Where is node's certificate store?

I am making an https request (using the request module) to a server with a self-signed cert. It throws an error if I don't specify strictSSL: false as an option.

This cert is already trusted on my OS (OSX), such that Chrome doesn't throw an error while accessing a webpage from that server.

I understand different applications/environments may have their own certificate stores. Firefox has its own, and the JVM, for example, is usually at $JAVA_HOME/jre/lib/security/cacerts (on OSX).

My question is, where does node look for its trusted CA's? Is there such a concept? I'd like to add my self-signed cert there for development purposes.

badunk asked Jan 08 '14 19:01


2 Answers

It seems that while there is no store, there is a default list of CA's built into the source.

My search ultimately led me to the closest thing to a store, this file of CA's that node.js supports:

https://github.com/joyent/node/blob/master/src/node_root_certs.h

Thus, while it is true that it doesn't do a lookup on the system hosted CA's and that there is no "store" per se, there is a default list of CA's that it accepts.

As mentioned by @Joe and @damphat, you can add your own with the Agent.options.ca property; unfortunately, that workaround isn't practical in my case.

badunk answered Oct 11 '22 01:10


There is not a store. You can pass a ca option to the https request to tell it what CAs you do trust.

From the docs:

The following options from tls.connect() can also be specified. However, a globalAgent silently ignores these.

  • ca: An authority certificate or array of authority certificates to check the remote host against.

In order to specify these options, use a custom Agent.

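var https = require('https');
var fs = require('fs');

var options = {
  // ... other request options (hostname, port, path, method)
  // ca: one CA certificate (PEM) or an array of them; the file name is a placeholder
  ca: [fs.readFileSync('my-ca.pem')]
};

options.agent = new https.Agent(options);

var req = https.request(options, function(res) {
  // handle the response here
});
req.end();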

Ref: http://nodejs.org/api/https.html#https_https_request_options_callback

Joe answered Oct 11 '22 01:10
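
An added example (not part of the original answers, and not Node's own code) that combines both answers: it keeps the built-in CA list and adds one more certificate through a custom Agent, leaving verification on instead of setting strictSSL: false. The helper names describeCert and agentTrusting are hypothetical, the sample certificate is a bundled root standing in for a development cert, and Node 15.6 or later is assumed for X509Certificate.

```javascript
const https = require('https');
const tls = require('tls');
const { X509Certificate } = require('crypto');

// Hypothetical helper: parse a PEM certificate and summarise it before trusting it.
// Throws if the input is not a parseable certificate.
function describeCert(pem) {
  const cert = new X509Certificate(pem);
  return {
    subject: cert.subject,
    selfSigned: cert.checkIssued(cert),          // issued by itself?
    expired: new Date(cert.validTo) < new Date(),
    sha256: cert.fingerprint256,                 // compare with the server's cert out of band
  };
}

// Hypothetical helper: an Agent that trusts the bundled roots plus extra PEM certs.
// An explicit `ca` replaces the bundled list, so the roots are re-added here.
function agentTrusting(extraPems) {
  for (const pem of extraPems) {
    const info = describeCert(pem);
    if (info.expired) throw new Error('expired certificate: ' + info.subject);
  }
  return new https.Agent({
    ca: [...tls.rootCertificates, ...extraPems],
    rejectUnauthorized: true,                    // verification stays on
  });
}

// Constructed sample input: a bundled root stands in for the development cert,
// so this runs offline. In practice, read your own PEM file instead.
const sampleDevCert = tls.rootCertificates.find((pem) => !describeCert(pem).expired);
const agent = agentTrusting([sampleDevCert]);
console.log('bundled roots:', tls.rootCertificates.length);
console.log('trusted by agent:', agent.options.ca.length);
console.log('added cert:', describeCert(sampleDevCert).sha256);
// Use it per request: https.request({ hostname, path, agent }, callback)
```

Node also reads extra CA certificates from the file named in the NODE_EXTRA_CA_CERTS environment variable at startup, which extends the bundled list without code changes.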