Hi Ben,
Thank you for the reply. I've a few questions about your reply:

> When you pass a CA certificate/chain with the 'ca' option, node.js 
> won't load any root certificates, just the certificate/chain that you 
> specified. 

Why do I need to add the cert of the well-known CA (say VeriSign) that 
signs my server's cert? When clients (real humans or applications) visit 
my site say via HTTPS or SPDY at
     https://foo.bar.com/....
it's the responsibility of the client's browser or application to know of 
the well-known CA's cert for the SSL/TLS handshake, right?

My private CA is only responsible for the client-side cert authentication 
since the cert for my server, namely foo.bar.com, is no longer signed by my 
private CA. Am I missing some detail here?

> Maybe we should add an option that says 'load this CA _and_ the root 
> certificates.'  If you open an issue, we'll look into it. 

If needed, I can specify more than one cert in the "ca" of the proxyOptions 
in the code snippet included earlier. In the node.js TLS:
    http://nodejs.org/api/tls.html
you'll find 
    ca: An array of strings or Buffers of trusted certificates ...

So I can add more than one CA cert if needed but I just don't think I need 
to do that in this case.

Thanks again.




On Monday, August 5, 2013 6:09:38 AM UTC-4, Ben Noordhuis wrote:
>
> On Mon, Aug 5, 2013 at 5:10 AM, ming <hseu...@gmail.com> wrote: 
> > Hi, 
> > Currently I'm running a private (or local) CA.  I use the private CA to sign 
> > client-side certs.  In addition, the cert of the server that I run my 
> > node.js program on is also signed by my private CA. 
> > 
> > To wit, I've the following: 
> > 
> > --------------------------------------------- 
> > var proxyOptions = 
> >   { 
> >     key:  fs.readFileSync('server.key'), 
> >     cert: fs.readFileSync('server.cert'), 
> >     ca:   fs.readFileSync('CA.cert'), 
> >     requestCert: true, 
> >     ... 
> >   }; 
> > 
> > https.createServer 
> >   ( 
> >     proxyOptions, 
> >     function(req,res) 
> >     ... 
> > --------------------------------------------- 
> > 
> > wherein the server.cert is signed by the private CA whose cert is CA.cert. 
> > 
> > A quick question: if I replace the server.[key|cert] with key & cert signed 
> > by some well-known root CA (e.g., VeriSign), will that have any impact on 
> > the existing client-side cert authentication?   My guess is no since the 
> > client-side certs are signed by the private CA whose cert is still in the 
> > proxyOptions.   Am I right? 
> > 
> > Thanks. 
>
> Alas, no. 
>
> When you pass a CA certificate/chain with the 'ca' option, node.js 
> won't load any root certificates, just the certificate/chain that you 
> specified. 
>
> Maybe we should add an option that says 'load this CA _and_ the root 
> certificates.'  If you open an issue, we'll look into it. 
>
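
The 'ca' override discussed in this thread, as an added example that is not part of either message and not node.js project code: it builds the 'ca' list for a client-authenticating server (private CA only) and for an outbound client that also needs the bundled roots. The helper names are hypothetical; it assumes a node.js version that provides tls.rootCertificates and crypto.X509Certificate.

```javascript
// Added example; helper names are hypothetical, not node.js APIs.
const tls = require('tls');
const { X509Certificate } = require('crypto');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Build a value for the 'ca' option from PEM bundles (string or Buffer),
// optionally appended to node's bundled roots, de-duplicated by fingerprint.
function buildCaList(bundles, includeRoots) {
  const byFingerprint = new Map();
  const add = (pem) => {
    const cert = new X509Certificate(pem); // throws on a malformed certificate
    byFingerprint.set(cert.fingerprint256, pem);
  };
  if (includeRoots) tls.rootCertificates.forEach(add);
  for (const bundle of bundles) {
    const pems = String(bundle).match(PEM_CERT);
    // Fail closed: an unreadable bundle must not silently shrink the trust list.
    if (!pems) throw new Error('no certificate found in CA bundle');
    pems.forEach(add);
  }
  return [...byFingerprint.values()];
}

// Server side: with requestCert, 'ca' is the set of issuers accepted for
// client certificates, so it holds the private CA and nothing else.
function mutualTlsServerOptions(key, certChain, privateCaBundle) {
  return {
    key,
    cert: certChain, // chain the server presents to clients
    ca: buildCaList([privateCaBundle], false),
    requestCert: true,
    rejectUnauthorized: true, // drop clients whose cert does not chain to 'ca'
  };
}

// Client side: an outbound connection that must verify servers issued by
// either the private CA or a public CA needs both in 'ca'.
function outboundClientOptions(privateCaBundle) {
  return { ca: buildCaList([privateCaBundle], true) };
}
```

Adding public roots to the server-side list would let any certificate issued under those roots pass client authentication, which is why the two option builders differ.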
