import type { RSAKey, KJUR } from 'jsrsasign';

/**
 * CA private key type - can be a PEM string or a jsrsasign key object
 */
type CAPrivateKey = string | RSAKey | KJUR.crypto.DSA | KJUR.crypto.ECDSA;

/**
 * Default Common Name for the root CA certificate.
 */
export const DEFAULT_CA_NAME: string;

/**
 * Generate a root Certificate Authority (CA) certificate.
 *
 * @param options - Options for generating the CA
 * @param options.name - Common Name for the CA certificate (default: "io.Gateway Dev CA user@host")
 * @param options.passphrase - Optional passphrase to protect the private key
 * @returns Object containing the private key and certificate in PEM format
 */
export function generateRootCA(options?: { name?: string, passphrase?: string }): {
    key: string;
    cert: string;
};


/**
 * Generate a certificate with custom SAN (Subject Alternative Name) entries.
 *
 * @param caKey - CA private key (PEM string or jsrsasign key object)
 * @param issuer - Issuer DN string from CA certificate
 * @param sanEntries - Array of SAN entries (e.g., "localhost", "IP:192.168.1.1", "EMAIL:user@example.com")
 * @param isClient - Generate client certificate (clientAuth) vs server certificate (serverAuth) (default: false)
 * @param validityDays - Certificate validity in days (default: 7)
 * @returns Object containing the private key and certificate in PEM format
 */
export function generateCert(
    caKey: CAPrivateKey,
    issuer: string,
    sanEntries: string[],
    isClient?: boolean,
    validityDays?: number
): {
    key: string;
    cert: string;
};

