ts/proxies/smart-proxy/utils/default-cert-generator.ts

import * as plugins from '../../../plugins.js';

/**
 * Generate a self-signed fallback certificate (CN=SmartProxy Default Certificate, SAN=*).
 * Used as the '*' wildcard fallback so TLS handshakes never reset due to missing certs.
 */
export function generateDefaultCertificate(): { cert: string; key: string } {
  const forge = plugins.smartcrypto.nodeForge;

  // Generate 2048-bit RSA keypair
  const keypair = forge.pki.rsa.generateKeyPair({ bits: 2048 });

  // Create self-signed X.509 certificate
  const cert = forge.pki.createCertificate();
  cert.publicKey = keypair.publicKey;
  cert.serialNumber = '01';
  cert.validity.notBefore = new Date();
  cert.validity.notAfter = new Date();
  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);

  const attrs = [{ name: 'commonName', value: 'SmartProxy Default Certificate' }];
  cert.setSubject(attrs);
  cert.setIssuer(attrs);

  // Add wildcard SAN
  cert.setExtensions([
    { name: 'subjectAltName', altNames: [{ type: 2 /* DNS */, value: '*' }] },
  ]);

  cert.sign(keypair.privateKey, forge.md.sha256.create());

  return {
    cert: forge.pki.certificateToPem(cert),
    key: forge.pki.privateKeyToPem(keypair.privateKey),
  };
}
BREAKING CHANGE(smart-proxy): move certificate persistence to an in-memory store and introduce consumer-managed certStore API; add default self-signed fallback cert and change ACME account handling 2026-02-13 16:32:02 +00:00			`import * as plugins from '../../../plugins.js';`

			`/**`
			`* Generate a self-signed fallback certificate (CN=SmartProxy Default Certificate, SAN=*).`
			`* Used as the '*' wildcard fallback so TLS handshakes never reset due to missing certs.`
			`*/`
			`export function generateDefaultCertificate(): { cert: string; key: string } {`
			`const forge = plugins.smartcrypto.nodeForge;`

			`// Generate 2048-bit RSA keypair`
			`const keypair = forge.pki.rsa.generateKeyPair({ bits: 2048 });`

			`// Create self-signed X.509 certificate`
			`const cert = forge.pki.createCertificate();`
			`cert.publicKey = keypair.publicKey;`
			`cert.serialNumber = '01';`
			`cert.validity.notBefore = new Date();`
			`cert.validity.notAfter = new Date();`
			`cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);`

			`const attrs = [{ name: 'commonName', value: 'SmartProxy Default Certificate' }];`
			`cert.setSubject(attrs);`
			`cert.setIssuer(attrs);`

			`// Add wildcard SAN`
			`cert.setExtensions([`
			`{ name: 'subjectAltName', altNames: [{ type: 2 /* DNS /, value: '' }] },`
			`]);`

			`cert.sign(keypair.privateKey, forge.md.sha256.create());`

			`return {`
			`cert: forge.pki.certificateToPem(cert),`
			`key: forge.pki.privateKeyToPem(keypair.privateKey),`
			`};`
			`}`