Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Retrieve built-in root certificates within node application #25824

Closed
LuukDeVille opened this issue Jan 30, 2019 · 8 comments
Closed

Retrieve built-in root certificates within node application #25824

LuukDeVille opened this issue Jan 30, 2019 · 8 comments
Labels
feature request Issues that request new features to be added to Node.js. tls Issues and PRs related to the tls subsystem.

Comments

@LuukDeVille
Copy link

Is there any way to retrieve the built-in root certificates, that are shiped with node (https://github.com/nodejs/node/blob/master/src/node_root_certs.h) from a node application?

Via https.globalAgent.options.ca it is possible to define custom certificates, but the already existing ones are not listed here.

@sam-github sam-github added tls Issues and PRs related to the tls subsystem. feature request Issues that request new features to be added to Node.js. labels Jan 30, 2019
@sam-github
Copy link
Contributor

Not currently. I've considered adding it, but couldn't really think of a use-case. What's yours? I assume you ask for a reason! :-)

@LuukDeVille
Copy link
Author

We have the requirement to add a lot of intermediate CAs via https.globalAgent.options.ca. As the option https.globalAgent.options.ca is going to overwrite the built-in root CAs, we also need to add those root CAs as well. Due to this, my idea was to read the built-in root CAs as well as our intermediate CAs and pass these to https.globalAgent.options.ca.

As there is no option at the moment to get the built-in root CAs, we need to think of getting them somewhere else.

Thus it would be great, if there is an interface to read the built-in root CAs.

@sam-github
Copy link
Contributor

Your use-case seems reasonable to me. No promises on if/when someone will get to this feature, though, sorry.

Have you considered using NODE_EXTRA_CA_CERTS? It does what you want (adds to the CAs without replacing them), but you need them to be in a file, and to set an env variable before node starts, which may or may not work for you.

@LuukDeVille
Copy link
Author

We have considered using NODE_EXTRA_CA_CERTS, but we can not use it due to the constraints you have mentioned.

bnoordhuis added a commit to bnoordhuis/io.js that referenced this issue May 17, 2019
targos pushed a commit that referenced this issue May 20, 2019
Fixes: #25824
PR-URL: #26415
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Ron Korving <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Vse Mozhet Byt <[email protected]>
@khitrenovich
Copy link

@bnoordhuis / @targos - what is the target release for that enhancement, please?

@bnoordhuis
Copy link
Member

@khitrenovich Yeah, there's no simple answer... it will probably go into the next v12.x release but if you're asking about LTS releases, I can't give a precise answer.

@khitrenovich
Copy link

@bnoordhuis So, if it makes its way to one of v12.x releases, it will eventually become LTS once v12 will get to LTS phase... unless I'm missing something in how Node release scheduling works, right?

@bnoordhuis
Copy link
Member

@khitrenovich That's right.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature request Issues that request new features to be added to Node.js. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants