* Add instructions on how a Java KeyStore can be generated from the keys and certificates provided in this example. This is useful for situations where you have a Node.js client talking to a Java server. * Added intructions on how client authentication could be added to the client side.
		
			
				
	
	
		
			214 lines
		
	
	
		
			6.7 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			214 lines
		
	
	
		
			6.7 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| nodejs-self-signed-certificate-example
 | |
| ======================================
 | |
| 
 | |
| The end off all your self-signed certificate woes (in node.js at least)
 | |
| 
 | |
| This is an easy-as-git-clone example that will get you on your way without
 | |
| any `DEPTH_ZERO_SELF_SIGNED_CERT` or `SSL certificate problem: Invalid certificate chain` headaches.
 | |
| 
 | |
| See
 | |
| [the explanation](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js) for
 | |
| the many details.
 | |
| 
 | |
| Also, you may be interested in [coolaj86/nodejs-ssl-trusted-peer-example](https://git.coolaj86.com/coolaj86/nodejs-ssl-trusted-peer-example).
 | |
| 
 | |
| Test for yourself
 | |
| ---
 | |
| 
 | |
| An example that works.
 | |
| 
 | |
| ```bash
 | |
| example
 | |
| ├── make-root-ca-and-certificates.sh
 | |
| ├── package.json
 | |
| ├── serve.js
 | |
| └── request-without-warnings.js
 | |
| ```
 | |
| 
 | |
| ### Get the repo
 | |
| 
 | |
| ```bash
 | |
| git clone https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example.git
 | |
| pushd nodejs-self-signed-certificate-example
 | |
| npm install
 | |
| ```
 | |
| 
 | |
| **For the super impatient**:
 | |
| 
 | |
| ```bash
 | |
| bash test.sh
 | |
| ```
 | |
| 
 | |
| ### Create certificates for your FQDN
 | |
| 
 | |
| `localhost.daplie.com` points to `localhost`, so it's ideal for your first test.
 | |
| 
 | |
| ```bash
 | |
| bash make-root-ca-and-certificates.sh 'localhost.daplie.com'
 | |
| ```
 | |
| 
 | |
| ```
 | |
| certs/
 | |
| ├── ca
 | |
| │   ├── my-root-ca.crt.pem
 | |
| │   ├── my-root-ca.key.pem
 | |
| │   └── my-root-ca.srl
 | |
| ├── client
 | |
| │   ├── chain.pem
 | |
| │   └── pubkey.pem
 | |
| ├── server
 | |
| │   ├── cert.pem
 | |
| │   ├── chain.pem
 | |
| │   ├── fullchain.pem
 | |
| │   └── privkey.pem
 | |
| └── tmp
 | |
|     └── csr.pem
 | |
| ```
 | |
| 
 | |
| ### Run the server
 | |
| 
 | |
| ```bash
 | |
| node ./serve.js 8043 &
 | |
| # use `fg` and `ctrl+c` to kill
 | |
| ```
 | |
| 
 | |
| 
 | |
| ### Test in a client
 | |
| 
 | |
| Test (warning free) in node.js
 | |
| 
 | |
| ```bash
 | |
| node ./request-without-warnings.js 8043
 | |
| ```
 | |
| 
 | |
| Test (warning free) with cURL
 | |
| 
 | |
| ```bash
 | |
| curl -v https://localhost.daplie.com:8043 \
 | |
|   --cacert certs/client/chain.pem
 | |
| ```
 | |
| 
 | |
| Note: on macOS curl's `--cacert` option may not work properly
 | |
| and so you may need to add the cert to the system keychain (described below)
 | |
| 
 | |
| Visit in a web browser
 | |
| 
 | |
| <https://localhost.daplie.com:8043>
 | |
| 
 | |
| To get rid of the warnings, simply add the certificate in the `client` folder
 | |
| to your list of certificates by alt-clicking "Open With => Keychain Access"
 | |
| on `chain.pem`
 | |
| 
 | |
| You do have to set `Always Trust` a few times
 | |
| [as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck.
 | |
| 
 | |
| Now season to taste
 | |
| ---
 | |
| 
 | |
| You can poke around in the files for generating the certificates,
 | |
| but all you really have to do is replace `localhost.daplie.com`
 | |
| with your very own domain name.
 | |
| 
 | |
| But where's the magic?
 | |
| ====
 | |
| 
 | |
| Who's the man behind the curtain you ask?
 | |
| 
 | |
| Well... I lied. This demo doesn't use self-signed certificates
 | |
| (not in the server at least).
 | |
| It uses a self-signed Root CA and a signed certificate.
 | |
| 
 | |
| It turns out that self-signed certificates were designed to be
 | |
| used by the Root Certificate Authorities, not by web servers.
 | |
| 
 | |
| So instead of trying to work through eleventeen brazillion errors
 | |
| about self-signed certs, you can just create an authority and then
 | |
