Hi Ben,

Thank you for the reply. i've a few questions about your reply:

> When you pass a CA certificate/chain with the 'ca' option, node.js
> won't load any root certificates, just the certificate/chain that you
> specified.

Why do i need to add the cert of the well known CA (say VeriSign) that signs my server's cert? When clients (real humans or applications) visit my site say via HTTPS or SPDY at https://foo.bar.com/.... it's the responsibility of the client's browser or application to know of the well known CA's cert for the SSL/TLS handshake, right? My private CA is only responsible for the client-side cert authentication since the cert for my server, namely foo.bar.com, is no longer signed by my private CA. Am i missing some detail here?

> Maybe we should add an option that says 'load this CA _and_ the root
> certificates.' If you open an issue, we'll look into it.

If needed, i can specify more than one cert in the "ca" of the proxyOptions in the code snippet included earlier. In the node.js TLS: http://nodejs.org/api/tls.html you'll find

ca: An array of strings or Buffers of trusted certificates ...

So i can add more than one CA cert if needed but i just don't think i need to do that in this case.

Thanks again.

On Monday, August 5, 2013 6:09:38 AM UTC-4, Ben Noordhuis wrote:
> On Mon, Aug 5, 2013 at 5:10 AM, ming <hseu...@gmail.com> wrote:
> > Hi,
> > Currently i'm running a private (or local) CA. i use the private CA to sign
> > client-side certs. In addition, the cert of the server that i run my
> > node.js program on is also signed by my private CA.
> >
> > To wit, i've the following:
> >
> > ---------------------------------------------
> > var proxyOptions =
> > {
> >   key: fs.readFileSync('server.key'),
> >   cert: fs.readFileSync('server.cert'),
> >   ca: fs.readFileSync('CA.cert'),
> >   requestCert: true,
> >   ...
> > };
> >
> > https.createServer
> > (
> >   proxyOptions,
> >   function(req,res)
> >   ...
> > ---------------------------------------------
> >
> > wherein the server.cert is signed by the private CA whose cert is CA.cert.
> >
> > A quick question: if i replace the server.[key|cert] with key & cert signed
> > by some well known root CA (e.g., VeriSign), will that have any impact on
> > the existing client-side cert authentication? My guess is no since the
> > client-side certs are signed by the private CA whose cert is still in the
> > proxyOptions. Am i right?
> >
> > Thanks.
>
> Alas, no.
>
> When you pass a CA certificate/chain with the 'ca' option, node.js
> won't load any root certificates, just the certificate/chain that you
> specified.
>
> Maybe we should add an option that says 'load this CA _and_ the root
> certificates.' If you open an issue, we'll look into it.