I`m trying to make client authorization with self-signed .
First, i`m creating certificates:
CA certificate
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Server certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
Client sertificate
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
Convert client certificate to p12
openssl pkcs12 -export -in client.crt -inkey client.key -name "My cert" -out client.p12
Open and install p12 certificate open client.p12
My node.js server (using express.js)
var express = require('express')
, routes = require('./routes')
, user = require('./routes/user')
, http = require('http')
, path = require('path')
, https = require('https')
, fs = require('fs');
var app = express();
app.configure(function () {
app.set('port', process.env.PORT || 3000);
app.set('views', __dirname + '/views');
app.set('view engine', 'ejs');
app.use(express.favicon());
app.use(express.logger('dev'));
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(app.router);
app.use(express.static(path.join(__dirname, 'public')));
});
app.configure('development', function () {
app.use(express.errorHandler());
});
app.get('/', function(req, res) {
console.log(req.client.authorized);
res.send(req.client.authorized)
});
var options = {
key:fs.readFileSync('ssl/server.key'),
cert:fs.readFileSync('ssl/server.crt'),
ca:[fs.readFileSync('ssl/ca.crt')],
requestCert:true,
rejectUnauthorized:false,
passphrase: 'passphrase',
agent: false
};
https.createServer(options,app).listen(app.get('port'), function () {
console.log("Express server listening on port " + app.get('port'));
});
When servers is running, i open https://localhost:3000
in Chrome, but authentication do not pass: req.client.authorized is false
Chrome message is
The identity of this website has not been verified.
• Server's certificate does not match the URL.
Where is my mistake?
SSL-enabled servers can be configured to require client authentication, or cryptographic validation by the server of the client's identity.
Server URL is matched against the Common Name part of the server certificate.
When you create the server certificate request, remember to put the host name of your server to the Common Name part. If you are just testing locally (using https://localhost
as an address) use localhost as Common Name.
With HTTPS support, use request.connection.verifyPeer()
and request.connection.getPeerCertificate()
to obtain the client's authentication details.
http://nodejs.org/api/http.html#http_request_connection
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With