Nodejitsu


Why node-x509 was created and SSL certificate headaches


Here at Nodejitsu, we have many systems that interlink and communicate with each other as separate services.

Two of those services are our webops platform and our SSL certificate validation service. Some of you may have run into issues with a wildcard domain certificate, but this is now a thing of the past!

I spent a couple of days about two weeks ago writing a completely new certificate parser, built natively for Node. Its name is node-x509, or simply x509 on npm, and it's here to make certificate parsing a breeze.

Here's an example of node-x509 in action:

var x509 = require('x509');

// parseCert accepts either a path to a certificate file or the raw certificate string.
var cert = x509.parseCert(__dirname + '/certs/nodejitsu.com.crt');
/*
cert = { subject:
   { countryName: 'US',
     postalCode: '10010',
     stateOrProvinceName: 'NY',
     localityName: 'New York',
     streetAddress: '902 Broadway, 4th Floor',
     organizationName: 'Nodejitsu',
     organizationalUnitName: 'PremiumSSL Wildcard',
     commonName: '*.nodejitsu.com' },
  issuer: 
   { countryName: 'GB',
     stateOrProvinceName: 'Greater Manchester',
     localityName: 'Salford',
     organizationName: 'COMODO CA Limited',
     commonName: 'COMODO High-Assurance Secure Server CA' },
  notBefore: '10/29/2012 00:00:00 GMT',
  notAfter: '11/26/2014 23:59:59 GMT',
  altNames: [ '*.nodejitsu.com', 'nodejitsu.com' ] }
*/

Before this was written, we were making one or more function calls and using an OpenSSL child_process just to get certificate information. If we were getting a raw string or a file, we then had to change the child_process call so that we could .write() the raw string through the child's stdin. node-x509 doesn't care whether it's a file or a string. It will first try reading it as a raw string, and then try to read it as a file. So there is a fallback built in! No need to open another child_process and then .write() to its input with a raw string. You can see the source for how the fallback works here, and the complete usage documentation here.

The main problem we had with OpenSSL, other than their lack of documentation, is that there is no simple way to dump extension information for a certificate from their command line tool. Since there is no way for us to easily dump the extensions from the command line, we couldn't get to your alternate name through the child_process calls. This caused errors stating that your certificate was invalid if you were trying to add a domain in the alternate names. node-x509 takes care of this problem.
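The alternate-name problem described above, as an added example (not Nodejitsu's validation service code and not part of node-x509): a check of whether a hostname is covered by a parsed certificate, run on an object shaped like the sample output. The helper names `parseCertDate`, `nameMatches` and `checkDomain` and the check time are assumptions; the matching rule is the usual one where a wildcard covers a single left-most label.

```javascript
// Constructed input: the fields of the sample parseCert() output that matter here.
const cert = {
  subject: { commonName: '*.nodejitsu.com' },
  notBefore: '10/29/2012 00:00:00 GMT',
  notAfter: '11/26/2014 23:59:59 GMT',
  altNames: ['*.nodejitsu.com', 'nodejitsu.com']
};

// Parse the 'MM/DD/YYYY HH:MM:SS GMT' strings explicitly instead of relying on
// Date.parse, whose handling of non-ISO formats is implementation-defined.
function parseCertDate(s) {
  const m = /^(\d{2})\/(\d{2})\/(\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT$/.exec(s);
  if (!m) throw new Error('unexpected date format: ' + s);
  return new Date(Date.UTC(+m[3], m[1] - 1, +m[2], +m[4], +m[5], +m[6]));
}

// A wildcard is honoured only as the whole left-most label and covers exactly
// one label: '*.nodejitsu.com' matches 'www.nodejitsu.com', but neither the
// bare domain nor 'a.b.nodejitsu.com'.
function nameMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  if (p.length !== h.length || h.some((label) => label === '')) return false;
  if (p[0] === '*' && p.length < 3) return false; // reject over-broad wildcards
  return p.every((label, i) => (i === 0 && label === '*') || label === h[i]);
}

// Decide whether `host` is covered by the certificate at time `now`.
// altNames take precedence; commonName is consulted only when there are none.
function checkDomain(cert, host, now) {
  if (now < parseCertDate(cert.notBefore)) return { ok: false, reason: 'not yet valid' };
  if (now > parseCertDate(cert.notAfter)) return { ok: false, reason: 'expired' };
  const names = cert.altNames && cert.altNames.length
    ? cert.altNames
    : [cert.subject.commonName];
  const matched = names.find((n) => nameMatches(n, host));
  return matched ? { ok: true, matched } : { ok: false, reason: 'name not covered' };
}

const now = new Date(Date.UTC(2013, 5, 1)); // constructed check time inside the validity window
for (const host of ['nodejitsu.com', 'www.nodejitsu.com', 'a.b.nodejitsu.com']) {
  console.log(host, checkDomain(cert, host, now));
}
```

Without the altNames array, the bare domain is reported as not covered, which is the failure the command-line approach produced.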

I would absolutely encourage you to check out node-x509 if you have the need for a simple X509 solution. You can install this module from NPM with npm install x509. I also encourage feedback, pull requests, and please file a bug if you find one!