|
2 years ago | |
---|---|---|
.gitignore | 2 years ago | |
LICENSE | 2 years ago | |
README.md | 2 years ago | |
make-client-key-and-certificate.sh | 2 years ago | |
make-root-ca-and-certificates.sh | 4 years ago | |
package.json | 2 years ago | |
request-with-request.js | 4 years ago | |
request-without-warnings.js | 4 years ago | |
serve.js | 4 years ago | |
test.sh | 4 years ago |
The end off all your self-signed certificate woes (in node.js at least)
This is an easy-as-git-clone example that will get you on your way without
any DEPTH_ZERO_SELF_SIGNED_CERT
or SSL certificate problem: Invalid certificate chain
headaches.
See the explanation for the many details.
Also, you may be interested in coolaj86/nodejs-ssl-trusted-peer-example.
An example that works.
example
├── make-root-ca-and-certificates.sh
├── package.json
├── serve.js
└── request-without-warnings.js
git clone https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example.git
pushd nodejs-self-signed-certificate-example
npm install
For the super impatient:
bash test.sh
localhost.daplie.com
points to localhost
, so it's ideal for your first test.
bash make-root-ca-and-certificates.sh 'localhost.daplie.com'
certs/
├── ca
│ ├── my-root-ca.crt.pem
│ ├── my-root-ca.key.pem
│ └── my-root-ca.srl
├── client
│ ├── chain.pem
│ └── pubkey.pem
├── server
│ ├── cert.pem
│ ├── chain.pem
│ ├── fullchain.pem
│ └── privkey.pem
└── tmp
└── csr.pem
node ./serve.js 8043 &
# use `fg` and `ctrl+c` to kill
Test (warning free) in node.js
node ./request-without-warnings.js 8043
Test (warning free) with cURL
curl -v https://localhost.daplie.com:8043 \
--cacert certs/client/chain.pem
Note: on macOS curl's --cacert
option may not work properly
and so you may need to add the cert to the system keychain (described below)
Visit in a web browser
https://localhost.daplie.com:8043
To get rid of the warnings, simply add the certificate in the client
folder
to your list of certificates by alt-clicking "Open With => Keychain Access"
on chain.pem
You do have to set Always Trust
a few times
as explained by Rob Peck.
You can poke around in the files for generating the certificates,
but all you really have to do is replace localhost.daplie.com
with your very own domain name.
Who's the man behind the curtain you ask?
Well... I lied. This demo doesn't use self-signed certificates (not in the server at least). It uses a self-signed Root CA and a signed certificate.
It turns out that self-signed certificates were designed to be used by the Root Certificate Authorities, not by web servers.
So instead of trying to work through eleventeen brazillion errors about self-signed certs, you can just create an authority and then add the authority to your chain (viola, now it's trusted).
In the example above, the server trusts the client without the need for the client to be authenticated.
So, a common enhancement to the example above would be to add client authentication.
To add client authentication, it's necessary to generate a client key and have it signed by the CA defined above.
Execute make-client-key-certificate.sh
to generate key and certificate.
To use generated key and certificate, key
, cert
and passphrase
TLS options need to be added, e.g.:
var ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'chain.pem'));
var key = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'privkey.pem'));
var passphrase = 'secret';
var cert = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'cert.pem'));
var options = {
host: hostname
, port: port
, path: '/'
, ca: ca
, key: key
, passphrase: passphrase
, cert: cert
};
If the server component is written in Java, the server needs to be plugged with a Java KeyStore containing security certificates.
In the example above, the fullchain.pem
file needs to be converted into a Java KeyStore file.
To create a Java KeyStore file, the JDK needs to be installed and have keytool
utility in the path.
To do that, please follow these instructions:
$ mkdir certs/java/server
$ openssl pkcs12 \
-export \
-inkey certs/server/privkey.pem \
-in certs/server/fullchain.pem \
-name test \
-out certs/java/server/keystore_server.p12
$ keytool \
-importkeystore \
-srckeystore certs/java/server/keystore_server.p12 \
-srcstoretype pkcs12 \
-destkeystore certs/java/server/keystore_server.jks
If using client authentication, it is necessary for the server to trust to the client. To do that, it's necessary for a trust store to be created that contains the client's public key. Such a trust store can be created using these steps:
$ rsync -a certs/ca/my-root-ca.crt.pem certs/client-auth/chain.pem
$ cat certs/client-auth/cert.pem certs/client-auth/chain.pem > certs/client-auth/fullchain.pem
$ openssl pkcs12
\-export
\-inkey certs/client-auth/privkey.pem
\-in certs/client-auth/fullchain.pem
\-name test
\-out certs/infinispan/trustore_server.p12
$ keytool
\-importkeystore
\-srckeystore certs/infinispan/trustore_server.p12
\-srcstoretype pkcs12
\-destkeystore certs/infinispan/trustore_server.jks
Zero-Config clone 'n' run (tm) Repos:
Articles