Reputation: 10496
After struggling for a while: is there any way to add a new certificate to the list of certificates node trusts?
It seems that node will trust only certificates stored in a hard-coded list of certificates: https://github.com/nodejs/node/blob/master/src/node_root_certs.h
So, for example, a node app should communicate with https://foo-bar-baz.com, which uses a self-signed certificate, causing requests to that domain to return something like:
[RequestError: Error: certificate has expired]
Apparently the way this can be fixed in Java is by adding the https://foo-bar-baz.com certificate to $JAVA_HOME/lib/security/cacerts.
Does node only read certificates from the mentioned hard-coded list, or can it also read from some OS certificate store? If just from hard coded list:
(One could probably edit the hard-coded list to add/remove a certificate, but I wouldn't feel comfortable changing node source. Also, from the similar question "Where is node's certificate store?", one could add a certificate while doing the request, but that is not in scope of this question. The similar question was posted 2 years ago, and from what I have investigated the situation is the same today.)
Upvotes: 14
Views: 1429
Reputation: 28285
You are calling them hard coded "list of certificates" ... the list is Certificate Granting Authorities, not certificates ... current behaviour is intentional for good reasons ... it would be very bad if a web server (nodejs) rendered a Green Padlock for unvalidated toy self signed certs
I suggest you use a better technique to synthesize your certificates which will give you valid certs which enable that Green Padlock ...
Run through this tutorial to get valid certs (free) for your domain which are production ready ... also great for kicking tyres: https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/
Upvotes: 3
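For the question's case of trusting an extra certificate without editing Node's source, the sketch below (an added example, not code from either post or from the Node.js project) merges a private CA bundle with `tls.rootCertificates` for a single HTTPS agent while leaving verification on. The helper names and the placeholder bundle are assumptions; the placeholder is constructed and is not a parseable certificate.

```javascript
const tls = require('tls');
const https = require('https');

// Constructed placeholder bundle (NOT a real certificate); in practice this
// text would be read from the private CA's PEM file.
const CONSTRUCTED_BUNDLE = [
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU',
  '-----END CERTIFICATE-----',
].join('\n');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Compare PEM blocks independent of line wrapping and trailing whitespace.
function normalize(pem) {
  return pem.replace(/\s+/g, '');
}

// Split a PEM bundle (one or more concatenated certificates) into blocks.
function splitPemBundle(bundleText) {
  const blocks = bundleText.match(PEM_CERT) || [];
  if (blocks.length === 0) {
    throw new Error('no CERTIFICATE block found in bundle');
  }
  return blocks.map((block) => block.trim());
}

// The `ca` option REPLACES Node's bundled root list rather than extending it,
// so the extra CAs are appended to tls.rootCertificates (hypothetical helper).
function buildCaList(extraBundleText, bundledRoots = tls.rootCertificates) {
  const seen = new Set(bundledRoots.map(normalize));
  const merged = [...bundledRoots];
  for (const pem of splitPemBundle(extraBundleText)) {
    const key = normalize(pem);
    if (!seen.has(key)) {
      seen.add(key);
      merged.push(pem);
    }
  }
  return merged;
}

// Agent scoped to the clients that need the private CA. Verification stays
// enabled; only the set of trusted issuers grows.
function agentTrusting(extraBundleText) {
  return new https.Agent({ ca: buildCaList(extraBundleText), rejectUnauthorized: true });
}
```

For a process-wide setting, Node also reads additional CA certificates at startup from the PEM file named by the `NODE_EXTRA_CA_CERTS` environment variable.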