| 
									
										
										
										
											2014-07-14 20:50:17 -06:00
										 |  |  | nodejs-self-signed-certificate-example | 
					
						
							|  |  |  | ====================================== | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | The end off all your self-signed certificate woes (in node.js at least) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | This is an easy-as-git-clone example that will get you on your way without | 
					
						
							|  |  |  | any `DEPTH_ZERO_SELF_SIGNED_CERT` or `SSL certificate problem: Invalid certificate chain` headaches. | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-27 18:22:23 -06:00
										 |  |  | See | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | [the explanation](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js) for | 
					
						
							|  |  |  | the many details. | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-10-18 21:38:27 -06:00
										 |  |  | Also, you may be interested in [coolaj86/nodejs-ssl-trusted-peer-example](https://git.coolaj86.com/coolaj86/nodejs-ssl-trusted-peer-example). | 
					
						
							| 
									
										
										
										
											2014-09-20 12:11:19 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | Test for yourself | 
					
						
							|  |  |  | --- | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | An example that works. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ```bash | 
					
						
							|  |  |  | example | 
					
						
							|  |  |  | ├── make-root-ca-and-certificates.sh | 
					
						
							| 
									
										
										
										
											2014-07-15 04:11:58 +00:00
										 |  |  | ├── package.json | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | ├── serve.js | 
					
						
							| 
									
										
										
										
											2014-07-15 04:11:58 +00:00
										 |  |  | └── request-without-warnings.js | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | ``` | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  | ### Get the repo
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ```bash | 
					
						
							| 
									
										
										
										
											2018-10-18 21:38:27 -06:00
										 |  |  | git clone https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example.git | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | pushd nodejs-self-signed-certificate-example | 
					
						
							|  |  |  | npm install | 
					
						
							|  |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | **For the super impatient**: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ```bash | 
					
						
							|  |  |  | bash test.sh | 
					
						
							|  |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | ### Create certificates for your FQDN
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-27 18:10:00 -06:00
										 |  |  | `localhost.daplie.com` points to `localhost`, so it's ideal for your first test. | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  | ```bash | 
					
						
							| 
									
										
										
										
											2016-06-27 18:10:00 -06:00
										 |  |  | bash make-root-ca-and-certificates.sh 'localhost.daplie.com' | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 04:11:58 +00:00
										 |  |  | ``` | 
					
						
							| 
									
										
										
										
											2014-07-15 22:54:02 -06:00
										 |  |  | certs/ | 
					
						
							|  |  |  | ├── ca | 
					
						
							|  |  |  | │   ├── my-root-ca.crt.pem | 
					
						
							|  |  |  | │   ├── my-root-ca.key.pem | 
					
						
							|  |  |  | │   └── my-root-ca.srl | 
					
						
							|  |  |  | ├── client | 
					
						
							| 
									
										
										
										
											2016-06-27 18:07:02 -06:00
										 |  |  | │   ├── chain.pem | 
					
						
							| 
									
										
										
										
											2016-06-27 18:11:27 -06:00
										 |  |  | │   └── pubkey.pem | 
					
						
							| 
									
										
										
										
											2014-07-15 04:11:58 +00:00
										 |  |  | ├── server | 
					
						
							| 
									
										
										
										
											2016-06-27 18:07:02 -06:00
										 |  |  | │   ├── cert.pem | 
					
						
							|  |  |  | │   ├── chain.pem | 
					
						
							|  |  |  | │   ├── fullchain.pem | 
					
						
							|  |  |  | │   └── privkey.pem | 
					
						
							| 
									
										
										
										
											2014-07-15 22:54:02 -06:00
										 |  |  | └── tmp | 
					
						
							| 
									
										
										
										
											2016-06-27 18:07:02 -06:00
										 |  |  |     └── csr.pem | 
					
						
							| 
									
										
										
										
											2014-07-15 04:11:58 +00:00
										 |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | ### Run the server
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ```bash | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | node ./serve.js 8043 & | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | # use `fg` and `ctrl+c` to kill
 | 
					
						
							|  |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ### Test in a client
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | Test (warning free) in node.js | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ```bash | 
					
						
							| 
									
										
										
