The end of all your self-signed certificate woes (in node.js at least)
AJ ONeal 2141fae373 add fullchain.pem 8 years ago
.gitignore move keys and certs to ./certs and update paths 10 years ago
LICENSE Initial commit 10 years ago
README.md use letsencrypt naming convention, and more recent localhost.daplie.com 8 years ago
make-root-ca-and-certificates.sh add fullchain.pem 8 years ago
package.json http -> https 8 years ago
request-without-warnings.js use letsencrypt naming convention, and more recent localhost.daplie.com 8 years ago
serve.js use letsencrypt naming convention, and more recent localhost.daplie.com 8 years ago
test.sh use letsencrypt naming convention, and more recent localhost.daplie.com 8 years ago

README.md

nodejs-self-signed-certificate-example

The end of all your self-signed certificate woes (in node.js at least)

This is an easy-as-git-clone example that will get you on your way without any "DEPTH_ZERO_SELF_SIGNED_CERT" or "SSL certificate problem: Invalid certificate chain" headaches.

See the explanation for the many details.

Also, you may be interested in coolaj86/nodejs-ssl-trusted-peer-example.

Test for yourself

An example that works.

example
├── make-root-ca-and-certificates.sh
├── package.json
├── serve.js
└── request-without-warnings.js

Get the repo

git clone git@github.com:coolaj86/nodejs-self-signed-certificate-example.git
pushd nodejs-self-signed-certificate-example
npm install

For the super impatient:

bash test.sh

Create certificates for your FQDN

local.ldsconnect.org points to localhost, so it's ideal for your first test.

bash make-root-ca-and-certificates.sh 'local.ldsconnect.org'
certs/
├── ca
│   ├── my-root-ca.crt.pem
│   ├── my-root-ca.key.pem
│   └── my-root-ca.srl
├── client
│   ├── chain.pem
│   └── my-server.pub
├── server
│   ├── my-root-ca.crt.pem
│   ├── cert.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── privkey.pem
└── tmp
    └── csr.pem

Run the server

node ./serve.js 8043 &
# use `fg` and `ctrl+c` to kill

Test in a client

Test (warning free) in node.js

node ./request-without-warnings.js 8043

Test (warning free) with cURL

curl -v https://localhost.daplie.com:8043 \
  --cacert certs/client/chain.pem

Visit in a web browser

https://localhost.daplie.com:8043

To get rid of the warnings, simply add the certificate in the client folder to your list of certificates by alt-clicking "Open With => Keychain Access" on chain.pem.

You do have to set Always Trust a few times as explained by Rob Peck.

Now season to taste

You can poke around in the files for generating the certificates, but all you really have to do is replace localhost.daplie.com with your very own domain name.

But where's the magic?

Who's the man behind the curtain, you ask?

Well... I lied. This demo doesn't use self-signed certificates (not in the server at least). It uses a self-signed Root CA and a signed certificate.

It turns out that self-signed certificates were designed to be used by the Root Certificate Authorities, not by web servers.

So instead of trying to work through eleventeen brazillion errors about self-signed certs, you can just create an authority and then add the authority to your chain (voilà, now it's trusted).

Other SSL Resources

Zero-Config clone 'n' run (tm) Repos:

Articles