Share

How to generate an HTTPS certificate with node-forge

A script that returns a self-signed certificate in Javascript

Author's image
Tamás Sallai
3 mins
Code is available on GitHub
Want to learn AWS serverless development? Click here

Generating HTTPS certificates

Many times I need to generate an HTTPS certificate for a development server. For example, I can use the https module to start a webserver:

import https from "https";

// ... get a certificate somehow

// start HTTPS server
const app = https.createServer({key: cert.privateKey, cert: cert.cert}, async (req, res) => {
	res.setHeader("Content-Type", "text/html");
	res.writeHead(200);
	res.end("Hello world!");
});

app.listen(8081);

But the https.createServer needs a certificate. How to generate it?

The official documentation as well as most articles recommend running OpenSSL commands in advance:

openssl genrsa -out key.pem
openssl req -new -key key.pem -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem
rm csr.pem

Then on the Javascript-side, dealing with certificates is a matter of reading files:

const options = {
	key: fs.readFileSync('key.pem'),
	cert: fs.readFileSync('cert.pem')
};

But, as usual, I wanted something simpler: an in-process generator that requires no setup and just works when I run the Javascript code.

Book
Building GraphQL APIs with AWS AppSync
How to design, implement, and deploy GraphQL-based APIs on the AWS cloud

PEM

For this I used to use the pem library. It has a createCertificate function thats result the https.createServer can use:

import pem from "pem";

const keys = await pem.promisified.createCertificate({days: 1, selfSigned: true});

https.createServer({key: keys.clientKey, cert: keys.certificate}, (req, res) => {
	// ...
}).listen(8081);

This works great, but under the hood it simply calls OpenSSL. I always found it a possible problem.

And indeed it broke recently because of this. So I continued searching for some other solution.

Node-forge

During this search, I stumbled upon this article: https://www.techengineer.one/how-to-generate-x-509v3-self-signed-certificate-in-pem-format-with-node-js/. It describes the solution for my problem.

With a few extra tweaks, this is the solution I ended up with:

import forge from "node-forge";
import crypto from "crypto";

export const generateCert = ({altNameIPs, altNameURIs, validityDays}) => {
	const keys = forge.pki.rsa.generateKeyPair(2048);
	const cert = forge.pki.createCertificate();
	cert.publicKey = keys.publicKey;

	// NOTE: serialNumber is the hex encoded value of an ASN.1 INTEGER.
	// Conforming CAs should ensure serialNumber is:
	// - no more than 20 octets
	// - non-negative (prefix a '00' if your value starts with a '1' bit)
	cert.serialNumber = '01' + crypto.randomBytes(19).toString("hex"); // 1 octet = 8 bits = 1 byte = 2 hex chars
	cert.validity.notBefore = new Date();
	cert.validity.notAfter = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * (validityDays ?? 1));
	const attrs = [{
		name: 'countryName',
		value: 'AU'
	}, {
		shortName: 'ST',
		value: 'Some-State'
	}, {
		name: 'organizationName',
		value: 'Internet Widgits Pty Ltd'
	}];
	cert.setSubject(attrs);
	cert.setIssuer(attrs);

	// add alt names so that the browser won't complain
	cert.setExtensions([{
		name: 'subjectAltName',
		altNames: [
			...(altNameURIs !== undefined ?
				altNameURIs.map((uri) => ({type: 6, value: uri})) :
				[]
			),
			...(altNameIPs !== undefined ?
				altNameIPs.map((uri) => ({type: 7, ip: uri})) :
				[]
			)
		]
	}]);
	// self-sign certificate
	cert.sign(keys.privateKey);

	// convert a Forge certificate and private key to PEM
	const pem = forge.pki.certificateToPem(cert);
	const privateKey = forge.pki.privateKeyToPem(keys.privateKey)

	return {
		cert: pem,
		privateKey
	};
}

This generates an https-compatible certificate:

const cert = generateCert({altNameIPs: ["127.0.0.1", "127.0.0.2"], validityDays: 2});

const app = https.createServer({key: cert.privateKey, cert: cert.cert}, async (req, res) => {
	res.setHeader("Content-Type", "text/html");
	res.writeHead(200);
	res.end("Hello world!");
});

app.listen(8081);

I added the ability to specify the alt name IP and domains, as well as a validity in days. But otherwise, this is the perfect solution: fully JS-based, no outside dependency, and does not require any additional setup.

How does it work?

It uses node-forge which is a pure JS implementation of all primitives related to TLS and other cryptographic tools. It can do a lot more than just generating and signing certificates, and its documentation contains a ton of examples.

Master AWS serverless app development

Well-researched books and courses to help you with your serverless journey in one single package.

A package of 4 books and 1 course.

Build deep understanding and accelerate your learning of AWS, serverless, and web technologies.

More info and sign up >
October 25, 2022
Author's image
Tamás Sallai

I came to believe that great software craftsmanship starts with understanding the underlying technologies better. You can't rely on "easy solutions" and "quick fixes" when you want dependable systems. I write about technology to deepen my knowledge and also to help others solve problems.

I'm the author of several books and courses.

Author's image

Hi, I'm Tamás,

I write articles about AWS, Javascript, security, and web technologies.

I'm the author of several books and courses.

Free PDF guide

Sign up to our newsletter and download the "Git Tips and Tricks" guide.

In this article
Generating HTTPS certificates PEM Node-forge