Saturday, May 7, 2016

node certificate store: does node read only from a hard-coded list of certificates?


After struggling for a while: is there any way to add a new certificate to the list of certificates node trusts?

It seems that node will trust only certificates stored in a hard-coded list of certificates: https://github.com/nodejs/node/blob/master/src/node_root_certs.h

So for example, a node app should communicate with https://foo-bar-baz.com, which uses a self-signed certificate, causing requests to that domain to return something like:
[RequestError: Error: certificate has expired]

Apparently the way this is fixed in Java is by adding the https://foo-bar-baz.com certificate to $JAVA_HOME/lib/security/cacerts.

Does node only read certificates from the mentioned hard-coded list, or can it also read from some OS certificate store? If just from the hard-coded list:

  1. Why? What can be the reason to implement it in that way?
  2. If some certificate gets forged, is the only thing one can do to wait for the next node version?
  3. If one wants to add a self-signed certificate, is it impossible?

(One could probably edit the hard-coded list to add/remove a certificate, but I wouldn't feel comfortable with changing node's source. Also, from the similar question "Where is node's certificate store?", one could add a certificate while doing a request, but that is not in scope of this question. The similar question was posted 2 years ago, and from what I have investigated the situation is the same today.)

1 Answer

You are calling them a hard-coded "list of certificates" ... the list is Certificate Granting Authorities, not certificates ... the current behaviour is intentional for good reasons ... it would be very bad if a web server (nodejs) rendered a Green Padlock for unvalidated toy self-signed certs

I suggest you use a better technique to synthesize your certificates, which will give you valid certs which enable that Green Padlock ...

Run through this tutorial to get valid certs (free) for your domain which are production ready ... also great for kicking tyres: https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/
