Reputation: 712
A few similar threads exist but none has a checked answer or much discussion. I'm trying to set up an https server on express js but I'm getting
crypto.js:100
c.context.setKey(options.key);
^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
I generated my .csr and .key files with
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr
One suggestion was to convert the .csr to a .pem by following these instructions: http://silas.sewell.org/blog/2010/06/03/node-js-https-ssl-server-example/
That didn't work.
The express.js docs (http://nodejs.org/api/https.html) show both of these files as .pem, however. If that's the issue, how would you convert a .key file to a .pem? This thread is partially helpful: "How to get .pem file from .key and .crt files?", but if anyone knows what expressjs requires, I feel that's the missing component.
How would I check that the files are properly in ANSI, or convert them if not?
There is also some discussion on whether the file should begin with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----
Any help is greatly appreciated.
Upvotes: 0
Views: 5247
Reputation: 1055
So I think there's at least a little bit of terminological confusion, and the node.js example you have there doesn't help by renaming everything to .pem.
Here's a general overview for how SSL works:
You generate a pair of public and private keys. For our purposes the former is your "certificate signing request" (CSR for short) and the latter is your private signing key (just "your key").
If you wanted to generate a self-signed certificate (this is useful for local testing purposes) you can turn around and use your key and your CSR to generate a certificate. This link http://www.akadia.com/services/ssh_test_certificate.html has a pretty clear rundown of how to do that on a *nix-based system.
For the purposes of web browsers, SSL certificates need to be co-signed by a trusted authority, e.g. a Certificate Authority (CA). You pay a CA to co-sign your cert, and vouch for your authenticity with browser vendors (who will in turn display a green padlock for your site when your website presents its certificate to browsers).
The co-signing process starts with you uploading your CSR to your CA. They will then take that CSR and generate your certificate. They will then provide you with a couple of certificates, your certificate, their root certificate, and possibly some intermediate certificates.
You then need to form a combined certificate that proves a chain of authenticity back to browsers. You do this literally just by concatenating your certificate, followed by the intermediate certificates (in whatever order was specified) ending with the root certificate. This combined certificate is what you hand to your web server.
In order to enable your web server to serve over SSL, you need to hand it your (combined) certificate as its public encryption key (which it provides to web browsers upon request), and your private encryption key, so that it can decrypt the traffic sent to it by web browsers.
So. Now with all of that in mind, you should take that CSR that you have and provide it to your CA, and get the various certificates back, concatenate them, and then use that w/ your private key in your express server.
Upvotes: 8
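The "no start line" error in the question is what OpenSSL reports when the data given as the key or certificate has no -----BEGIN ...----- line it can read, for example when a CSR is passed where a certificate belongs or the file is not plain single-byte text. The pre-flight check below is an added example, not code from this thread or from Node.js; the function names, result codes and sample PEM bodies are all constructed for illustration.

```javascript
// Added example: pre-flight check for the key/cert buffers handed to https.createServer().
// All sample inputs are constructed; the base64 bodies are placeholders, not real key material.
const KEY_LABELS = ['PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY', 'ENCRYPTED PRIVATE KEY'];
const CSR_LABELS = ['CERTIFICATE REQUEST', 'NEW CERTIFICATE REQUEST'];

// Decode a file buffer and report encodings that keep line 1 from starting with "-----BEGIN".
function decodePem(buf) {
  if (buf[0] === 0xff && buf[1] === 0xfe) return { text: buf.subarray(2).toString('utf16le'), encoding: 'utf16le-bom' };
  if (buf[0] === 0xef && buf[1] === 0xbb && buf[2] === 0xbf) return { text: buf.subarray(3).toString('utf8'), encoding: 'utf8-bom' };
  return { text: buf.toString('latin1'), encoding: 'plain' };
}

// Return the label of every well-formed BEGIN/END pair, in file order.
function pemLabels(text) {
  const re = /^-----BEGIN ([A-Z0-9 ]+)-----\r?$[\s\S]*?^-----END \1-----\r?$/gm;
  return Array.from(text.matchAll(re), (m) => m[1]);
}

// List the problems that would stop a TLS server from loading this key/certificate pair.
function checkTlsFiles(keyBuf, certBuf) {
  const problems = [];
  const key = decodePem(keyBuf);
  const cert = decodePem(certBuf);
  for (const [name, file] of [['key', key], ['cert', cert]]) {
    if (file.encoding !== 'plain') problems.push(`${name}:${file.encoding}`);
  }
  const keyLabels = pemLabels(key.text);
  const certLabels = pemLabels(cert.text);
  if (!keyLabels.some((l) => KEY_LABELS.includes(l))) problems.push('key:no-private-key-block');
  // An encrypted key loads only when the server options also carry a passphrase.
  if (keyLabels.includes('ENCRYPTED PRIVATE KEY') || /^Proc-Type: 4,ENCRYPTED/m.test(key.text)) problems.push('key:needs-passphrase');
  if (certLabels.some((l) => CSR_LABELS.includes(l))) problems.push('cert:is-csr-not-certificate');
  if (!certLabels.includes('CERTIFICATE')) problems.push('cert:no-certificate-block');
  return problems;
}

// Constructed samples: an unencrypted key, a CSR, a two-certificate chain, a UTF-16 key file.
const pem = (label, eol = '\n') => [`-----BEGIN ${label}-----`, 'Q09OU1RSVUNURUQ=', `-----END ${label}-----`, ''].join(eol);
const SAMPLE_KEY = Buffer.from(pem('PRIVATE KEY'));
const SAMPLE_CSR = Buffer.from(pem('CERTIFICATE REQUEST'));
const SAMPLE_CHAIN = Buffer.from(pem('CERTIFICATE') + pem('CERTIFICATE'));
const SAMPLE_KEY_UTF16 = Buffer.concat([Buffer.from([0xff, 0xfe]), Buffer.from(pem('RSA PRIVATE KEY', '\r\n'), 'utf16le')]);

console.log(checkTlsFiles(SAMPLE_KEY, SAMPLE_CSR));         // CSR used as the certificate
console.log(checkTlsFiles(SAMPLE_KEY_UTF16, SAMPLE_CHAIN)); // key saved as UTF-16
console.log(checkTlsFiles(SAMPLE_KEY, SAMPLE_CHAIN));       // clean pair
```

In a real server the two buffers would come from fs.readFileSync() on the key file and the certificate file, checked before they are placed in the options object.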