[private|local] CA & reverse proxy


ming

Aug 4, 2013, 11:10:44 PM
to nod...@googlegroups.com
Hi,
Currently I'm running a private (or local) CA. I use the private CA to sign client-side certs. In addition, the cert of the server that I run my node.js program on is also signed by my private CA.

To wit, I've the following:

---------------------------------------------
var fs    = require('fs');
var https = require('https');

var proxyOptions =
  {
    key:  fs.readFileSync('server.key'),
    cert: fs.readFileSync('server.cert'),
    ca:   fs.readFileSync('CA.cert'),   // private CA that signs the client-side certs
    requestCert: true,
    // ...
  };

https.createServer
  (
    proxyOptions,
    function(req,res)
    {
      // ...
    }
  );
---------------------------------------------

wherein the server.cert is signed by the private CA whose cert is CA.cert.

A quick question: if I replace the server.[key|cert] with a key & cert signed by some well known root CA (e.g., VeriSign), will that have any impact on the existing client-side cert authentication? My guess is no, since the client-side certs are signed by the private CA whose cert is still in the proxyOptions. Am I right?

Thanks.




Ben Noordhuis

Aug 5, 2013, 6:09:38 AM
to nod...@googlegroups.com
Alas, no.

When you pass a CA certificate/chain with the 'ca' option, node.js
won't load any root certificates, just the certificate/chain that you
specified.

Maybe we should add an option that says 'load this CA _and_ the root
certificates.' If you open an issue, we'll look into it.

ming

Aug 5, 2013, 7:26:41 AM
to nod...@googlegroups.com
Hi Ben,
Thank you for the reply. I've a few questions about your reply:


> When you pass a CA certificate/chain with the 'ca' option, node.js
> won't load any root certificates, just the certificate/chain that you
> specified.

Why do I need to add the cert of the well known CA (say VeriSign) that signs my server's cert? When clients (real humans or applications) visit my site, say via HTTPS or SPDY at
     https://foo.bar.com/....
it's the responsibility of the client's browser or application to know of the well known CA's cert for the SSL/TLS handshake, right?

My private CA is only responsible for the client-side cert authentication, since the cert for my server, namely foo.bar.com, is no longer signed by my private CA. Am I missing some detail here?


> Maybe we should add an option that says 'load this CA _and_ the root
> certificates.'  If you open an issue, we'll look into it.

If needed, I can specify more than one cert in the "ca" of the proxyOptions in the code snippet included earlier. In the node.js TLS docs:
    http://nodejs.org/api/tls.html
you'll find
    ca: An array of strings or Buffers of trusted certificates ...

So I can add more than one CA cert if needed, but I just don't think I need to do that in this case.

Thanks again.

Ben Noordhuis

Aug 5, 2013, 7:44:21 AM
to nod...@googlegroups.com
On Mon, Aug 5, 2013 at 1:26 PM, ming <hseu...@gmail.com> wrote:
> Hi Ben,
> Thank you for the reply. i've a few questions about your reply:
>
>
>> When you pass a CA certificate/chain with the 'ca' option, node.js
>> won't load any root certificates, just the certificate/chain that you
>> specified.
>
> Why do i need to add the cert of the well known CA (say VeriSign) that signs
> my server's cert? When clients (real humans or applications) visit my
> site say via HTTPS or SPDY at
> https://foo.bar.com/....
> it's the responsibility of the client's browser or application to know of
> the well known CA's cert for the SSL/TLS handshake, right?
>
> My private CA is only responsible for the client-side cert authentication
> since the cert for my server, namely foo.bar.com, is no longer signed by my
> private CA. Am i missing some detail here?

Sorry, I must have misunderstood that part. If you're only using the
CA for client certificate verification, then yes, changing the
server's key and certificate to something signed by a well-known CA is
no problem.

Hseu-Ming Chen

Aug 5, 2013, 10:12:36 PM
to nod...@googlegroups.com
Thanks for your input again. I gave that a try earlier today and it works without a hitch.


