From a06c7e94f3febcae02ebe269a990f7589d08e5cc Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Mon, 13 Jul 2015 13:47:28 -0600 Subject: [PATCH] note intermediate vs root issue --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 6956a06..7deffcd 100644 --- a/README.md +++ b/README.md @@ -4,20 +4,20 @@ IMPORTANT: Try this first 2015-Aug-22: I just discovered that the most common reason you would have the kind of problems this module solves is actually due to failing to properly bundle the Intermediate CAs with the server certificate. ```js -// Consider this: +// INCORRECT (but might still work) var server https.createServer({ key: fs.readFileSync('privkey.pem', 'ascii') -, cert: fs.readFileSync('cert.pem', 'ascii') +, cert: fs.readFileSync('cert.pem', 'ascii') // a PEM containing ONLY the SERVER certificate }); ``` Should probably be ```js -// Consider this: +// CORRECT (should always work) var server https.createServer({ key: fs.readFileSync('privkey.pem', 'ascii') -, cert: fs.readFileSync('bundle.pem', 'ascii') +, cert: fs.readFileSync('bundle.pem', 'ascii') // a PEM containing the SERVER and ALL INTERMEDIATES }); ``` 
@@ -31,12 +31,12 @@ cat \ > bundle.pem ``` -However, if you **need to add a non-standard Root CA**, then this is still the right module for you. +Note that you **should not** include the `root.pem` in the bundle and that the bundle should be constructed with the least authoritative certificate first - your server's certificate, followed by the furthest removed intermediate, and then the next closest to the root. Also note that in the case of cross-signed certificates there may be more than one intermediate at equal distances, in which case either in that tier may come first. SSL Root CAs ================= -The module you need to solve node's SSL woes when including a custom certificate. +The module you need to solve node's SSL woes when including a custom certificate. Particularly, if you need to add a **non-standard Root CA**, then this is the right module for you. Let's say you're trying to connect to a site with a cheap-o SSL cert - such as RapidSSL certificate from [name.com](http://name.com) (the **best** place to get your domains, btw) -
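Review bot: the code this hunk annotates (`@@ -4,20 +4,20 @@`) is not valid JavaScript in either variant: both context lines read `var server https.createServer({` and are missing the `=`, so a reader who pastes the "CORRECT (should always work)" block gets a SyntaxError before ever reaching the certificate question; since the hunk already rewrites the comment on the `cert:` line, fix the assignment to `var server = https.createServer({` in the same change. The new `// INCORRECT (but might still work)` comment would also be more useful with one clause on why it might work: a client that already has the intermediate, or that fetches missing issuers itself (browsers usually do, plain OpenSSL-based clients such as Node's TLS client do not), will verify the leaf anyway, which is exactly what makes a missing bundle hard to diagnose. Minor: the commit is dated 13 Jul 2015 while the context line says `2015-Aug-22: I just discovered`, so one of the two dates is wrong.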
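Review bot: the ordering rule in the new paragraph of `@@ -31,12 +31,12 @@` can be read two ways (`the furthest removed intermediate, and then the next closest to the root`); the unambiguous rule, and the one TLS itself specifies (RFC 5246 section 7.4.2), is that the server certificate comes first and each following certificate must be the issuer of the one before it, so the bundle is the leaf, then the intermediate that signed the leaf, then that intermediate's issuer, and so on up to but not including the root. Stated that way, the `should not include the root.pem` advice explains itself: the client must already trust the root, so sending it adds bytes without adding trust. The cross-signing sentence is also off: a cross-signed intermediate is the same subject and key issued by two different CAs, which gives two alternative chains to two different roots, not two intermediates at the same tier whose order is interchangeable; the practical advice is to ship the path that ends at a root the intended clients trust, not that either may come first. Finally, `Particularly, if you need` reads better as `In particular, if you need`.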