fix(ca): recover from partial CA initialization

construct_CertificateAuthority now checks for both
cakey.pem AND cacert.pem before skipping CA creation.

If only the private key exists (partial init from a
previous failure, e.g. OpenSSL 3.5 authorityKeyIdentifier
error), the stale key and CSR are deleted and the CA is
rebuilt from scratch.

Previously, a failed first init left cakey.pem behind,
causing all subsequent initialize() calls to skip CA
creation — leaving cacert.pem permanently missing.

Add test: "should recover from partial CA init"

Author: erossignon

packages/node-opcua-pki/lib/ca/certificate_authority.ts

@@ -151,11 +151,26 @@ async function construct_CertificateAuthority(certificateAuthority: CertificateA
 
     await construct_default_files();
 
-    if (fs.existsSync(path.join(caRootDir, "private/cakey.pem")) && !config.forceCA) {
-        // certificate already exists => do not overwrite
-        debugLog("CA private key already exists ... skipping");
+    const caKeyExists = fs.existsSync(path.join(caRootDir, "private/cakey.pem"));
+    const caCertExists = fs.existsSync(path.join(caRootDir, "public/cacert.pem"));
+    if (caKeyExists && caCertExists && !config.forceCA) {
+        // CA is fully initialized => do not overwrite
+        debugLog("CA private key and certificate already exist ... skipping");
         return;
     }
+    if (caKeyExists && !caCertExists) {
+        // Partial init: key exists but certificate does not.
+        // This can happen when a previous CA creation failed
+        // (e.g. OpenSSL 3.5 authorityKeyIdentifier error).
+        // Remove the stale key so the CA is rebuilt from scratch.
+        debugLog("CA private key exists but cacert.pem is missing — rebuilding CA");
+        fs.unlinkSync(path.join(caRootDir, "private/cakey.pem"));
+        // Also remove the stale CSR if present
+        const staleCsr = path.join(caRootDir, "private/cakey.csr");
+        if (fs.existsSync(staleCsr)) {
+            fs.unlinkSync(staleCsr);
+        }
+    }
 
     // tslint:disable:no-empty
     displayTitle("Create Certificate Authority (CA)");

test/test_certificate_authority.ts

@@ -50,6 +50,39 @@ describe("Certificate Authority", function (this: Mocha.Suite) {
         const ca = new CertificateAuthority(options as CertificateAuthorityOptions);
         await ca.initialize();
     });
+
+    it("should recover from partial CA init (key exists, cert missing)", async () => {
+        // Simulate a partial init: create directory with cakey.pem but no cacert.pem
+        const partialCALocation = path.join(testData.tmpFolder, "CA_partial");
+        const privateDir = path.join(partialCALocation, "private");
+        const publicDir = path.join(partialCALocation, "public");
+
+        fs.mkdirSync(privateDir, { recursive: true });
+        fs.mkdirSync(publicDir, { recursive: true });
+
+        // Create a dummy private key file to simulate the partial state
+        fs.writeFileSync(path.join(privateDir, "cakey.pem"), "STALE KEY DATA");
+
+        // cacert.pem intentionally NOT created
+
+        const ca = new CertificateAuthority({
+            keySize: 2048,
+            location: partialCALocation
+        });
+
+        // initialize() should detect the partial state, clean up, and rebuild
+        await ca.initialize();
+
+        // After recovery, both files should exist
+        fs.existsSync(path.join(privateDir, "cakey.pem")).should.eql(true);
+        fs.existsSync(path.join(publicDir, "cacert.pem")).should.eql(true);
+
+        // The CA should be functional — verify we can get the cert
+        const der = ca.getCACertificateDER();
+        Buffer.isBuffer(der).should.eql(true);
+        der.length.should.be.greaterThan(0);
+        der[0].should.eql(0x30); // DER SEQUENCE
+    });
 });
 
 describe("Signing Certificate with Certificate Authority", function (this: Mocha.Suite) {