Share

How to generate an HTTPS certificate with node-forge

A script that returns a self-signed certificate in Javascript

Author's image
Tamás Sallai
3 mins
Code is available on GitHub
Want to learn AWS serverless development? Click here

Generating HTTPS certificates

Many times I need to generate an HTTPS certificate for a development server. For example, I can use the https module to start a webserver:

import https from "https";

// ... get a certificate somehow

// start HTTPS server
const app = https.createServer({key: cert.privateKey, cert: cert.cert}, async (req, res) => {
	res.setHeader("Content-Type", "text/html");
	res.writeHead(200);
	res.end("Hello world!");
});

app.listen(8081);

But the https.createServer needs a certificate. How to generate it?

The official documentation as well as most articles recommend running OpenSSL commands in advance:

openssl genrsa -out key.pem
openssl req -new -key key.pem -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem
rm csr.pem

Then on the Javascript-side, dealing with certificates is a matter of reading files:

const options = {
	key: fs.readFileSync('key.pem'),
	cert: fs.readFileSync('cert.pem')
};

But, as usual, I wanted something simpler: an in-process generator that requires no setup and just works when I run the Javascript code.

PEM

For this I used to use the pem library. It has a createCertificate function thats result the https.createServer can use:

import pem from "pem";

const keys = await pem.promisified.createCertificate({days: 1, selfSigned: true});

https.createServer({key: keys.clientKey, cert: keys.certificate}, (req, res) => {
	// ...
}).listen(8081);

This works great, but under the hood it simply calls OpenSSL. I always found it a possible problem.

And indeed it broke recently because of this. So I continued searching for some other solution.

Node-forge

During this search, I stumbled upon this article: https://www.techengineer.one/how-to-generate-x-509v3-self-signed-certificate-in-pem-format-with-node-js/. It describes the solution for my problem.

With a few extra tweaks, this is the solution I ended up with:

import forge from "node-forge";
import crypto from "crypto";

export const generateCert = ({altNameIPs, altNameURIs, validityDays}) => {
	const keys = forge.pki.rsa.generateKeyPair(2048);
	const cert = forge.pki.createCertificate();
	cert.publicKey = keys.publicKey;

	// NOTE: serialNumber is the hex encoded value of an ASN.1 INTEGER.
	// Conforming CAs should ensure serialNumber is:
	// - no more than 20 octets
	// - non-negative (prefix a '00' if your value starts with a '1' bit)
	cert.serialNumber = '01' + crypto.randomBytes(19).toString("hex"); // 1 octet = 8 bits = 1 byte = 2 hex chars
	cert.validity.notBefore = new Date();
	cert.validity.notAfter = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * (validityDays ?? 1));
	const attrs = [{
		name: 'countryName',
		value: 'AU'
	}, {
		shortName: 'ST',
		value: 'Some-State'
	}, {
		name: 'organizationName',
		value: 'Internet Widgits Pty Ltd'
	}];
	cert.setSubject(attrs);
	cert.setIssuer(attrs);

	// add alt names so that the browser won't complain
	cert.setExtensions([{
		name: 'subjectAltName',
		altNames: [
			...(altNameURIs !== undefined ?
				altNameURIs.map((uri) => ({type: 6, value: uri})) :
				[]
			),
			...(altNameIPs !== undefined ?
				altNameIPs.map((uri) => ({type: 7, ip: uri})) :
				[]
			)
		]
	}]);
	// self-sign certificate
	cert.sign(keys.privateKey);

	// convert a Forge certificate and private key to PEM
	const pem = forge.pki.certificateToPem(cert);
	const privateKey = forge.pki.privateKeyToPem(keys.privateKey)

	return {
		cert: pem,
		privateKey
	};
}

This generates an https-compatible certificate:

const cert = generateCert({altNameIPs: ["127.0.0.1", "127.0.0.2"], validityDays: 2});

const app = https.createServer({key: cert.privateKey, cert: cert.cert}, async (req, res) => {
	res.setHeader("Content-Type", "text/html");
	res.writeHead(200);
	res.end("Hello world!");
});

app.listen(8081);

I added the ability to specify the alt name IP and domains, as well as a validity in days. But otherwise, this is the perfect solution: fully JS-based, no outside dependency, and does not require any additional setup.

How does it work?

It uses node-forge which is a pure JS implementation of all primitives related to TLS and other cryptographic tools. It can do a lot more than just generating and signing certificates, and its documentation contains a ton of examples.

Master AWS serverless app development

Well-researched, in-depth content to help you with your serverless journey.

Diving deep
S3 and CloudFront Signed URLs
How to handle files in an AWS serverless environment
Read more >
Specialization
Building GraphQL APIs with AWS AppSync
How to design, implement, and deploy GraphQL-based APIs on the AWS cloud
Read more >
Foundation
Promises and Async/Await in JavaScript
The building blocks of modern asynchronous programming
Read more >
October 25, 2022
Author's image
Tamás Sallai

I came to believe that great software craftsmanship starts with understanding the underlying technologies better. You can't rely on "easy solutions" and "quick fixes" when you want dependable systems. I write about technology to deepen my knowledge and also to help others solve problems.

I'm the author of the Building GraphQL APIs with AWS AppSync, the S3 and CloudFront Signed URLs, and the Promises and Async/Await in JavaScript books.

Check out the Books & Courses page for the other content I made.

Author's image

Hi, I'm Tamás,

I write articles about AWS, Javascript, security, and web technologies.

I'm the author of the Building GraphQL APIs with AWS AppSync, the S3 and CloudFront Signed URLs, and the Promises and Async/Await in JavaScript books.

Sign up to the newsletter and keep in touch.

In this article
Generating HTTPS certificatesPEMNode-forge