nodejs-self-signed-certificate-example
======================================

The end of all your self-signed certificate woes (in node.js at least)

This is an easy-as-git-clone example that will get you on your way without
any `DEPTH_ZERO_SELF_SIGNED_CERT` or `SSL certificate problem: Invalid certificate chain` headaches.

See [the explanation](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js) for
the many details.

Test for yourself
---

An example that works.

```bash
example
├── make-root-ca-and-certificates.sh
├── package.json
├── serve.js
└── request-without-warnings.js
```

### Get the repo

```bash
git clone git@github.com:coolaj86/nodejs-self-signed-certificate-example.git
pushd nodejs-self-signed-certificate-example
npm install
```

**For the super impatient**:

```bash
bash test.sh
```

### Create certificates for your FQDN

`local.ldsconnect.org` points to `localhost`, so it's ideal for your first test.

```bash
bash make-root-ca-and-certificates.sh 'local.ldsconnect.org'
```

```
certs/
├── ca
│   ├── my-root-ca.crt.pem
│   ├── my-root-ca.key.pem
│   └── my-root-ca.srl
├── client
│   ├── my-root-ca.crt.pem
│   └── my-server.pub
├── server
│   ├── my-root-ca.crt.pem
│   ├── my-server.crt.pem
│   └── my-server.key.pem
└── tmp
    └── my-server.csr.pem
```

### Run the server

```bash
node ./serve.js 8043 &
# use `fg` and `ctrl+c` to kill
```

### Test in a client

Test (warning free) in node.js

```bash
node ./request-without-warnings.js 8043
```

Test (warning free) with cURL

```bash
# the server above listens on 8043; the CA certificate lives under certs/client/
curl -v https://local.ldsconnect.org:8043 \
  --cacert certs/client/my-root-ca.crt.pem
```

Visit in a web browser

<https://local.ldsconnect.org:8043>

To get rid of the warnings, simply add the certificate in the `client` folder
to your list of certificates by alt-clicking "Open With => Keychain Access"
on `my-root-ca.crt.pem`.

You do have to set `Always Trust` a few times
[as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck.

Now season to taste
---

You can poke around in the files for generating the certificates,
but all you really have to do is replace `local.ldsconnect.org`
with your very own domain name.

But where's the magic?
====

Who's the man behind the curtain, you ask?

Well... I lied. This demo doesn't use self-signed certificates
(not in the server at least).
It uses a self-signed Root CA and a signed certificate.

It turns out that self-signed certificates were designed to be
used by the Root Certificate Authorities, not by web servers.

So instead of trying to work through eleventeen brazillion errors
about self-signed certs, you can just create an authority and then
add the authority to your chain (voilà, now it's trusted).

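
The structure described above (a self-signed root CA, a server certificate signed by it, clients that trust only the CA), as an added example that is not the repository's `make-root-ca-and-certificates.sh`. File names follow the `certs/` tree shown earlier; key size, lifetimes, subject fields and the `san.ext` helper file are assumptions.

```bash
# Added example, not the repository's own script.
# Assumptions: 2048-bit RSA, 30-day lifetimes, example subject fields, san.ext.

make_chain() {  # usage: make_chain <output-dir> <fqdn>
  dir="$1"; fqdn="$2"
  mkdir -p "$dir/ca" "$dir/server" "$dir/client" "$dir/tmp"
  # 1. Root CA: the only self-signed certificate in the whole setup.
  openssl genrsa -out "$dir/ca/my-root-ca.key.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca/my-root-ca.key.pem" -days 30 \
    -subj "/O=Example Signing Authority/CN=example-root-ca" \
    -out "$dir/ca/my-root-ca.crt.pem"
  # 2. Server key and CSR for the name clients will connect to.
  openssl genrsa -out "$dir/server/my-server.key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/server/my-server.key.pem" \
    -subj "/O=Example Service/CN=$fqdn" -out "$dir/tmp/my-server.csr.pem"
  # 3. The root CA signs the CSR. The hostname also goes into
  #    subjectAltName, which current browsers require.
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/tmp/san.ext"
  openssl x509 -req -in "$dir/tmp/my-server.csr.pem" -days 30 \
    -CA "$dir/ca/my-root-ca.crt.pem" -CAkey "$dir/ca/my-root-ca.key.pem" \
    -CAserial "$dir/ca/my-root-ca.srl" -CAcreateserial \
    -extfile "$dir/tmp/san.ext" -out "$dir/server/my-server.crt.pem" 2>/dev/null
  # 4. Clients receive the CA certificate only, never a private key.
  cp "$dir/ca/my-root-ca.crt.pem" "$dir/client/my-root-ca.crt.pem"
}

# True only if <cert> chains to the trust anchor in <ca-file>.
chain_ok() {  # usage: chain_ok <ca-file> <cert>
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if issuer and subject are the same name (the mark of a root CA).
is_self_issued() {  # usage: is_self_issued <cert>
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*= *//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')" ]
}

# Demo run in a scratch directory.
work="$(mktemp -d)"
make_chain "$work/certs" local.ldsconnect.org
is_self_issued "$work/certs/server/my-server.crt.pem" || echo "server cert: CA-signed"
chain_ok "$work/certs/client/my-root-ca.crt.pem" \
  "$work/certs/server/my-server.crt.pem" && echo "chain verifies with root CA"
```

A second CA generated with the same subject name does not validate the first CA's server certificate, because verification checks the signature and not just the issuer name.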