/nodejs-certificate-auth

Demo for Client Certificate Authentication with Node.js Tutorial

Primary LanguageJavaScriptMIT LicenseMIT

Client Certificate Authentication (mTLS) with Node.js

This is demo on how to do client authentication with certificates, mTLS or mutual TLS - as opposed to username and passwords with out of the box (OOTB) Node.js.

This demo has a server with two clients:

  • "Alice" who has a server-signed trusted certificate
  • "Bob" who has an invalid self-signed certificate

Diagram

Based on the following tutorials:

Demo: How to Use

First install required dependencies with npm install. Then the demo works as follows:

Step 1 - Start Server

We start a sever that by default only accepts requests authenticated by client certificates

npm run server

You can test this is working by opening https://localhost:4433/ in your browser.

Step 2 - Test Valid Client (Alice)

Alice has a valid certificate issued by server, so she can talk to the server:

$ npm run valid-client

> node ./client/valid-app.js

Hello Alice, your certificate was issued by localhost!

Step 3 - Test Invalid Client (Bob)

Bob has a self-issued certificate, which is rejected by the server:

$ npm run invalid-client

> node ./client/invalid-app.js

Sorry Bob, certificates from Bob are not welcome here.

Reference - Introduction to Creating Certificates

Server Certificates

  • CN: localhost
  • O: Client Certificate Demo
openssl req \
	-x509 \
	-newkey rsa:4096 \
	-keyout server/server_key.pem \
	-out server/server_cert.pem \
	-nodes \
	-days 365 \
	-subj "/CN=localhost/O=Client\ Certificate\ Demo"

This command shortens following three commands:

  • openssl genrsa
  • openssl req
  • openssl x509

which generates two files:

  • server_cert.pem
  • server_key.pem

Create Client Certificates

For demo, two users are created:

  • Alice, who has a valid certificate, signed by the server
  • Bob, who creates own certificate, self-signed

Create Alice's Certificate (server-signed and valid)

We create a certificate for Alice.

  • sign alice's Certificate Signing Request (CSR)...
  • with our server key via -CA server/server_cert.pem and -CAkey server/server_key.pem flags
  • and save results as certificate
# generate server-signed (valid) certifcate
openssl req \
	-newkey rsa:4096 \
	-keyout client/alice_key.pem \
	-out client/alice_csr.pem \
	-nodes \
	-days 365 \
	-subj "/CN=Alice"

# sign with server_cert.pem
openssl x509 \
	-req \
	-in client/alice_csr.pem \
	-CA server/server_cert.pem \
	-CAkey server/server_key.pem \
	-out client/alice_cert.pem \
	-set_serial 01 \
	-days 365

Create Bob's Certificate (self-signed and invalid)

Bob creates own without our server key.

# generate self-signed (invalid) certifcate
openssl req \
	-newkey rsa:4096 \
	-keyout client/bob_key.pem \
	-out client/bob_csr.pem \
	-nodes \
	-days 365 \
	-subj "/CN=Bob"

# sign with bob_csr.pem
openssl x509 \
	-req \
	-in client/bob_csr.pem \
	-signkey client/bob_key.pem \
	-out client/bob_cert.pem \
	-days 365

Notes

  • Let's Encrypt is a "free, automated, and open" Certificate Authority
  • PEM: Privacy Enhanced Mail is a Base64 encoded DER certificate

OpenSSL commands

Command Documentation Description
genrsa Docs Generates an RSA private key
req Docs Primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.
x509 Docs The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA" or edit certificate trust settings.

View all openssl commands →