npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

nodejs-self-signed-certificate-example

v1.1.2

Published

The end off all your self-sign certificate woes (in node.js at least)

Downloads

13

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

coolaj86coolaj86

Keywords

nodejssslself-signedcertificateauthoritycertificatesrootcacas

Readme

nodejs-self-signed-certificate-example

The end off all your self-signed certificate woes (in node.js at least)

This is an easy-as-git-clone example that will get you on your way without any DEPTH_ZERO_SELF_SIGNED_CERT or SSL certificate problem: Invalid certificate chain headaches.

See the explanation for the many details.

Also, you may be interested in coolaj86/nodejs-ssl-trusted-peer-example.

Test for yourself

An example that works.

example
├── make-root-ca-and-certificates.sh
├── package.json
├── serve.js
└── request-without-warnings.js

Get the repo

git clone https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example.git
pushd nodejs-self-signed-certificate-example
npm install

For the super impatient:

bash test.sh

Create certificates for your FQDN

localhost.daplie.com points to localhost, so it's ideal for your first test.

bash make-root-ca-and-certificates.sh 'localhost.daplie.com'
certs/
├── ca
│   ├── my-root-ca.crt.pem
│   ├── my-root-ca.key.pem
│   └── my-root-ca.srl
├── client
│   ├── chain.pem
│   └── pubkey.pem
├── server
│   ├── cert.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── privkey.pem
└── tmp
    └── csr.pem

Run the server

node ./serve.js 8043 &
# use `fg` and `ctrl+c` to kill

Test in a client

Test (warning free) in node.js

node ./request-without-warnings.js 8043

Test (warning free) with cURL

curl -v https://localhost.daplie.com:8043 \
  --cacert certs/client/chain.pem

Note: on macOS curl's --cacert option may not work properly and so you may need to add the cert to the system keychain (described below)

Visit in a web browser

https://localhost.daplie.com:8043

To get rid of the warnings, simply add the certificate in the client folder to your list of certificates by alt-clicking "Open With => Keychain Access" on chain.pem

You do have to set Always Trust a few times as explained by Rob Peck.

Now season to taste

You can poke around in the files for generating the certificates, but all you really have to do is replace localhost.daplie.com with your very own domain name.

But where's the magic?

Who's the man behind the curtain you ask?

Well... I lied. This demo doesn't use self-signed certificates (not in the server at least). It uses a self-signed Root CA and a signed certificate.

It turns out that self-signed certificates were designed to be used by the Root Certificate Authorities, not by web servers.

So instead of trying to work through eleventeen brazillion errors about self-signed certs, you can just create an authority and then add the authority to your chain (viola, now it's trusted).

Client Authentication

In the example above, the server trusts the client without the need for the client to be authenticated. So, a common enhancement to the example above would be to add client authentication. To add client authentication, it's necessary to generate a client key and have it signed by the CA defined above. Execute make-client-key-certificate.sh to generate key and certificate. To use generated key and certificate, key, cert and passphrase TLS options need to be added, e.g.:

var ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'chain.pem'));
var key = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'privkey.pem'));
var passphrase = 'secret';
var cert = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'cert.pem'));

var options = {
  host: hostname
, port: port
, path: '/'
, ca: ca
, key: key
, passphrase: passphrase
, cert: cert
};

Generating Java Key Stores

If the server component is written in Java, the server needs to be plugged with a Java KeyStore containing security certificates. In the example above, the fullchain.pem file needs to be converted into a Java KeyStore file. To create a Java KeyStore file, the JDK needs to be installed and have keytool utility in the path. To do that, please follow these instructions:

$ mkdir certs/java/server
$ openssl pkcs12 \
  -export \
  -inkey certs/server/privkey.pem \
  -in certs/server/fullchain.pem \
  -name test \
  -out certs/java/server/keystore_server.p12
$ keytool \
  -importkeystore \
  -srckeystore certs/java/server/keystore_server.p12 \
  -srcstoretype pkcs12 \
  -destkeystore certs/java/server/keystore_server.jks

Trust Store for Client Authentication

If using client authentication, it is necessary for the server to trust to the client. To do that, it's necessary for a trust store to be created that contains the client's public key. Such a trust store can be created using these steps:

$ rsync -a certs/ca/my-root-ca.crt.pem certs/client-auth/chain.pem
$ cat certs/client-auth/cert.pem certs/client-auth/chain.pem > certs/client-auth/fullchain.pem
$ openssl pkcs12
  \-export
  \-inkey certs/client-auth/privkey.pem
  \-in certs/client-auth/fullchain.pem
  \-name test
  \-out certs/infinispan/trustore_server.p12
$ keytool
  \-importkeystore
  \-srckeystore certs/infinispan/trustore_server.p12
  \-srcstoretype pkcs12
  \-destkeystore certs/infinispan/trustore_server.jks

Other SSL Resources

Zero-Config clone 'n' run (tm) Repos:

Articles