nodejs-self-signed-certificate-example ====================================== The end off all your self-signed certificate woes (in node.js at least) This is an easy-as-git-clone example that will get you on your way without any `DEPTH_ZERO_SELF_SIGNED_CERT` or `SSL certificate problem: Invalid certificate chain` headaches. See [the explanation](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js) for the many details. Also, you may be interested in [coolaj86/nodejs-ssl-trusted-peer-example](https://git.coolaj86.com/coolaj86/nodejs-ssl-trusted-peer-example). Test for yourself --- An example that works. ```bash example ├── make-root-ca-and-certificates.sh ├── package.json ├── serve.js └── request-without-warnings.js ``` ### Get the repo ```bash git clone https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example.git pushd nodejs-self-signed-certificate-example npm install ``` **For the super impatient**: ```bash bash test.sh ``` ### Create certificates for your FQDN `localhost.daplie.com` points to `localhost`, so it's ideal for your first test. ```bash bash make-root-ca-and-certificates.sh 'localhost.daplie.com' ``` ``` certs/ ├── ca │   ├── my-root-ca.crt.pem │   ├── my-root-ca.key.pem │   └── my-root-ca.srl ├── client │   ├── chain.pem │   └── pubkey.pem ├── server │   ├── cert.pem │   ├── chain.pem │   ├── fullchain.pem │   └── privkey.pem └── tmp └── csr.pem ``` ### Run the server ```bash node ./serve.js 8043 & # use `fg` and `ctrl+c` to kill ``` ### Test in a client Test (warning free) in node.js ```bash node ./request-without-warnings.js 8043 ``` Test (warning free) with cURL ```bash curl -v https://localhost.daplie.com:8043 \ --cacert certs/client/chain.pem ``` Note: on macOS curl's `--cacert` option may not work properly and so you may need to add the cert to the system keychain (described below) Visit in a web browser To get rid of the warnings, simply add the certificate in the `client` folder to your list of certificates by alt-clicking "Open With => Keychain Access" on `chain.pem` You do have to set `Always Trust` a few times [as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck. Now season to taste --- You can poke around in the files for generating the certificates, but all you really have to do is replace `localhost.daplie.com` with your very own domain name. But where's the magic? ==== Who's the man behind the curtain you ask? Well... I lied. This demo doesn't use self-signed certificates (not in the server at least). It uses a self-signed Root CA and a signed certificate. It turns out that self-signed certificates were designed to be used by the Root Certificate Authorities, not by web servers. So instead of trying to work through eleventeen brazillion errors about self-signed certs, you can just create an authority and then add the authority to your chain (viola, now it's trusted). Client Authentication ==== In the example above, the server trusts the client without the need for the client to be authenticated. So, a common enhancement to the example above would be to add client authentication. To add client authentication, it's necessary to generate a client key and have it signed by the CA defined above. Execute `make-client-key-certificate.sh` to generate key and certificate. To use generated key and certificate, `key`, `cert` and `passphrase` TLS options need to be added, e.g.: ``` var ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'chain.pem')); var key = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'privkey.pem')); var passphrase = 'secret'; var cert = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'cert.pem')); var options = { host: hostname , port: port , path: '/' , ca: ca , key: key , passphrase: passphrase , cert: cert }; ``` Generating Java Key Stores ==== If the server component is written in Java, the server needs to be plugged with a Java KeyStore containing security certificates. In the example above, the `fullchain.pem` file needs to be converted into a Java KeyStore file. To create a Java KeyStore file, the JDK needs to be installed and have `keytool` utility in the path. To do that, please follow these instructions: $ mkdir certs/java/server $ openssl pkcs12 \ -export \ -inkey certs/server/privkey.pem \ -in certs/server/fullchain.pem \ -name test \ -out certs/java/server/keystore_server.p12 $ keytool \ -importkeystore \ -srckeystore certs/java/server/keystore_server.p12 \ -srcstoretype pkcs12 \ -destkeystore certs/java/server/keystore_server.jks Trust Store for Client Authentication ---- If using client authentication, it is necessary for the server to trust to the client. To do that, it's necessary for a trust store to be created that contains the client's public key. Such a trust store can be created using these steps: $ rsync -a certs/ca/my-root-ca.crt.pem certs/client-auth/chain.pem $ cat certs/client-auth/cert.pem certs/client-auth/chain.pem > certs/client-auth/fullchain.pem $ openssl pkcs12 \-export \-inkey certs/client-auth/privkey.pem \-in certs/client-auth/fullchain.pem \-name test \-out certs/infinispan/trustore_server.p12 $ keytool \-importkeystore \-srckeystore certs/infinispan/trustore_server.p12 \-srcstoretype pkcs12 \-destkeystore certs/infinispan/trustore_server.jks Other SSL Resources ========= Zero-Config clone 'n' run (tm) Repos: * [node.js HTTPS SSL Example](https://github.com/coolaj86/nodejs-ssl-example) * [node.js HTTPS SSL Self-Signed Certificate Example](https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example) * [node.js HTTPS SSL Trusted Peer Client Certificate Example](https://github.com/coolaj86/nodejs-ssl-trusted-peer-example) * [node.js HTTPS SSL module for Loopback](https://www.npmjs.com/package/loopback-ssl) * [SSL Root CAs](https://github.com/coolaj86/node-ssl-root-cas) Articles * [http://greengeckodesign.com/blog/2013/06/15/creating-an-ssl-certificate-for-node-dot-js/](Creating an SSL Certificate for node.js) * [http://www.hacksparrow.com/express-js-https-server-client-example.html/comment-page-1](HTTPS Trusted Peer Example) * [How to Create a CSR for HTTPS SSL (demo with name.com, node.js)](http://blog.coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/) * [coolaj86/Painless-Self-Signed-Certificates-in-node](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js)