{"id":18451475,"url":"https://github.com/trasherdk/nodejs-self-signed-certificate-example","last_synced_at":"2025-04-19T13:59:58.115Z","repository":{"id":103287322,"uuid":"585567599","full_name":"trasherdk/nodejs-self-signed-certificate-example","owner":"trasherdk","description":null,"archived":false,"fork":false,"pushed_at":"2023-01-05T13:59:37.000Z","size":19,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-16T14:07:23.216Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trasherdk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-05T13:59:25.000Z","updated_at":"2023-01-05T13:59:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"e6976501-1cf3-4f7c-ab52-dee14b4fc124","html_url":"https://github.com/trasherdk/nodejs-self-signed-certificate-example","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trasherdk%2Fnodejs-self-signed-certificate-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trasherdk%2Fnodejs-self-signed-certificate-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trasherdk%2Fnodejs-self-signed-certificate-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trasherdk%2Fnodejs-self-signed-certificate-exam
ple/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trasherdk","download_url":"https://codeload.github.com/trasherdk/nodejs-self-signed-certificate-example/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249494404,"owners_count":21281661,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T07:28:45.910Z","updated_at":"2025-04-18T12:39:15.192Z","avatar_url":"https://github.com/trasherdk.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"nodejs-self-signed-certificate-example\n======================================\n\nThe end of all your self-signed certificate woes (in node.js at least)\n\nThis is an easy-as-git-clone example that will get you on your way without\nany `DEPTH_ZERO_SELF_SIGNED_CERT` or `SSL certificate problem: Invalid certificate chain` headaches.\n\nSee\n[the explanation](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js) for\nthe many details.\n\nAlso, you may be interested in [coolaj86/nodejs-ssl-trusted-peer-example](https://git.coolaj86.com/coolaj86/nodejs-ssl-trusted-peer-example).\n\nTest for yourself\n---\n\nAn example that works.\n\n```bash\nexample\n├── make-root-ca-and-certificates.sh\n├── package.json\n├── serve.js\n└── request-without-warnings.js\n```\n\n### Get the repo\n\n```bash\ngit clone https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example.git\npushd nodejs-self-signed-certificate-example\nnpm install\n```\n\n**For the 
super impatient**:\n\n```bash\nbash test.sh\n```\n\n### Create certificates for your FQDN\n\n`localhost.daplie.com` points to `localhost`, so it's ideal for your first test.\n\n```bash\nbash make-root-ca-and-certificates.sh 'localhost.daplie.com'\n```\n\n```\ncerts/\n├── ca\n│   ├── my-root-ca.crt.pem\n│   ├── my-root-ca.key.pem\n│   └── my-root-ca.srl\n├── client\n│   ├── chain.pem\n│   └── pubkey.pem\n├── server\n│   ├── cert.pem\n│   ├── chain.pem\n│   ├── fullchain.pem\n│   └── privkey.pem\n└── tmp\n    └── csr.pem\n```\n\n### Run the server\n\n```bash\nnode ./serve.js 8043 \u0026\n# use `fg` and `ctrl+c` to kill\n```\n\n\n### Test in a client\n\nTest (warning free) in node.js\n\n```bash\nnode ./request-without-warnings.js 8043\n```\n\nTest (warning free) with cURL\n\n```bash\ncurl -v https://localhost.daplie.com:8043 \\\n  --cacert certs/client/chain.pem\n```\n\nNote: on macOS curl's `--cacert` option may not work properly\nand so you may need to add the cert to the system keychain (described below)\n\nVisit in a web browser\n\n\u003chttps://localhost.daplie.com:8043\u003e\n\nTo get rid of the warnings, simply add the certificate in the `client` folder\nto your list of certificates by alt-clicking \"Open With =\u003e Keychain Access\"\non `chain.pem`\n\nYou do have to set `Always Trust` a few times\n[as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck.\n\nNow season to taste\n---\n\nYou can poke around in the files for generating the certificates,\nbut all you really have to do is replace `localhost.daplie.com`\nwith your very own domain name.\n\nBut where's the magic?\n====\n\nWho's the man behind the curtain you ask?\n\nWell... I lied. 
