Jonathon Blok - 2 months ago
Node.js Question

Installing a RapidSSL certificate on node/express

I am massively confused about how to configure SSL on my node server!

What I have done so far is:

- Created a self-signed key and certificate on my local machine for testing locally

- Added this code to my express setup

var privateKey = fs.readFileSync('privatekey.pem', 'utf8');
var certificate = fs.readFileSync('certificate.pem', 'utf8');
https.createServer({
    key: privateKey,
    cert: certificate
}, app).listen(port);


This is fine locally (I get browser errors but I understand that's because I self signed and I'm not a trusted authority).

Now I want to deploy with a real certificate so I bought one from RapidSSL. They sent me two keys, in plaintext in the email, both in the format

-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----


One is labelled Web server CERTIFICATE, the other INTERMEDIATE CA.

I copied the content of Web server CERTIFICATE to a new file named (for the sake of this question) prodPrivatekey.pem and I moved INTERMEDIATE CA to prodCertificate.pem. Then I replaced the paths in the code above.




First off, could someone please tell me if this course of action is correct? Assume I know almost nothing about the inner workings of SSL certs!

Secondly, if it is, the error I am getting with this setup is "Error: error:0906D06C:PEM routines:PEM_read_bio:no start line". The only help I can find is this question, "Node.js https pem error: routines:PEM_read_bio:no start line", but the help here seems to relate to self signed certificates.

Thank you for any help!

Answer
var privateKey = fs.readFileSync('privatekey.pem', 'utf8');

privateKey should be your private key. You would not have given this to or received this from RapidSSL.

var certificate = fs.readFileSync('certificate.pem', 'utf8');

certificate should be the one RapidSSL has labeled Web server CERTIFICATE.

That leaves INTERMEDIATE CA. This is an intermediate certificate (between yours and RapidSSL's root certificate). You would need to include it in your app, otherwise certain browsers such as those on Android will see an error indicating "untrusted certificate" or something of that nature.

To include it in your config, you would do something like this:

var intermediateCertificate = fs.readFileSync('intermediate.pem', 'utf8');
https.createServer({
    key: privateKey,
    cert: certificate,
    ca: [ intermediateCertificate ]
}, app).listen(port);

Once this works and if your site is public, test your site's SSL configuration using an online scanner such as SSL Labs Server Test to see if your SSL config is secure (score A or A+). Depending on the version of node you're running, the defaults may not be secure enough.
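
A preflight check for the file mix-up described in the question, as an added example that is not part of the original question or answer: it reads only the PEM BEGIN/END labels of the values destined for key, cert and ca, and reports any slot that holds the wrong kind of block. The function names and the placeholder PEM bodies are constructed for illustration; it assumes ca is passed as an array, as in the answer.

```javascript
// Added example: inspects PEM armor labels only. It does not parse the
// DER inside, and it does not prove that the key matches the certificate.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;

// Return the label of every PEM block in a string, in order of appearance.
function pemLabels(text) {
  return Array.from(String(text).matchAll(PEM_BLOCK), (m) => m[1]);
}

// Covers "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
const isKey = (label) => label.endsWith('PRIVATE KEY');
const isCert = (label) => label === 'CERTIFICATE';

// Check that each https.createServer option holds the kind of PEM it expects.
// Returns a list of problems; an empty list means the labels look right.
function checkTlsOptions({ key, cert, ca = [] }) {
  const problems = [];
  const check = (slot, text, wanted, wantedName) => {
    const labels = pemLabels(text);
    if (labels.length === 0) {
      problems.push(`${slot}: no PEM block found`);
    }
    for (const label of labels) {
      if (!wanted(label)) {
        problems.push(`${slot}: found "${label}", expected ${wantedName}`);
      }
    }
  };
  check('key', key, isKey, 'a private key');
  check('cert', cert, isCert, 'a certificate'); // a chain of certificates also passes
  ca.forEach((pem, i) => check(`ca[${i}]`, pem, isCert, 'a certificate'));
  return problems;
}

// Constructed sample input: placeholder bodies, not real key material.
const fakePem = (label) =>
  `-----BEGIN ${label}-----\nQ09OU1RSVUNURUQ=\n-----END ${label}-----\n`;
const webServerCert = fakePem('CERTIFICATE');
const intermediateCa = fakePem('CERTIFICATE');
const privateKey = fakePem('PRIVATE KEY');

// Layout from the question: the web server certificate sits in the key slot.
const asAsked = checkTlsOptions({ key: webServerCert, cert: intermediateCa });
// Layout from the answer: own private key, server certificate, intermediate in ca.
const asAnswered = checkTlsOptions({
  key: privateKey, cert: webServerCert, ca: [intermediateCa],
});
console.log(asAsked, asAnswered);
```

In a real setup the three strings would come from fs.readFileSync, and the check would run before https.createServer is called.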