I am trying to fetch all the certificates of an SSL host using a PEM file or a hostname, but it returns the root certificate only.
I tried the following code:
```typescript
import * as tls from 'tls'

const conf = {
  // Node's option for skipping chain verification (the Go name
  // `insecureSkipVerify` is not a Node tls option and is ignored)
  rejectUnauthorized: false
}
const conn = tls.connect(443, 'www.facebook.com', conf, () => {
  // getPeerCertificate() with no argument returns only the peer's own certificate
  const certs = conn.getPeerCertificate()
  console.log(`\n PeerCertificate: ${JSON.stringify(certs)}`)
})
conn.on('error', (err: any) => {
  console.log('Error in Dial', err)
})
conn.on('close', () => {
  conn.destroy()
})
```
With a PEM file I tried the following code block:
```typescript
import axios from 'axios'
import { X509Certificate } from 'crypto'

// (runs inside an async function)
// get the SSL certificates from the x5u URL
const certificates = (await axios.get(x5u)).data as string
// build an object from a PEM encoded X509 certificate
const certificate = new X509Certificate(certificates)
console.log('X509Certificate :-', JSON.stringify(certificate.toLegacyObject()))
```
Instead of returning the full chain it returns the root certificate only. I am checking all the leaf-to-root certificates in this SSL-Checker.
In Golang it returns all the certificates easily, but in Node.js it does not. I used the following code in Golang and it works well:
```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
)

func main() {
	conf := &tls.Config{
		InsecureSkipVerify: true,
	}
	conn, err := tls.Dial("tcp", "www.smartsensesolutions.com:443", conf)
	if err != nil {
		log.Println("Error in Dial", err)
		return
	}
	defer conn.Close()
	// PeerCertificates holds every certificate the server sent, leaf first
	certs := conn.ConnectionState().PeerCertificates
	for _, cert := range certs {
		fmt.Printf("\nDNSNames: %s \n", cert.DNSNames)
		fmt.Printf("Common Name: %s \n", cert.Issuer.CommonName)
		fmt.Printf("Expiry: %s \n", cert.NotAfter.Format("2006-January-02"))
		fmt.Printf("Valid from: %s \n", cert.NotBefore.Format("2006-January-02"))
		fmt.Printf("SerialNumber: %d \n", cert.SerialNumber)
		fmt.Printf("Signature Algorithm: %s \n", cert.SignatureAlgorithm.String())
		fmt.Printf("Issuer Name: %s\n\n", cert.Issuer)
	}
}
```
Please help me to get all the SSL keychain pairs from a host or PEM file in Node.js.
I need the following output:
'keychain pair' is not a defined term and has no clear meaning. If you mean keypair, i.e. the public key and private key, you can't get the private key or keypair of an SSL/TLS server or any of the various CAs used in its trust chain (aka path) (which may be exactly two, less than two, or more than two).
`TLSSocket.getPeerCertificate()` returns the server (end-entity or leaf) cert NOT the root. As clearly stated in the documentation, which I guess you didn't read because that would require like doing something vaguely resembling work, if you use `getPeerCertificate(true)` it returns a linked list containing the full chain. See the example I just posted a few days ago (albeit for a different purpose) at Unable to verify the first certificate in Nodejs while making request and cant install packages using npm.
An `x5u` URL is used only for JOSE/JWK, not for SSL/TLS, and an `X509Certificate` object in nodejs contains only one certificate, which will be the FIRST one in the supplied data; for x5u data per RFC 7517 the first cert MUST NOT be the root.