https-demo

A simple demo of an https server using NodeJS

Primary language: JavaScript

Generating an SSL Certificate for Development

Here are all the steps I followed to create an SSL certificate for the API, in outline:

  1. Generate a Certificate Authority - we import the generated file into Chrome and add it to our Trusted Root Certificates
  2. Create a Private Key - this is what we use to "sign" a new certificate signing request
  3. Create a Certificate Signing Request - done using the Private Key
  4. Create a Config File - declares localhost as a Subject Alternative Name so the browser accepts the certificate for that host
  5. Generate a Public Certificate - the CSR is signed by the Certificate Authority
  6. Forward Secrecy - from the NodeJS documentation, using the Diffie-Hellman key-agreement protocol

IMPORTANT NOTE: if you're prompted for a Common Name in any of the following commands, enter localhost

Use Node version 16.10.0

  • Check your version using node --version
  • Switch version using nvm use 16.10.0
  • Install it using nvm i 16.10.0. This ensures TLS v1.3 is enforced (better security).

All OpenSSL-related tasks will occur in a folder titled certs in this repo. Run the following commands to set it up:

mkdir certs
cd certs

Let's proceed with the steps to generate a Root CA and certificate.

Generate a Certificate Authority

Step 1: Generate a Private Key

openssl genrsa -out rootCAKey.pem 4096

Step 2: Generate a Self-Signed Root Certificate Authority

openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem

Create a Private Key

openssl genrsa -out server-key.pem 4096

Create a Certificate Signing Request

openssl req -new -key server-key.pem -out server-csr.pem

Create a Config File

This extensions file adds localhost as a subjectAltName, which is what the browser actually checks when matching the certificate to the host. Before adding it I was getting an error saying the 'Common Name' of the certificate couldn't be verified. I tried using 127.0.0.1, localhost, localhost:3001, https://localhost:3001, and so on, however, that didn't resolve it.

The following solution gets around that. Create a new file v3.ext and open it in a text editor:

touch v3.ext
nano v3.ext

Add the following contents to the file:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

Exit the editor by pressing Ctrl+X, then y to save the changes.

You can also add an IP address to alt_names, for example:

IP.1 = 0.0.0.0

Using this extensions file, we can finally generate the public certificate.

Generate a Public Certificate

openssl x509 -req -in server-csr.pem -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server-cer.pem -days 500 -sha256 -extfile v3.ext

Verify Certificate Contents

openssl x509 -in server-cer.pem -text -noout

Forward Secrecy

This generates Diffie-Hellman parameters. The NodeJS TLS documentation describes passing this file as the server's dhparam option so that sessions use ephemeral Diffie-Hellman key agreement, which gives them forward secrecy: a later compromise of the server's private key does not expose the traffic of past sessions.

openssl dhparam -outform PEM -out dhparam.pem 2048

Some Helpful Links