I am making an https request (using the request module) to a server with a self-signed cert. It throws an error if I don't specify strictSSL: false as an option.
This cert is already trusted on my OS (OSX), such that Chrome doesn't throw an error while accessing a webpage from that server.
I understand different applications/environments may have their own certificate stores. Firefox has its own, and the JVM, for example, is usually at $JAVA_HOME/jre/lib/security/cacerts (on OSX).
My question is, where does node look for its trusted CA's? Is there such a concept? I'd like to add my self-signed cert there for development purposes.
This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root. This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.
Security certificates are used for a range of purposes. These include identity verification, file encryption, Web authentication, email security and software signature checking. Every certificate on your business computer is stored in a centralized location called the Certificate Manager.
When you add Certificate Services on a Windows server and configure a CA, a certificate database is created. By default, the database is contained in the %SystemRoot%\System32\Certlog folder, and the name is based on the CA name with an .edb extension.
Open Internet Explorer. From the Tools menu, choose Internet Options. In the Internet Options dialog box, click the Content tab and then the Certificates button to display the Certificates dialog box.
It seems that while there is no store, there is a default list of CA's built into the source.
My search ultimately led me to the closest thing to a store, this file of CA's that node.js supports:
https://github.com/joyent/node/blob/master/src/node_root_certs.h
Thus, while it is true that it doesn't do a lookup on the system hosted CA's and that there is no "store" per se, there is a default list of CA's that it accepts.
As mentioned by @Joe and @damphat, you can add your own with the Agent.options.ca property; unfortunately, that workaround isn't practical in my case.
There is not a store. You can pass a ca option to the https request to tell it what CAs you do trust.
From the docs:
The following options from tls.connect() can also be specified. However, a globalAgent silently ignores these.
ca: An authority certificate or array of authority certificates to check the remote host against.
In order to specify these options, use a custom Agent.

    var options = {
      ...
      ca: CA or [array of CAs]
      ...
    };
    options.agent = new https.Agent(options);
    var req = https.request(options, function(res) {
      ...
    });

Ref: http://nodejs.org/api/https.html#https_https_request_options_callback
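An added example, not part of the answers above or of node's documentation: the `ca` option from the quoted docs wired into a custom `https.Agent`, so certificate checking stays on instead of being disabled with `strictSSL: false`. The function names, the host `dev.example.test` and the use of a built-in root as a stand-in for the development certificate are assumptions made for the example.

```javascript
const https = require('https');
const tls = require('tls');
const { X509Certificate } = require('crypto');

// Parse the PEM up front so a wrong file (a private key, an empty file, HTML)
// fails here with a clear error instead of later as a handshake failure.
function describeCa(pem) {
  const cert = new X509Certificate(pem); // throws if pem is not a certificate
  return { subject: cert.subject, fingerprint256: cert.fingerprint256 };
}

// Build an Agent that trusts extraCaPem. Supplying `ca` replaces node's
// built-in CA list, so keepBuiltIn appends tls.rootCertificates for clients
// that must also reach publicly trusted hosts through the same agent.
function buildAgent(extraCaPem, keepBuiltIn) {
  describeCa(extraCaPem);
  const ca = keepBuiltIn ? [extraCaPem, ...tls.rootCertificates] : [extraCaPem];
  // rejectUnauthorized stays true: the chain and the host name are still checked.
  return new https.Agent({ ca, rejectUnauthorized: true });
}

// Options object for https.request(); the agent carries the trust settings.
function requestOptions(hostname, path, agent) {
  return { hostname, port: 443, path, method: 'GET', agent };
}

// Constructed sample input: the first built-in root stands in for the
// self-signed development certificate, which in practice would be read with
// fs.readFileSync from wherever the PEM file is kept.
const sampleCaPem = tls.rootCertificates[0];
const devAgent = buildAgent(sampleCaPem, false);
const opts = requestOptions('dev.example.test', '/', devAgent);

console.log('pinned CA:', describeCa(sampleCaPem).fingerprint256);
console.log('CAs trusted by this agent:', opts.agent.options.ca.length);
// https.request(opts, (res) => { ... }).end() would now verify the server
// against that single certificate only.
```

A self-signed server certificate can be passed as its own `ca`, since it is its own issuer; the host name in the request still has to match the names in the certificate.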