Where is node's certificate store?

I am making an https request (using the request module) to a server with a self-signed cert. It throws an error if I don't specify strictSSL: false as an option.

This cert is already trusted on my OS (OSX), such that Chrome doesn't throw an error while accessing a webpage from that server.

I understand different applications/environments may have their own certificate stores. Firefox has its own, and the JVM, for example, is usually at $JAVA_HOME/jre/lib/security/cacerts (on OSX).

My question is, where does node look for its trusted CA's? Is there such a concept? I'd like to add my self-signed cert there for development purposes.

Interline answered 8/1, 2014 at 19:20 Comment(2)
I don't know where they are stored, but you can add CA to this https.globalAgent.options.ca = your CA - Piave
see NODE_EXTRA_CA_CERTS - Huge
8

There is not a store. You can pass a ca option to the https request to tell it what CAs you do trust.

From the docs:

The following options from tls.connect() can also be specified. However, a globalAgent silently ignores these.

  • ca: An authority certificate or array of authority certificates to check the remote host against.

In order to specify these options, use a custom Agent.

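var https = require('https');

var options = {
  // ... other request options
  ca: caCerts, // placeholder: a CA certificate, or an array of CA certificates
  // ...
};

// Per the docs quoted above, pass these options through a custom Agent
options.agent = new https.Agent(options);

var req = https.request(options, function(res) {
  // handle the response here
});
req.end();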

Ref: http://nodejs.org/api/https.html#https_https_request_options_callback

Travers answered 8/1, 2014 at 21:28 Comment(0)
12

It seems that while there is no store, there is a default list of CAs built into the source.

My search ultimately led me to the closest thing to a store, this file of CA's that node.js supports:

https://github.com/joyent/node/blob/master/src/node_root_certs.h

Thus, while it is true that it doesn't do a lookup on the system hosted CA's and that there is no "store" per se, there is a default list of CA's that it accepts.

As mentioned by @Joe and @damphat, you can add your own with the Agent.options.ca property. Unfortunately, that workaround isn't practical in my case.

Interline answered 8/1, 2014 at 21:42 Comment(1)
Since 7.3 there's nodejs.org/api/cli.html#cli_node_extra_ca_certs_file which is a bit closer to adding arbitrary ones through the system - Florance