| add the authority to your chain (viola, now it's trusted).
 | |
| 
 | |
| Client Authentication
 | |
| ====
 | |
| 
 | |
| In the example above, the server trusts the client without the need for the client to be authenticated.
 | |
| So, a common enhancement to the example above would be to add client authentication.
 | |
| To add client authentication, it's necessary to generate a client key and have it signed by the CA defined above.
 | |
| Execute `make-client-key-certificate.sh` to generate key and certificate.
 | |
| To use generated key and certificate, `key`, `cert` and `passphrase` TLS options need to be added, e.g.:
 | |
| 
 | |
| ```
 | |
| var ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'chain.pem'));
 | |
| var key = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'privkey.pem'));
 | |
| var passphrase = 'secret';
 | |
| var cert = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'cert.pem'));
 | |
| 
 | |
| var options = {
 | |
|   host: hostname
 | |
| , port: port
 | |
| , path: '/'
 | |
| , ca: ca
 | |
| , key: key
 | |
| , passphrase: passphrase
 | |
| , cert: cert
 | |
| };
 | |
| ```
 | |
| 
 | |
| Generating Java Key Stores
 | |
| ====
 | |
| 
 | |
| If the server component is written in Java, the server needs to be plugged with a Java KeyStore containing security certificates.
 | |
| In the example above, the `fullchain.pem` file needs to be converted into a Java KeyStore file.
 | |
| To create a Java KeyStore file, the JDK needs to be installed and have `keytool` utility in the path.
 | |
| To do that, please follow these instructions:
 | |
| 
 | |
|     $ mkdir certs/java/server
 | |
|     $ openssl pkcs12 \
 | |
|       -export \
 | |
|       -inkey certs/server/privkey.pem \
 | |
|       -in certs/server/fullchain.pem \
 | |
|       -name test \
 | |
|       -out certs/java/server/keystore_server.p12
 | |
|     $ keytool \
 | |
|       -importkeystore \
 | |
|       -srckeystore certs/java/server/keystore_server.p12 \
 | |
|       -srcstoretype pkcs12 \
 | |
|       -destkeystore certs/java/server/keystore_server.jks
 | |
| 
 | |
| Trust Store for Client Authentication
 | |
| ----
 | |
| 
 | |
| If using client authentication, it is necessary for the server to trust to the client.
 | |
| To do that, it's necessary for a trust store to be created that contains the client's public key.
 | |
| Such a trust store can be created using these steps:
 | |
| 
 | |
|     $ rsync -a certs/ca/my-root-ca.crt.pem certs/client-auth/chain.pem
 | |
|     $ cat certs/client-auth/cert.pem certs/client-auth/chain.pem > certs/client-auth/fullchain.pem
 | |
|     $ openssl pkcs12
 | |
|       \-export
 | |
|       \-inkey certs/client-auth/privkey.pem
 | |
|       \-in certs/client-auth/fullchain.pem
 | |
|       \-name test
 | |
|       \-out certs/infinispan/trustore_server.p12
 | |
|     $ keytool
 | |
|       \-importkeystore
 | |
|       \-srckeystore certs/infinispan/trustore_server.p12
 | |
|       \-srcstoretype pkcs12
 | |
|       \-destkeystore certs/infinispan/trustore_server.jks
 | |
| 
 | |
| Other SSL Resources
 | |
| =========
 | |
| 
 | |
| Zero-Config clone 'n' run (tm) Repos:
 | |
| 
 | |
| 
 | |
| * [node.js HTTPS SSL Example](https://github.com/coolaj86/nodejs-ssl-example)
 | |
| * [node.js HTTPS SSL Self-Signed Certificate Example](https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example)
 | |
| * [node.js HTTPS SSL Trusted Peer Client Certificate Example](https://github.com/coolaj86/nodejs-ssl-trusted-peer-example)
 | |
| * [node.js HTTPS SSL module for Loopback](https://www.npmjs.com/package/loopback-ssl)
 | |
| * [SSL Root CAs](https://github.com/coolaj86/node-ssl-root-cas)
 | |
| 
 | |
| Articles
 | |
| 
 | |
| * [http://greengeckodesign.com/blog/2013/06/15/creating-an-ssl-certificate-for-node-dot-js/](Creating an SSL Certificate for node.js)
 | |
| * [http://www.hacksparrow.com/express-js-https-server-client-example.html/comment-page-1](HTTPS Trusted Peer Example)
 | |
| * [How to Create a CSR for HTTPS SSL (demo with name.com, node.js)](http://blog.coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/)
 | |
| * [coolaj86/Painless-Self-Signed-Certificates-in-node](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js)
 |