{"id":21638360,"url":"https://github.com/julie-ng/nodejs-certificate-auth","last_synced_at":"2025-06-16T22:05:13.150Z","repository":{"id":40607389,"uuid":"148888021","full_name":"julie-ng/nodejs-certificate-auth","owner":"julie-ng","description":"Demo for Client Certificate Authentication with Node.js Tutorial","archived":false,"fork":false,"pushed_at":"2023-05-01T02:20:30.000Z","size":237,"stargazers_count":117,"open_issues_count":3,"forks_count":31,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-11T17:00:03.209Z","etag":null,"topics":["authentication","client-cert-authentication","demo","mtls","mutual-tls","openssl","tutorial"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/julie-ng.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-09-15T09:26:51.000Z","updated_at":"2025-03-21T09:46:35.000Z","dependencies_parsed_at":"2025-04-11T16:52:57.251Z","dependency_job_id":"8b29a089-d4bc-46c2-8a9c-b9e049b2589a","html_url":"https://github.com/julie-ng/nodejs-certificate-auth","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/julie-ng/nodejs-certificate-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/julie-ng%2Fnodejs-certificate-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/julie-ng%2Fnodejs-certificate-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/julie-
ng%2Fnodejs-certificate-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/julie-ng%2Fnodejs-certificate-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/julie-ng","download_url":"https://codeload.github.com/julie-ng/nodejs-certificate-auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/julie-ng%2Fnodejs-certificate-auth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260249957,"owners_count":22980763,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","client-cert-authentication","demo","mtls","mutual-tls","openssl","tutorial"],"created_at":"2024-11-25T04:09:20.957Z","updated_at":"2025-06-16T22:05:13.129Z","avatar_url":"https://github.com/julie-ng.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Client Certificate Authentication (mTLS) with Node.js\n\nThis is a demo of how to do client authentication with certificates (**mTLS or mutual TLS**), as opposed to usernames and passwords, with out-of-the-box (OOTB) Node.js.\n\nThis demo has a server with two clients:\n\n- \"Alice\" who has a server-signed trusted certificate\n- \"Bob\" who has an invalid self-signed certificate\n\n\u003cimg src=\"./diagram-certificates.svg\" width=\"400\" alt=\"Diagram\"\u003e\n\nBased on the following tutorials:\n\n- [Authentication using HTTPS client certificates](https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326)  \n\tAuthor: Andras 
Sevcsik-Zajácz, Web technology enthusiast\n\n- [HTTPS Authorized Certs with Node.js](https://engineering.circle.com/https-authorized-certs-with-node-js-315e548354a2)  \n\tAuthor: Anders Brownworth, Rethinking money @CirclePay | Co-taught the Blockchain class at MIT\n\n# Demo: How to Use\n\nFirst install the required dependencies with `npm install`. Then the demo works as follows:\n\n## Step 1 - Start Server\n\nWe start a server that by default only accepts requests authenticated by client certificates:\n\n```\nnpm run server\n```\n\nYou can test that this is working by opening [https://localhost:4433/](https://localhost:4433/) in your browser.\n\n## Step 2 - Test Valid Client (Alice)\n\n**Alice** has a valid certificate issued by the server, so she can talk to the server:\n\n```\n$ npm run valid-client\n\n\u003e node ./client/valid-app.js\n\nHello Alice, your certificate was issued by localhost!\n```\n\n## Step 3 - Test Invalid Client (Bob)\n\n**Bob** has a self-issued certificate, which is rejected by the server:\n\n```\n$ npm run invalid-client\n\n\u003e node ./client/invalid-app.js\n\nSorry Bob, certificates from Bob are not welcome here.\n```\n\n\n# Reference - Introduction to Creating Certificates\n\n## Server Certificates\n\n- CN: localhost\n- O: Client Certificate Demo\n\n```bash\nopenssl req \\\n\t-x509 \\\n\t-newkey rsa:4096 \\\n\t-keyout server/server_key.pem \\\n\t-out server/server_cert.pem \\\n\t-nodes \\\n\t-days 365 \\\n\t-subj \"/CN=localhost/O=Client\\ Certificate\\ Demo\"\n```\n\nThis command combines the following _three_ commands:\n\n- `openssl genrsa`\n- `openssl req`\n- `openssl x509`\n\nand generates _two_ files:\n\n- `server_cert.pem`\n- `server_key.pem`\n\n## Create Client Certificates\n\nFor the demo, two users are created:\n\n- Alice, who has a valid certificate, signed by the server\n- Bob, who creates his own self-signed certificate\n\n\n### Create Alice's Certificate (server-signed and valid)\n\nWe create a certificate for Alice.\n\n- sign Alice's 
Certificate Signing Request (CSR)...\n- with our server key via `-CA server/server_cert.pem` and\n\t`-CAkey server/server_key.pem` flags\n- and save the result as the certificate\n\n```bash\n# generate key and CSR for the server-signed (valid) certificate\nopenssl req \\\n\t-newkey rsa:4096 \\\n\t-keyout client/alice_key.pem \\\n\t-out client/alice_csr.pem \\\n\t-nodes \\\n\t-days 365 \\\n\t-subj \"/CN=Alice\"\n\n# sign the CSR with the server certificate and key\nopenssl x509 \\\n\t-req \\\n\t-in client/alice_csr.pem \\\n\t-CA server/server_cert.pem \\\n\t-CAkey server/server_key.pem \\\n\t-out client/alice_cert.pem \\\n\t-set_serial 01 \\\n\t-days 365\n```\n\n### Create Bob's Certificate (self-signed and invalid)\n\nBob creates his own certificate, without our server key.\n\n```bash\n# generate key and CSR for the self-signed (invalid) certificate\nopenssl req \\\n\t-newkey rsa:4096 \\\n\t-keyout client/bob_key.pem \\\n\t-out client/bob_csr.pem \\\n\t-nodes \\\n\t-days 365 \\\n\t-subj \"/CN=Bob\"\n\n# self-sign the CSR with Bob's own key (bob_key.pem)\nopenssl x509 \\\n\t-req \\\n\t-in client/bob_csr.pem \\\n\t-signkey client/bob_key.pem \\\n\t-out client/bob_cert.pem \\\n\t-days 365\n```\n\n## Notes\n\n- [Let's Encrypt](https://letsencrypt.org/) is a \"free, automated, and open\" Certificate Authority\n- **PEM**: Privacy Enhanced Mail is a Base64 encoded DER certificate\n\n### OpenSSL commands\n\n| Command | Documentation | Description |\n|:--|:--|:--|\n| `genrsa` | [Docs](https://www.openssl.org/docs/man1.0.2/apps/genrsa.html) |  Generates an RSA private key |\n| **`req`** | [Docs](https://www.openssl.org/docs/man1.0.2/apps/req.html) |  Primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example. |\n| `x509` | [Docs](https://www.openssl.org/docs/man1.0.2/apps/x509.html) | The x509 command is a multi purpose certificate utility. 
It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a \"mini CA\" or edit certificate trust settings. |\n\n[View all `openssl` commands \u0026rarr;](https://www.openssl.org/docs/man1.0.2/apps/openssl.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjulie-ng%2Fnodejs-certificate-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjulie-ng%2Fnodejs-certificate-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjulie-ng%2Fnodejs-certificate-auth/lists"}