TLS certificate inspection example (using nodejs)

CertificateGeneration.sh

###
#Step 1 - Generate server certificates etc...  (most of this code is horribly ripped off from nodejs docs currently -> http://nodejs.org/docs/latest/api/tls.html)
###

#Assuming your starting from a clean directory

mkdir server
cd server

#generate private key
openssl genrsa -out server-private-key.pem 4096

#generate signing request
openssl req -new -key server-private-key.pem -out server-certificate-signing-request.pem

#self sign the request (or send off the Verisign etc etc)
openssl x509 -req -in server-certificate-signing-request.pem -signkey server-private-key.pem -out server-certificate.pem

###
#Step 2 - now for the client certificates
###
cd ../
mkdir client
cd client


#generate private key
openssl genrsa -out client-private-key.pem 4096

#generate signing request
openssl req -new -key client-private-key.pem -out client-certificate-signing-request.pem

#self sign the request (or send off the Verisign etc etc)
openssl x509 -req -in client-certificate-signing-request.pem -signkey client-private-key.pem -out client-certificate.pem

###
# Step 3 - create some code (copy + pasta)
###

# Copy the server.js file to the server folder, and the client.js file to client folder
# Make sure you have 2 terminal windows open
# Goto the server folder in terminal window 1
sudo node server.js
# Goto the client folder in terminal window 2
node client.js
# See output in terminal window 1
# Profit (or better yet improve this code so it's actually more useful

client.js

var tls = require('tls');
var fs = require('fs');

var options = {
  // These are necessary only if using the client certificate authentication (so yeah, you need them)
  key: fs.readFileSync('client-private-key.pem'),
  cert: fs.readFileSync('client-certificate.pem'),

  // This is necessary only if the server uses the self-signed certificate
  ca: [ fs.readFileSync('../server/server-certificate.pem') ]
};

var cleartextStream = tls.connect(443, options, function() {
  console.log('client connected',
              cleartextStream.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(cleartextStream);
  process.stdin.resume();
});
cleartextStream.setEncoding('utf8');
cleartextStream.on('data', function(data) {
  console.log(data);
});
cleartextStream.on('end', function() {
  server.close();
});

server.js

var tls = require('tls');
var fs = require('fs');

var options = {
  key: fs.readFileSync('server-private-key.pem'),
  cert: fs.readFileSync('server-certificate.pem'),

  // This is necessary only if using the client certificate authentication.
  // Without this some clients don't bother sending certificates at all, some do
  requestCert: true,
 
  // Do we reject anyone who certs who haven't been signed by our recognised certificate authorities
  rejectUnauthorized: true

  // This is necessary only if the client uses the self-signed certificate and you care about implicit authorization
  ca: [ fs.readFileSync('../client/client-certificate.pem') ]

};

var server = tls.createServer(options, function(cleartextStream) {

  //Show the certificate info as supplied by the client
  console.log(cleartextStream.getPeerCertificate());

  console.log('server connected',
              cleartextStream.authorized ? 'authorized' : 'unauthorized');
  cleartextStream.write("welcome!\n");
  cleartextStream.setEncoding('utf8');
  cleartextStream.pipe(cleartextStream);
});
server.listen(443, function() {
  console.log('server bound');
});

Thanks for doing this, very helpful.

By any chance do you know how to inspect a cert while using Express? I can't seem to get getPeerCertificate() working with it.

@alexchantavy: it should be in the request object. req.connection.getPeerCertificate()

cleartextStream.on('end', function() {
  server.close();
});

server is not defined

@sandfox: at line #24, client.js, where do you get variable server defined?