • Makes signature for current certification request


    • privateKey: CryptoKey

      WebCrypto private key

    • hashAlgorithm: string = "SHA-1"

      String representing current hashing algorithm

    • crypto: ICryptoEngine = ...

      Crypto engine

    Returns Promise<void>

  • Converts current object to ASN.1 object and sets correct values


    ASN.1 object


    • encodeFlag: boolean = false

      If param equal to false then creates schema via decoding stored value. In other case creates schema via assembling from cached parts

    Returns Sequence

  • Parameters

    • encoding: "base64" | "base64url" | "hex" = "hex"

    Returns string

  • Creates PKI object from the raw data


    Initialized and filled current class object

    Type Parameters


    • this: PkiObjectConstructor<T>
    • raw: BufferSource

      ASN.1 encoded raw data

    Returns T

Generated using TypeDoc