import type { AnyKey, CertOptions, CommonCertLogOptions, CommonCertOptions, CtoCertOptions, RequiredCertOptions, RequiredCommonCertOptions } from './types.js';
import { KEYCHAIN_SERVICE, KeyCert, SELF_SIGNED, type SecretEntry } from './cert.js';
import { type LogOptions, type Logger } from '@cto.af/log';
export type { AnyKey, CertOptions, CommonCertLogOptions, CommonCertOptions, CtoCertOptions, RequiredCertOptions as RequiredCtoCertOptions, RequiredCommonCertOptions, SecretEntry, };
export { KEYCHAIN_SERVICE, KeyCert, SELF_SIGNED, };
/**
 * Default option values for the CA certificate, typed as
 * RequiredCommonCertOptions.
 * NOTE(review): presumably applied when a caller omits CA-specific options;
 * the values themselves are not visible in this declaration file.
 */
export declare const DEFAULT_CA_OPTIONS: RequiredCommonCertOptions;
/**
 * Default values for the options shared by CA and leaf certificates, typed as
 * RequiredCommonCertOptions.
 * NOTE(review): how these differ from DEFAULT_CA_OPTIONS is not visible here;
 * confirm against the implementation.
 */
export declare const DEFAULT_COMMON_CERT_OPTIONS: RequiredCommonCertOptions;
/**
 * Set of property names of CommonCertOptions.
 * NOTE(review): presumably what getCAoptions() and getIssueOptions() use to
 * pick fields out of mixed options; confirm against the implementation.
 */
export declare const COMMON_CERT_OPTIONS_NAMES: Set<keyof CommonCertOptions>;
/**
 * Default values for the full CertOptions, typed as RequiredCertOptions.
 * NOTE(review): presumably the fallback used by createCA() and createCert()
 * when options are omitted; confirm against the implementation.
 */
export declare const DEFAULT_CERT_OPTIONS: RequiredCertOptions;
/**
 * Extract the options that apply to the CA from a mixed CertOptions object,
 * returning them in the shape the CertificateAuthority constructor accepts
 * (CommonCertLogOptions).
 *
 * @param options Original mixed options.  May be omitted.
 *   NOTE(review): what is returned for omitted fields (defaults or undefined)
 *   is not visible from the declaration; confirm before relying on it.
 * @returns Extracted CA options, including the logging options.
 */
export declare function getCAoptions(options?: CertOptions): CommonCertLogOptions;
/**
 * Extract the options that apply to a leaf certificate from a mixed
 * CertOptions object.  Counterpart of getCAoptions(), which does the same
 * for the CA.
 *
 * @param options Original mixed options.  May be omitted.
 *   NOTE(review): what is returned for omitted fields (defaults or undefined)
 *   is not visible from the declaration; confirm before relying on it.
 * @returns Extracted leaf-certificate options, including the logging options.
 */
export declare function getIssueOptions(options?: CertOptions): CommonCertLogOptions;
/**
 * Certificate Authority that does local storage, intended for testing on the
 * local machine.  It issues, lists and deletes certificates; per issue(),
 * certificates may live on disk and keys in the system keychain.
 *
 * WARNING: Not intended for scale or actual security.  DO NOT deploy on the
 * Internet in the current form.
 *
 * Practical consequence for reviewers: the CA private key can sign a
 * certificate for any name, so any trust placed in this CA's certificate
 * should stay limited to the development machine.
 */
export declare class CertificateAuthority {
    // Marker emitted by the compiler for ECMAScript private members; their
    // names and types are deliberately not part of the declared surface.
    #private;
    /**
     * Construct a CA from common certificate options plus logging options.
     * init() is documented as required before any substantive work.
     *
     * @param options CA and logging options.  May be omitted.
     */
    constructor(options?: CommonCertLogOptions);
    /**
     * Create a child logger for the CA's use.
     *
     * @param logOpts Options for logging.  May be omitted.
     * @returns Child logger.
     */
    static logger(logOpts?: LogOptions): Logger;
    /**
     * List all of the CA certs.  Static, so no CA instance is needed; compare
     * the instance method list(), which lists certs in the local directory.
     *
     * @param options Options, of which dir is the most important.
     * @yields Instantiated instances of CA KeyCert's.
     */
    static list(options: CommonCertLogOptions): AsyncGenerator<KeyCert>;
    /**
     * Mostly-internal, for initialization.  Must be called before any substantive
     * work is done.
     *
     * NOTE(review): whether issue() and the other methods call this
     * themselves is not visible from the declaration; confirm.
     *
     * @returns CA KeyCert.
     */
    init(): Promise<KeyCert>;
    /**
     * Issue a certificate for use in an HTTPS server.  May read from existing
     * on-disk cert and in-keychain key.  Will generate a new cert if the old
     * one is no longer valid.
     *
     * Because an existing cert may be reused, two calls with the same options
     * are not guaranteed to produce distinct certificates.
     *
     * @param options Options.  May be omitted.
     * @returns Initialized KeyCert.
     */
    issue(options?: CommonCertOptions): Promise<KeyCert>;
    /**
     * Issue a new certificate.  Unlike issue(), this returns the KeyCert
     * directly rather than a Promise.
     *
     * NOTE(review): undocumented upstream.  Presumably skips the lookup of an
     * existing on-disk cert and does not persist the result; confirm against
     * the implementation.
     *
     * @param options Options.  May be omitted.
     * @param now Optional date.  Presumably the reference time for the
     *   certificate's validity period -- TODO confirm.
     * @returns The KeyCert.
     */
    issueNew(options?: CommonCertOptions, now?: Date): KeyCert;
    /**
     * Delete the CA certificate and key.
     *
     * NOTE(review): whether leaf certificates already issued by this CA are
     * removed as well is not visible from the declaration; confirm.
     */
    delete(): Promise<void>;
    /**
     * Delete the given certificate and key.
     *
     * @param cert The certificate and key to delete.
     */
    delete(cert: KeyCert): Promise<void>;
    /**
     * Delete the certificate pointed to by the options dir and host.
     *
     * @param options Options.
     */
    delete(options: CommonCertOptions): Promise<void>;
    /**
     * List the certs in the local directory.
     *
     * @param options Options, of which dir is the most important.
     * @yields Already-read KeyCert instances.
     */
    list(options: CommonCertLogOptions): AsyncGenerator<KeyCert>;
}
/**
 * Read a valid CA cert, or create a new one, writing it.
 *
 * The result includes the CA private key.  If the CA certificate is added to
 * a trust store, anyone able to read that key can mint certificates the
 * store will accept, so keep its use to local testing (see the warning on
 * CertificateAuthority).
 *
 * @param options Cert options.  May be omitted.
 * @returns Private Key / Certificate for CA.
 */
export declare function createCA(options?: CertOptions): Promise<KeyCert>;
/**
 * Create a CA-signed localhost certificate.
 *
 * NOTE(review): presumably obtains the CA via createCA() or
 * CertificateAuthority and then issues the leaf; confirm against the
 * implementation.
 *
 * @param options Certificate options.  May be omitted.
 * @returns Cert and private key.  The returned object carries private key
 *   material, so avoid logging or serializing it wholesale.
 */
export declare function createCert(options?: CertOptions): Promise<KeyCert>;
