import { Logger } from '@cto.af/log';
import rs from 'jsrsasign';

/**
 * Options controlling how the CA certificate and the host certificate are
 * located, validated, and (re)generated.  Every field is optional here;
 * RequiredCertOptions is the fully-populated form.
 */
interface CertOptions {
    /**
     * Subject Distinguished Name for CA.
     */
    caSubject?: string;
    /**
     * Minimum number of days the server can run.  Ensures the cert will be
     * good for at least this long.
     */
    minRunDays?: number;
    /** Certificate invalid after this many days, server restart required. */
    notAfterDays?: number;
    /**
     * Relative to cwd.
     * NOTE(review): presumably the directory holding the host cert and its
     * private key -- confirm it is not world-readable or served/committed.
     */
    certDir?: string;
    /**
     * Relative to cwd.
     * NOTE(review): presumably the directory holding the CA cert and the CA
     * private key; if so, anyone who can read it can mint certs that chain
     * to this CA -- confirm file permissions in the implementation.
     */
    caDir?: string;
    /** Hostname for cert.  Used for subject CN, DNS subjectAltName. */
    host?: string;
    /** Always create a new CA cert, even if one exists and is valid. */
    forceCA?: boolean;
    /** Always create a new certificate, even if one exists and is valid. */
    forceCert?: boolean;
    /**
     * 0 for info. +verbose, -quiet.
     */
    logLevel?: number;
    /**
     * Log to a file instead.
     */
    logFile?: string | null;
    /**
     * Existing Logger instance to use, if the caller already has one.
     */
    log?: Logger | null;
    /**
     * If true, do not read the key.
     */
    noKey?: boolean;
}
/** CertOptions with every field required (no field may be omitted). */
type RequiredCertOptions = Required<CertOptions>;
/** Any of the jsrsasign key object types accepted where a key is expected. */
type AnyKey = rs.RSAKey | rs.KJUR.crypto.DSA | rs.KJUR.crypto.ECDSA;

/**
 * A certificate, optionally paired with its private key, plus the fields
 * extracted from the certificate.  All public fields are readonly.
 */
declare class KeyCert {
    // Declaration-emit marker: the implementation has ECMAScript #private members.
    #private;
    /** Name given at construction.  NOTE(review): presumably the base file name used by read/write -- confirm. */
    readonly name: string;
    /**
     * Private key as a string, or undefined when no key is held.
     * This is secret material: do not log it or include it in error output.
     * NOTE(review): presumably PEM-encoded -- confirm against the implementation.
     */
    readonly key: string | undefined;
    /** Certificate as a string.  NOTE(review): presumably PEM-encoded -- confirm. */
    readonly cert: string;
    /** End of the certificate's validity period. */
    readonly notAfter: Date;
    /** Start of the certificate's validity period. */
    readonly notBefore: Date;
    /** Subject of the certificate, as a string. */
    readonly subject: string;
    /** Issuer of the certificate, as a string. */
    readonly issuer: string;
    /** Serial number of the certificate, as a string. */
    readonly serial: string;
    /** Issuing CA's KeyCert, when one was supplied at construction. */
    readonly ca: KeyCert | undefined;
    /**
     * @param name Name for this key/cert pair.
     * @param key Private key as a jsrsasign key object or a string, or
     *   undefined to hold the certificate only.
     * @param cert Certificate as a jsrsasign Certificate object or a string.
     * @param ca Optional KeyCert of the issuing CA.
     */
    constructor(name: string, key: AnyKey | string | undefined, cert: rs.KJUR.asn1.x509.Certificate | string, ca?: KeyCert);
    /**
     * Read a stored key/cert pair.
     *
     * @param opts Fully-populated options.
     * @param name Name of the pair to read.
     * @param ca Optional KeyCert of the issuing CA.
     * @returns The KeyCert, or null.  NOTE(review): presumably null means
     *   nothing usable was found (missing, expired, or failing validation) --
     *   the exact conditions are not visible in this declaration; confirm.
     */
    static read(opts: RequiredCertOptions, name: string, ca?: KeyCert): Promise<KeyCert | null>;
    /**
     * Delete this pair.  NOTE(review): presumably removes the stored files --
     * confirm that the key file is removed along with the cert.
     */
    delete(opts: RequiredCertOptions): Promise<void>;
    /**
     * Write this pair.  NOTE(review): presumably persists the cert and, when
     * present, the private key -- confirm the key file is created with
     * owner-only permissions.
     */
    write(opts: RequiredCertOptions): Promise<void>;
}

/**
 * A fully-populated option set.  The actual values are not visible in this
 * declaration file.  NOTE(review): presumably used to fill in any CertOptions
 * fields the caller omits -- confirm against the implementation.
 */
declare const DEFAULT_CERT_OPTIONS: RequiredCertOptions;
/**
 * Read a valid CA cert, or create a new one, writing it.
 *
 * The returned KeyCert may carry the CA private key (see KeyCert.key), so
 * callers should treat the result as secret material.
 * NOTE(review): a locally generated CA is presumably meant for development
 * use; if it is added to a trust store, protecting its key matters -- confirm
 * how and where the implementation stores it.
 *
 * @param options Cert options.
 * @returns Private Key / Certificate for CA.
 */
declare function createCA(options: CertOptions): Promise<KeyCert>;
/**
 * Create a CA-signed localhost certificate.
 *
 * The host name comes from the `host` option, which CertOptions documents as
 * being used for the subject CN and the DNS subjectAltName.
 * NOTE(review): presumably reuses an existing valid cert unless `forceCert`
 * is set, and obtains the CA the same way createCA does -- confirm.
 *
 * @param options Certificate options.
 * @returns Cert and private key.
 */
declare function createCert(options: CertOptions): Promise<KeyCert>;

// Public surface of the module: AnyKey, CertOptions and RequiredCertOptions
// are exported type-only; the remaining names are exported as values.
export { type AnyKey, type CertOptions, DEFAULT_CERT_OPTIONS, KeyCert, type RequiredCertOptions, createCA, createCert };