										
											2014-07-15 03:38:33 +00:00
										 |  |  | node ./request-without-warnings.js 8043 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | Test (warning free) with cURL | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ```bash | 
					
						
							| 
									
										
										
										
											2016-06-27 18:22:23 -06:00
										 |  |  | curl -v https://localhost.daplie.com:8043 \ | 
					
						
							|  |  |  |   --cacert certs/client/chain.pem | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-27 18:22:23 -06:00
										 |  |  | Note: on macOS curl's `--cacert` option may not work properly | 
					
						
							|  |  |  | and so you may need to add the cert to the system keychain (described below) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:59:58 +00:00
										 |  |  | Visit in a web browser | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-27 18:22:23 -06:00
										 |  |  | <https://localhost.daplie.com:8043> | 
					
						
							| 
									
										
										
										
											2014-07-15 03:59:58 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  | To get rid of the warnings, simply add the certificate in the `client` folder | 
					
						
							|  |  |  | to your list of certificates by alt-clicking "Open With => Keychain Access" | 
					
						
							| 
									
										
										
										
											2016-06-27 18:07:02 -06:00
										 |  |  | on `chain.pem` | 
					
						
							| 
									
										
										
										
											2014-07-15 03:59:58 +00:00
										 |  |  | 
 | 
					
						
							|  |  |  | You do have to set `Always Trust` a few times | 
					
						
							|  |  |  | [as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck. | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | Now season to taste | 
					
						
							|  |  |  | --- | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-27 18:22:23 -06:00
										 |  |  | You can poke around in the files for generating the certificates, | 
					
						
							| 
									
										
										
										
											2016-06-27 18:07:02 -06:00
										 |  |  | but all you really have to do is replace `localhost.daplie.com` | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | with your very own domain name. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | But where's the magic? | 
					
						
							|  |  |  | ==== | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | Who's the man behind the curtain you ask? | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-15 04:09:41 +00:00
										 |  |  | Well... I lied. This demo doesn't use self-signed certificates | 
					
						
							|  |  |  | (not in the server at least). | 
					
						
							| 
									
										
										
										
											2014-07-15 03:20:49 +00:00
										 |  |  | It uses a self-signed Root CA and a signed certificate. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | It turns out that self-signed certificates were designed to be | 
					
						
							|  |  |  | used by the Root Certificate Authorities, not by web servers. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | So instead of trying to work through eleventeen brazillion errors | 
					
						
							|  |  |  | about self-signed certs, you can just create an authority and then | 
					
						
							|  |  |  | add the authority to your chain (viola, now it's trusted). | 
					
						
							| 
									
										
										
										
											2015-01-27 21:30:39 -07:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-11-15 14:03:10 +01:00
										 |  |  | Client Authentication | 
					
						
							|  |  |  | ==== | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | In the example above, the server trusts the client without the need for the client to be authenticated. | 
					
						
							|  |  |  | So, a common enhancement to the example above would be to add client authentication. | 
					
						
							|  |  |  | To add client authentication, it's necessary to generate a client key and have it signed by the CA defined above. | 
					
						
							|  |  |  | Execute `make-client-key-certificate.sh` to generate key and certificate. | 
					
						
							|  |  |  | To use generated key and certificate, `key`, `cert` and `passphrase` TLS options need to be added, e.g.: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | ``` | 
					
						
							|  |  |  | var ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'chain.pem')); | 
					
						
							|  |  |  | var key = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'privkey.pem')); | 
					
						
							|  |  |  | var passphrase = 'secret'; | 
					
						
							|  |  |  | var cert = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'cert.pem')); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | var options = { | 
					
						
							|  |  |  |   host: hostname | 
					
						
							|  |  |  | , port: port | 
					
						
							|  |  |  | , path: '/' | 
					
						
							|  |  |  | , ca: ca | 
					
						
							|  |  |  | , key: key | 
					
						
							|  |  |  | , passphrase: passphrase | 
					
						
							|  |  |  | , cert: cert | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | ``` | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | Generating Java Key Stores | 
					
						
							|  |  |  | ==== | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | If the server component is written in Java, the server needs to be plugged with a Java KeyStore containing security certificates. | 
					
						
							|  |  |  | In the example above, the `fullchain.pem` file needs to be converted into a Java KeyStore file. | 
					
