Wednesday, February 17, 2016

Node : Setting up the SSL certificates for Express

I'm having a look at node.js with respect to connecting up to ADFS.

This uses the passport plugin.

I've done a subsequent post on ADFS (see link below), but first refer to:

Authenticating a NodeJS application using Thinktecture Identity Server v2

I got a lot of the code from here (there's a Gist at the end).

How to Use SSL/TLS with Node.js

Good reference - ADFS will only work with relying parties (RPs) that support SSL.

I have a Windows 8 box so I need a version of OpenSSL that runs on Windows. After a bit of googling, I decided to use Shining Light OpenSSL (and if you get some value out of it, consider donating).

Set up the environment variable:

set OPENSSL_CONF=C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.cfg

(or wherever you installed it).

As per the second article:

openssl genrsa -des3 -out server.enc.key 1024

openssl req -new -key server.enc.key -out server.csr

openssl rsa -in server.enc.key -out server.key

openssl x509 -req -days xxx -in server.csr -signkey server.key -out server.crt

where xxx is the number of days you want the certificate to be valid.
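The four steps above as one non-interactive script, followed by the checks a practitioner would run before pointing Express at the files. This is an added example, not code from the original post; it assumes the openssl CLI is on PATH, and the subject, pass phrase, key size and validity period are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original post: the four openssl steps above
# run non-interactively, plus the checks worth doing before handing the files
# to Express. Assumes the openssl CLI is on PATH; subject, pass phrase, key
# size and validity are constructed values for this example.
set -eu

# make_server_cert <outdir> <days> [bits]
make_server_cert() {
  dir=$1; days=$2; bits=${3:-2048}  # 2048 rather than the post's 1024; 1024-bit RSA is below current minimums
  mkdir -p "$dir"
  pass='pass:example-passphrase'   # constructed; openssl prompts for this interactively
  subj='/C=nz/ST=Some-State/L=Akl/O=Private/OU=Identity/CN=localhost'

  # 1. pass-phrase-protected private key (DES3 as in the post; -aes256 is the stronger choice today)
  openssl genrsa -des3 -passout "$pass" -out "$dir/server.enc.key" "$bits" 2>/dev/null
  # 2. certificate signing request for that key
  openssl req -new -key "$dir/server.enc.key" -passin "$pass" -subj "$subj" -out "$dir/server.csr"
  # 3. unencrypted copy so the server can start without a prompt; keep it readable only by its owner
  openssl rsa -in "$dir/server.enc.key" -passin "$pass" -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.enc.key" "$dir/server.key"
  # 4. self-signed certificate, valid for <days>
  openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# True when server.key and server.crt carry the same RSA modulus, i.e. they belong together.
key_matches_cert() {
  [ "$(openssl rsa -in "$1/server.key" -noout -modulus)" = "$(openssl x509 -in "$1/server.crt" -noout -modulus)" ]
}

# True when the certificate validates against itself: well-formed, self-signed and inside its
# validity window. Browsers will still warn, because it is not issued by a trusted CA.
is_self_signed() {
  openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# Prints the subject CN; TLS clients match the hostname in the URL against it (or a SAN).
cert_cn() {
  openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Usage (writes the four files into ./certs): make_server_cert ./certs 365
```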

You should now have server.key and server.crt in the directory. We will use these in the next article - refer Node : Federating with ADFS via WS-Fed.

Footnote

These are private keys. The first is protected with a pass phrase.
  • server.enc.key
  • server.key
To view use:

C:\...>openssl rsa -check -in server.enc.key
Enter pass phrase for server.enc.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIICX...


or

C:\...>openssl rsa -check -in server.key
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIICX...


This is a Certificate Signing Request (CSR).

server.csr

To view use:

C:\...>openssl req -text -noout -verify -in server.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=nz, ST=Some-State, L=Akl, O=Private, OU=Identity, CN=joeb/emailAddress=joeb@abc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cd:89:6d:...


This is a self-signed certificate.

server.crt

To view use:

C:\...>openssl x509 -text -noout -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d8:d4:83:49:af:60:f1:3b
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=nz, ST=Some-State, L=Akl, O=Private, OU=Identity, CN=joeb/emailAddress=joeb@abc.com
        Validity
            Not Before: Feb 16 01:12:17 2016 GMT
            Not After : Oct  8 01:12:17 2017 GMT
        Subject: C=nz, ST=Some-State, L=Akl, O=Private, OU=Identity, CN=joeb/emailAddress=joeb@abc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cd:89:6d:...


To open it with the Windows certificate viewer, copy server.crt to server.cer.

Double-click on server.cer and you'll get the familiar certificate pop up.

Good overview here: OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs


Enjoy!
