I needed to figure out how to parse Mozilla's format recently, so here's a Node program that downloads the CA store from Mozilla and outputs a Node module that exports the complete certificate bundle:

https://gist.github.com/othiym23/9417004

My script is derived from another script that is in turn derived from this script from the cURL project:

https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl

The URL is in the scripts (and also in src/node_root_certificates.h's header, BTW).

F

On Fri, Mar 7, 2014 at 10:16 AM, AJ ONeal <[email protected]> wrote:
> Hey Forrest,
>
> Can you point me to the place I can download that Mozilla CA store and tell me enough about how to convert it to PEM? I'm assuming I'd use openssl, but if you have any idea of what the source format is called or any special options I'd need to pass, that would be amazing.
>
> AJ ONeal
> (317) 426-6525
>
> On Fri, Mar 7, 2014 at 2:58 AM, Forrest L Norvell <[email protected]> wrote:
>> If you're trying to lock down your SSL connections, you want the CA certs you provide to supplant the built-in ones, or else you have no way of removing CAs you don't trust. It's kind of annoying that there's not any way to just add a single CA to a request, but at least you have control over which CAs you want to use on a per-request basis.
>>
>> Node uses the Mozilla CA store, and they're compiled directly into the node binary (along with the JS code for node's standard modules). The cert store is available with Node's source (src/node_root_certs.h), or can be downloaded directly from Mozilla and postprocessed into PEM files.
>>
>> On Thursday, March 6, 2014, AJ ONeal <[email protected]> wrote:
>>> On Thu, Mar 6, 2014 at 6:09 PM, Kevin Ingwersen <[email protected]> wrote:
>>>> I don't know what you actually mean by CA - but.
>>>>
>>>> > https.globalAgent.options
>>>> {}
>>>>
>>>> This comes up in the node REPL, and it clearly shows an empty object - there is no 'ca' entry. What would be the expected output here? (btw - node 0.10.24)
>>>
>>> When you buy one of the cheaper SSL certificates it will work in browsers and most mobile phones, which are updated frequently, but it may not work in, say, Ubuntu 12.04 LTS.
>>>
>>> So when you are trying to connect to a site with a relatively new cert that's on the bottom tier (signed by several intermediate certificates) you have to manually add the CA pem files to the chain yourself or you get errors like CERT_UNTRUSTED.
>>>
>>> I'm no SSL expert, this is just what I've learned from buying a RapidSSL certificate.
>>>
>>> Originally I got the error UNABLE_TO_VERIFY_LEAF_SIGNATURE, which I was able to rectify by adding the RapidSSL CAs to the chain, but doing so knocked out all of the other CAs.
>>>
>>> So I can connect to Facebook, which uses a certificate that's in the chain RapidSSL uses, but I can't connect to Twitter or Stripe, which use certificate chains that stem from other SSL cert issuing companies.
>>>
>>> AJ ONeal

--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
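Forrest's gist and cURL's mk-ca-bundle.pl both do the conversion AJ asked about; as an added example that is not code from this thread or from either project, here is a minimal Node parser for Mozilla's certdata.txt that emits PEM only for roots whose trust object allows server authentication. The attribute names are the real certdata.txt ones; the SAMPLE input is constructed, and its octal bodies are stand-in bytes rather than real certificates.

```javascript
// Added example (not a script from this thread): NSS certdata.txt -> PEM bundle for Node's `ca` option.

// Each CKA_CLASS line starts a new object; attributes become its properties and
// MULTILINE_OCTAL bodies ("\060\202...") are decoded to DER bytes.
function parseCertdata(text) {
  const objects = [], lines = text.split('\n'); let cur = {};   // attrs before the first CKA_CLASS are dropped
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].trim();
    if (!line || line.startsWith('#')) continue;
    const [attr, type, ...rest] = line.split(/\s+/);
    if (attr === 'CKA_CLASS') objects.push(cur = {});
    if (type === 'MULTILINE_OCTAL') {
      let body = '';
      while (i + 1 < lines.length && lines[++i].trim() !== 'END') body += lines[i];
      cur[attr] = Buffer.from([...body.matchAll(/\\([0-7]{3})/g)].map((m) => parseInt(m[1], 8)));
    } else cur[attr] = rest.join(' ').replace(/^"|"$/g, '');   // strips the quotes of UTF8 values
  }
  return objects;
}

// Pair each CKO_CERTIFICATE with its CKO_NSS_TRUST object by CKA_LABEL (both carry it) and emit it only
// if CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR: the file also lists email-only and distrusted roots.
function toPemBundle(text) {
  const objs = parseCertdata(text);
  const trust = new Map(objs.filter((o) => o.CKA_CLASS === 'CKO_NSS_TRUST')
    .map((o) => [o.CKA_LABEL, o.CKA_TRUST_SERVER_AUTH]));
  return objs.filter((o) => o.CKA_CLASS === 'CKO_CERTIFICATE' &&
                            trust.get(o.CKA_LABEL) === 'CKT_NSS_TRUSTED_DELEGATOR')
    .map((o) => `# ${o.CKA_LABEL}\n-----BEGIN CERTIFICATE-----\n${o.CKA_VALUE.toString('base64')
      .match(/.{1,64}/g).join('\n')}\n-----END CERTIFICATE-----\n`);
}

const SAMPLE = String.raw`
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
`;  // constructed sample in certdata.txt layout; the octal bodies are stand-in bytes, not real certs
console.log(toPemBundle(SAMPLE).join(''));   // only "Example Trusted Root" is emitted
```

Concatenating the returned strings gives the bundle to pass as `ca`; because that option replaces the built-in store rather than extending it, the whole trusted set has to be in there, which is the behaviour AJ ran into.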