						
							|  |  |  | To create a Java KeyStore file, the JDK needs to be installed and have `keytool` utility in the path. | 
					
						
							|  |  |  | To do that, please follow these instructions: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     $ mkdir certs/java/server | 
					
						
							|  |  |  |     $ openssl pkcs12 \ | 
					
						
							|  |  |  |       -export \ | 
					
						
							|  |  |  |       -inkey certs/server/privkey.pem \ | 
					
						
							|  |  |  |       -in certs/server/fullchain.pem \ | 
					
						
							|  |  |  |       -name test \ | 
					
						
							|  |  |  |       -out certs/java/server/keystore_server.p12 | 
					
						
							|  |  |  |     $ keytool \ | 
					
						
							|  |  |  |       -importkeystore \ | 
					
						
							|  |  |  |       -srckeystore certs/java/server/keystore_server.p12 \ | 
					
						
							|  |  |  |       -srcstoretype pkcs12 \ | 
					
						
							|  |  |  |       -destkeystore certs/java/server/keystore_server.jks | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | Trust Store for Client Authentication | 
					
						
							|  |  |  | ---- | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | If using client authentication, it is necessary for the server to trust to the client. | 
					
						
							|  |  |  | To do that, it's necessary for a trust store to be created that contains the client's public key. | 
					
						
							|  |  |  | Such a trust store can be created using these steps: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     $ rsync -a certs/ca/my-root-ca.crt.pem certs/client-auth/chain.pem | 
					
						
							|  |  |  |     $ cat certs/client-auth/cert.pem certs/client-auth/chain.pem > certs/client-auth/fullchain.pem | 
					
						
							|  |  |  |     $ openssl pkcs12 | 
					
						
							|  |  |  |       \-export | 
					
						
							|  |  |  |       \-inkey certs/client-auth/privkey.pem | 
					
						
							|  |  |  |       \-in certs/client-auth/fullchain.pem | 
					
						
							|  |  |  |       \-name test | 
					
						
							|  |  |  |       \-out certs/infinispan/trustore_server.p12 | 
					
						
							|  |  |  |     $ keytool | 
					
						
							|  |  |  |       \-importkeystore | 
					
						
							|  |  |  |       \-srckeystore certs/infinispan/trustore_server.p12 | 
					
						
							|  |  |  |       \-srcstoretype pkcs12 | 
					
						
							|  |  |  |       \-destkeystore certs/infinispan/trustore_server.jks | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2015-01-27 21:30:39 -07:00
										 |  |  | Other SSL Resources | 
					
						
							|  |  |  | ========= | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | Zero-Config clone 'n' run (tm) Repos: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-27 18:07:02 -06:00
										 |  |  | * [node.js HTTPS SSL Example](https://github.com/coolaj86/nodejs-ssl-example) | 
					
						
							| 
									
										
										
										
											2018-10-18 21:38:27 -06:00
										 |  |  | * [node.js HTTPS SSL Self-Signed Certificate Example](https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example) | 
					
						
							| 
									
										
										
										
											2016-06-27 18:07:02 -06:00
										 |  |  | * [node.js HTTPS SSL Trusted Peer Client Certificate Example](https://github.com/coolaj86/nodejs-ssl-trusted-peer-example) | 
					
						
							| 
									
										
										
										
											2018-10-18 21:42:27 -06:00
										 |  |  | * [node.js HTTPS SSL module for Loopback](https://www.npmjs.com/package/loopback-ssl) | 
					
						
							| 
									
										
										
										
											2015-01-27 21:30:39 -07:00
										 |  |  | * [SSL Root CAs](https://github.com/coolaj86/node-ssl-root-cas) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | Articles | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | * [http://greengeckodesign.com/blog/2013/06/15/creating-an-ssl-certificate-for-node-dot-js/](Creating an SSL Certificate for node.js) | 
					
						
							|  |  |  | * [http://www.hacksparrow.com/express-js-https-server-client-example.html/comment-page-1](HTTPS Trusted Peer Example) | 
					
						
							|  |  |  | * [How to Create a CSR for HTTPS SSL (demo with name.com, node.js)](http://blog.coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/) | 
					
						
							|  |  |  | * [coolaj86/Painless-Self-Signed-Certificates-in-node](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js) |