CertificateGeneration.sh

###
#Step 1 - Generate server certificates etc...  (most of this code is horribly ripped off from nodejs docs currently -> http://nodejs.org/docs/latest/api/tls.html)
###
 
#Assuming your starting from a clean directory

mkdir authority
cd authority

#generate private key
openssl genrsa -out authority-private-key.pem 4096

#generate signing request
openssl req -new -key authority-private-key.pem -out authority-certificate-signing-request.pem

#self sign the request (or send off the Verisign etc etc)
openssl x509 -req -in authority-certificate-signing-request.pem -signkey authority-private-key.pem -out authority-certificate.pem

cd ../

mkdir server
cd server
 
#generate private key
openssl genrsa -out server-private-key.pem 4096
 
#generate signing request
openssl req -new -key server-private-key.pem -out server-certificate-signing-request.pem
 
#self sign the request (or send off the Verisign etc etc)
openssl x509 -req -in server-certificate-signing-request.pem -signkey ../authority/authority-private-key.pem -out server-certificate.pem
 
###
#Step 2 - now for the client certificates
###
cd ../
mkdir client
cd client
 
 
#generate private key
openssl genrsa -out client-private-key.pem 4096
 
#generate signing request
openssl req -new -key client-private-key.pem -out client-certificate-signing-request.pem
 
#self sign the request (or send off the Verisign etc etc)
openssl x509 -req -in client-certificate-signing-request.pem -signkey ../authority/authority-private-key.pem -out client-certificate.pem
 

client.js

var tls = require('tls');
var fs = require('fs');

var options = {
  // These are necessary only if using the client certificate authentication (so yeah, you need them)
  key: fs.readFileSync('client-private-key.pem'),
  cert: fs.readFileSync('client-certificate.pem'),

  // This is necessary only if the server uses the self-signed certificate
  ca: [ fs.readFileSync('../server/server-certificate.pem') ]
};

var cleartextStream = tls.connect(443, options, function() {
  console.log('client connected',
              cleartextStream.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(cleartextStream);
  process.stdin.resume();
});
cleartextStream.setEncoding('utf8');
cleartextStream.on('data', function(data) {
  console.log(data);
});
cleartextStream.on('end', function() {
  server.close();
});

server.js

var tls = require('tls');
var fs = require('fs');

var options = {
  key: fs.readFileSync('server-private-key.pem'),
  cert: fs.readFileSync('server-certificate.pem'),

  // This is necessary only if using the client certificate authentication.
  // Without this some clients don't bother sending certificates at all, some do
  requestCert: true,
 
  // Do we reject anyone who certs who haven't been signed by our recognised certificate authorities
  rejectUnauthorized: true

  // This is necessary only if the client uses the self-signed certificate and you care about implicit authorization
  ca: [ fs.readFileSync('../client/client-certificate.pem') ]

};

var server = tls.createServer(options, function(cleartextStream) {

  //Show the certificate info as supplied by the client
  console.log(cleartextStream.getPeerCertificate());

  console.log('server connected',
              cleartextStream.authorized ? 'authorized' : 'unauthorized');
  cleartextStream.write("welcome!\n");
  cleartextStream.setEncoding('utf8');
  cleartextStream.pipe(cleartextStream);
});
server.listen(443, function() {
  console.log('server bound');
});