
A Waage Blog

Ruby, Rails, Life


Install Comodo PositiveSSL Certificate with Node.js


So today I tried to install the cheap Comodo PositiveSSL certificate to use on my Node.js / express.js server. Unfortunately, all the documentation and examples of installing an SSL certificate on a Node.js server only mention two options in the createServer() method (see my full example here):

var https = require('https');
var fs = require("fs");

var https_options = {
  key: fs.readFileSync("/path/to/server.key"),
  cert: fs.readFileSync("/path/to/mydomain.crt")
};
var https_server = https.createServer(https_options);

However, with the PositiveSSL certificate, Comodo will actually send you 3 files:
1) PositiveSSLCA2.crt
2) AddTrustExternalCARoot.crt
3) mydomain.crt

This is quite confusing for someone who doesn’t really understand (nor wants to understand) all the details of how an SSL certificate works. Which one do I use for the cert: option?

Naturally, I started with the mydomain.crt file. This led to a cryptic web browser error message:
“this certificate was signed by an unknown authority”

So, a bit of googling found that when installing the PositiveSSL cert on Apache servers, you must use a chain file (mod_ssl option: SSLCertificateChainFile). If you check the Apache mod_ssl documentation you will see that this file is a concatenation of certificate files:

“Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.”

So, what you have to do is the following:
1) Create a “bundle” file by concatenating the PositiveSSLCA2 and AddTrustExternalCARoot certificates

cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > mydomain.ca-bundle

2) Add this certificate as the “ca” option when creating your Node.js server:

var https = require('https');
var fs = require("fs");

var https_options = {
  ca: fs.readFileSync("/path/to/mydomain.ca-bundle"),
  key: fs.readFileSync("/path/to/server.key"),
  cert: fs.readFileSync("/path/to/mydomain.crt")
};
var https_server = https.createServer(https_options);

This should properly set up the CA chain so that browsers can verify the SSL certificate.
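A check worth running on the bundle from step 1, as an added example that is not part of the original post: if PositiveSSLCA2.crt has no trailing newline, `cat` glues the END and BEGIN markers onto one line, so this sketch splits the bundle into one normalized certificate per entry and hands `ca` to Node as an array, which the TLS options also accept. The names `splitPemBundle` and `buildHttpsOptions` are hypothetical, and the PEM text is constructed placeholder data.

```javascript
// Added example; the PEM text below is constructed placeholder data,
// not real certificates.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;

// Split a concatenated bundle into one normalized PEM string per certificate.
// Also handles a source file with no trailing newline, where `cat` glues
// "-----END CERTIFICATE-----" directly onto the next "-----BEGIN" marker.
function splitPemBundle(text) {
  const blocks = String(text).match(PEM_BLOCK) || [];
  return blocks.map(function (block) {
    const body = block
      .replace(/-----(BEGIN|END) CERTIFICATE-----/g, "")
      .replace(/\s+/g, "");
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
      throw new Error("certificate block is not valid base64");
    }
    return "-----BEGIN CERTIFICATE-----\n" + body.match(/.{1,64}/g).join("\n") +
      "\n-----END CERTIFICATE-----\n";
  });
}

// Build createServer() options with `ca` as an array, one certificate each.
function buildHttpsOptions(keyPem, certPem, bundlePem) {
  const leaf = splitPemBundle(certPem);
  if (leaf.length !== 1) {
    throw new Error("cert file must hold exactly one certificate, got " + leaf.length);
  }
  const ca = splitPemBundle(bundlePem);
  if (ca.length === 0) throw new Error("CA bundle contains no certificates");
  return { key: keyPem, cert: leaf[0], ca: ca };
}

// Constructed sample: two placeholder blocks glued without a newline between
// them, the second with CRLF line endings.
const SAMPLE_BUNDLE =
  "-----BEGIN CERTIFICATE-----\nQUFBQQ==\n-----END CERTIFICATE-----" +
  "-----BEGIN CERTIFICATE-----\r\nQkJCQg==\r\n-----END CERTIFICATE-----\r\n";
const SAMPLE_LEAF =
  "-----BEGIN CERTIFICATE-----\nQ0NDQw==\n-----END CERTIFICATE-----\n";

const sampleOptions = buildHttpsOptions("(server.key contents)", SAMPLE_LEAF, SAMPLE_BUNDLE);
console.log(sampleOptions.ca.length + " CA certificates found in the bundle");
```

In real use, pass the three `fs.readFileSync(...)` results from the snippet above to `buildHttpsOptions` and give the returned object to `https.createServer()`.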

Written by Andrew Waage

March 4th, 2012 at 5:42 pm