Node: please provide a way to use system-installed root certificates instead of bundled ones

Created on 2 Oct 2015  ·  24 Comments  ·  Source: nodejs/node

This is related to https://github.com/nodejs/node/issues/1256.

In Debian and derivatives, and probably other distributions too, certificates are managed and configured system-wide. For example /etc/ssl/certs/ca-certificates.crt, which is also user-configurable. It is so expected and useful that it'd be nice to add a configure switch to nodejs so that it bundles a custom file, or even better, a runtime switch. Currently I have a patch on nodejs partially doing that, and I kept it beside me until someone complained it wasn't in the original release.

Labels: feature request, security, tls

All 24 comments

probably a feature for --configure

/cc @nodejs/crypto @nodejs/build

+1

We need this feature too - I'm working with a corporation that uses RapidSSL - which is not in the bundled certs list (as far as I can see).
On top of that - there just might be self-signed or self verifying authorities that inner networks might need to trust.

Thanks
:)

I like this as well. Can you file a PR?

+1

This is also needed for decrypting corporate firewalls that use self-signed certificates which have been placed into OS cert stores by IT automation.

PR: https://github.com/nodejs/node/pull/8334 should fix this issue.

https://github.com/capriza/syswide-cas provides a temporary workaround by loading certs from system wide directories and automatically using them in conjunction with the bundled root CAs

This is only solved for OpenSSL. In Windows, the system trust store is managed by CertMgr. In macOS it’s Keychain. Both should also be supported.

Please re-open this issue.

Node.js only supports OpenSSL; the feature requested by @kapouer was implemented.

You can open another feature request if you'd like. Be aware that a node feature request, either open or closed, doesn't imply that anyone is going to volunteer to implement it.

Since doing this would require a new OpenSSL cert store, I recommend opening an issue against OpenSSL, or asking on their mailing list. Maybe there is a solution already, or they can point you to previous discussions. I'd be very surprised if this hadn't been requested of them before.

Node.js only supports OpenSSL

How did this work in Windows? AFAIK Windows doesn’t support OpenSSL officially.

Node.js includes a copy of OpenSSL, it doesn't need to be supported by Windows.

To access the system certificates inside Windows/macOS, an additional implementation is needed. It can't be done with OpenSSL. From my point of view, this issue is only partially solved.

In my case, this issue is quite important since big companies restrict access to internal services with an unexportable self-signed certificate (which is located in the system keystore) for security reasons.

Is this really still an issue?

@thebigredgeek Yes, in an enterprise environment, the security team strictly prohibits the export of the SSO client certificate (which is in the system keystore). And internal services also do not provide any technical account or token.
If node.js could internally access the SSO client certificate, we could integrate everything based on it. Electron-based apps also get this benefit. We could create desktop apps for the enterprise environment.

If this was completed, how do I use system-installed root certificates instead of bundled ones? It seems like there are tools to explicitly add my certificates to nodejs, but I can't find any documentation about how to get it to forget about its own certificate store, and only use my system store (particularly, without providing any paths).

and only use my system store (particularly, without providing any paths)

If you expect node to magically know where your system's certificate store can be found, it doesn't, bad expectation, but you can point it in the right direction with the --use-openssl-ca <dir> or --openssl-config <file> options (the SSL_CERT_DIR and OPENSSL_CONF environment variables, respectively.)

If you expect node to magically know where your system's certificate store can be found, it doesn't, bad expectation,

No, that's the whole point of Windows keeping certs in a well-known system-managed store in the registry. Native Windows apps look for certs by specifying a StoreLocation (CurrentUser or LocalMachine) and a StoreName (a purpose category), then certs can be enumerated or searched. An individual cert can be located by matching a value to any field (using X509FindType, often FindBySubjectName or FindByThumbprint) and optionally filtering to currently valid certs.

Exporting certificates to the filesystem and keeping it in sync isn't really idiomatic to the platform. It's a lowest-common-denominator approach to cross-platform support.

For the purposes of this issue, node would load the certs from the AuthRoot store in both the CurrentUser and LocalMachine locations to populate its CA list.

As you can probably tell from the --use-openssl-ca switch, node farms out certificate management to openssl and openssl doesn't support what you're asking for.

You could file a feature request with the openssl project but check its mailing list, it's a topic that's come up many times before and there are Reasons why things are the way they are.

Without that context, I can't really address any of that history. It seems like using more than exclusively openssl could be an option. 🤷‍♂️ It's a topic for another forum, I guess.

But there is also a Reason you'll continue to get this request.

I agree with @brianary -- not providing paths is indeed the entire point. I maintain the list of my certificates once and only once in a central location, and the applications I use know to look, without any configuration, for the system certificates that come pre-installed on every operating system. Sure, different operating systems put them in different places. But Windows and Linux aren't the same and always require different treatment. Sure, different distros of linux could put their root certificate stores in different places, but they don't vary very much. The location of the certificates on MacOS is predictable. It's predictable.

If I have to type in a filesystem path to run my interpreted program, there is a code-smell. My program won't work cross-platform, and it will be a giant pain for others to set up (and result in me fielding endless support questions about how to get their certificates installed correctly). It won't work in more strict corporate environments. It won't work in situations where certificates are managed by a 3rd party security division.

As you say, decisions in the internal implementation of node have made it easier for you to not solve this problem, and allow people to find workarounds. But this isn't solved, and it's not magic. Other programs like wget and .NET Core seem to have this down without issue.

From my perspective, it is simple.
If you'd like to make the Node runtime behave just like a usual browser (chromium, puppeteer, ...) and let users expect the same behavior as browsers, this is worth considering. (also my preference)
If you would like Node to behave differently and depend more on the bundled certs, yes, it's not an issue.

Just FYI, at some point Firefox also started to optionally refer to system certificates. I think this change makes a lot of sense.

If you want a way forward: open a pull request implementing it for the Big Three (Linux, macOS, Windows) and see how it's received.

Technologies:

  • Windows -> CryptoAPI
  • macOS -> Security.framework
  • Linux -> read /etc/ssl/certs? (My Linux desktop has two cert stores. Which one do you pick? Why?)

The original patch was to use the system CA via a system-installed OpenSSL. From OpenSSL,

https://mta.openssl.org/pipermail/openssl-users/2018-September/008691.html

OpenSSL does not use any certificate store, on any platform, it is up to the applications to do what they need.

OpenSSL does use $OPENSSLDIR/cert.pem
and $OPENSSL/certs/ as the default CAfile and CApath respectively
via the:

SSL_CTX_set_default_verify_paths()

On Linux systems, the system CA store/OpenSSL maintainer(s) would alter these paths and install other certificates into these stores (or compatible ones). I know that we have to manage various databases of these things for different software, like Firefox or libnss.

https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store

So for Windows, if you would like Node to use the cert store from Windows, I think it's up to you to provide the code required. Just like it was up to someone to provide the code required to use a non-bundled CA list on Linux. I don't think anyone else will start working on this unless there is interest. And for the last few years, not much interest.

You have the source code. Add the needed functionality (yourself or hire someone to do this for you). Make a Pull Request. Fix things that need to be fixed to get it accepted into Node proper. This is the power of open source - you have the power to change and improve the program incrementally for the "killer" features you must have.

You're right about open source; I wish my job was set up for me to do this type of thing. Anybody else want to take a crack at it? 😋
