Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to add custom certificate authority (CA) to nodejs

Tags:

node.js

npm

I'm using a CLI tool to build hybrid mobile apps which has a cool upload feature so I can test the app on a device without going through the app store (it's ionic-cli). However, in my company like so many other companies TLS requests are re-signed with the company's own custom CA certificate which I have on my machine in the keychain (OS X). However, nodejs does not use the keychain to get its list of CA's to trust. I don't control the ionic-cli app so I can't simply pass in a { ca: } property to the https module. I could also see this being a problem for any node app which I do not control. Is it possible to tell nodejs to trust a CA?

I wasn't sure if this belonged in Information Security or any of the other exchanges...

like image 435
Mike Haas Avatar asked Mar 26 '15 15:03

Mike Haas


People also ask

How do I add a certificate Authority?

Expand Policies > Windows Settings > Security Settings > Public Key Policies. Right-click Trusted Root Certification Authorities and select Import. Click Next and Browse to select the CA certificate you copied to the device. Click Finish and then OK.

How do you resolve certificate errors in a node js app with SSL calls?

The easiest solution to resolve these errors is to use the “rejectUnauthorized” option shown below. However, this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack.


2 Answers

Node.js 7.3.0 (and the LTS versions 6.10.0 and 4.8.0) added NODE_EXTRA_CA_CERTS environment variable for you to pass the CA certificate file. It will be safer than disabling certificate verification using NODE_TLS_REJECT_UNAUTHORIZED.

$ export NODE_EXTRA_CA_CERTS=[your CA certificate file path] 
like image 194
Cheng-Lin Tsao Avatar answered Sep 22 '22 06:09

Cheng-Lin Tsao


I'm aware of two npm modules that handle this problem when you control the app:

  1. https://github.com/capriza/syswide-cas (I'm the author of this one)
  2. https://github.com/coolaj86/node-ssl-root-cas

node-ssl-root-cas bundles it's own copies of nodes root CAs and also enables adding your own CAs to trust. It places the certs on the https global agent, so it will only be used for https module, not pure tls connections. Also, you will need extra steps if you use a custom Agent instead of the global agent.

syswide-cas loads certificates from pre-defined directories (such as /etc/ssl/certs) and uses node internal API to add them to the trusted list of CAs in conjunction to the bundled root CAs. There is no need to use the ca option since it makes the change globally which affects all later TLS calls automatically. It's also possible to add CAs from other directories/files if needed. It was verified to work with node 0.10, node 5 and node 6.

Since you do not control the app you can create a wrapper script to enable syswide-cas (or node-ssl-root-cas) and then require the ionic-cli script:

require('syswide-cas'); // this adds your custom CAs in addition to bundled CAs require('./path/to/real/script'); // this runs the actual script 
like image 20
fujifish Avatar answered Sep 22 '22 06:09

fujifish