This demo doesn't use self-signed certificates\n(not in the server at least).\nIt uses a self-signed Root CA and a signed certificate.\n\nIt turns out that self-signed certificates were designed to be\nused by Root Certificate Authorities, not by web servers.\n\nSo instead of trying to work through eleventeen brazillion errors\nabout self-signed certs, you can just create an authority and then\nadd the authority to your chain (voilà, now it's trusted).\n\nClient Authentication\n====\n\nIn the example above, the server trusts the client without the need for the client to be authenticated.\nSo, a common enhancement to the example above would be to add client authentication.\nTo add client authentication, it's necessary to generate a client key and have it signed by the CA defined above.\nExecute `make-client-key-certificate.sh` to generate the key and certificate.\nTo use the generated key and certificate, the `key`, `cert` and `passphrase` TLS options need to be added, e.g.:\n\n```js\n// Goes in the client request script; `hostname` and `port` are assumed to be defined there.\nvar fs = require('fs');\nvar path = require('path');\n\n// Root CA chain used to verify the server certificate\nvar ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'chain.pem'));\n// Client private key, the passphrase that decrypts it, and the CA-signed client certificate\nvar key = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'privkey.pem'));\nvar passphrase = 'secret';\nvar cert = fs.readFileSync(path.join(__dirname, 'certs', 'client-auth', 'cert.pem'));\n\nvar options = {\n  host: hostname\n, port: port\n, path: '/'\n, ca: ca\n, key: key\n, passphrase: passphrase\n, cert: cert\n};\n```\n\nGenerating Java Key Stores\n====\n\nIf the server component is written in Java, the server needs to be configured with a Java KeyStore containing security certificates.\nIn the example above, the `fullchain.pem` file needs to be converted into a Java KeyStore file.\nTo create a Java KeyStore file, the JDK needs to be installed and its `keytool` utility needs to be in the path.\nTo do that, please follow these instructions:\n\n    $ mkdir -p certs/java/server\n    $ openssl pkcs12 \\\n      -export \\\n      -inkey certs/server/privkey.pem \\\n      -in certs/server/fullchain.pem \\\n      -name 
test \\\n      -out certs/java/server/keystore_server.p12\n    $ keytool \\\n      -importkeystore \\\n      -srckeystore certs/java/server/keystore_server.p12 \\\n      -srcstoretype pkcs12 \\\n      -destkeystore certs/java/server/keystore_server.jks\n\nTrust Store for Client Authentication\n----\n\nIf using client authentication, it is necessary for the server to trust the client.\nTo do that, a trust store needs to be created that contains the client's public key.\nSuch a trust store can be created using these steps:\n\n    $ rsync -a certs/ca/my-root-ca.crt.pem certs/client-auth/chain.pem\n    $ cat certs/client-auth/cert.pem certs/client-auth/chain.pem \u003e certs/client-auth/fullchain.pem\n    $ openssl pkcs12 \\\n      -export \\\n      -inkey certs/client-auth/privkey.pem \\\n      -in certs/client-auth/fullchain.pem \\\n      -name test \\\n      -out certs/infinispan/trustore_server.p12\n    $ keytool \\\n      -importkeystore \\\n      -srckeystore certs/infinispan/trustore_server.p12 \\\n      -srcstoretype pkcs12 \\\n      -destkeystore certs/infinispan/trustore_server.jks\n\nOther SSL Resources\n=========\n\nZero-Config clone 'n' run (tm) Repos:\n\n* [node.js HTTPS SSL Example](https://github.com/coolaj86/nodejs-ssl-example)\n* [node.js HTTPS SSL Self-Signed Certificate Example](https://git.coolaj86.com/coolaj86/nodejs-self-signed-certificate-example)\n* [node.js HTTPS SSL Trusted Peer Client Certificate Example](https://github.com/coolaj86/nodejs-ssl-trusted-peer-example)\n* [node.js HTTPS SSL module for Loopback](https://www.npmjs.com/package/loopback-ssl)\n* [SSL Root CAs](https://github.com/coolaj86/node-ssl-root-cas)\n\nArticles\n\n* [Creating an SSL Certificate for node.js](http://greengeckodesign.com/blog/2013/06/15/creating-an-ssl-certificate-for-node-dot-js/)\n* [HTTPS Trusted Peer Example](http://www.hacksparrow.com/express-js-https-server-client-example.html/comment-page-1)\n* [How to Create a CSR for HTTPS SSL (demo with 
name.com, node.js)](http://blog.coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/)\n* [coolaj86/Painless-Self-Signed-Certificates-in-node](https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrasherdk%2Fnodejs-self-signed-certificate-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrasherdk%2Fnodejs-self-signed-certificate-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrasherdk%2Fnodejs-self-signed-certificate-example/lists"}