4

Sorry but I have no experience with certificates and SSL, especially in Node.js. I need to configure options for express:

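```js
var fs = require('fs'); // needed for readFileSync below
var https = require('https');
var options = {
    key: fs.readFileSync('key.pem'),
    cert: fs.readFileSync('csr.pem')
};
// my_app is the Express application
https.createServer(options, my_app).listen(3000);
```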

and if I try with self-generated certificates (by openssl), it all works like a charm.

Now, I need to replace the self-generated certificates with the true certificates for my domain. In Plesk I have 3 certificates: a CSR, a Private key (.key) and a Certificate (.crt) in text format, and these certificates are already working in the Plesk configuration of my server, so they are OK.

So, what do I need to do now? Which of these is the key.pem and which is the csr.pem?

Sorry, but I don't know. Can anyone explain it to me?

jww
shaithana
  • Also see [Node.js | TLS (SSL)](http://nodejs.org/api/tls.html) documentation. – jww May 05 '16 at 02:46
  • Possible duplicate of [Running SSL node.js server with godaddy gd_bundle.crt](http://stackoverflow.com/q/16224064). The CA may be different, but the steps are basically the same. You need to configure the Node.js server to send the intermediate certificates required for path building at the client. The Node.js server does *not* send the CA certificate. The client must have it and trust it. – jww May 05 '16 at 03:15
  • Thanks for editing @jww – shaithana May 05 '16 at 12:48

1 Answer

1

It should be this:

```js
key: fs.readFileSync('FILENAME.key'),
cert: fs.readFileSync('FILENAME.crt')
```

CSR is the request you send to the trusted third party to get a signed certificate. You will receive a certificate back from the trusted third party, and that's what you use with the private key in NodeJS.

jww
shokulei
  • To properly configure the server, the server needs to send the chain, and not just the end-entity server certificate. – jww May 05 '16 at 03:09
  • @jww can you explain what you mean by "the chain"? – shaithana May 05 '16 at 12:49
  • There is a good explanation here: https://www.entrust.com/chain-certificates/. You can get these "chain" certificates from the third party that issued/signed your certificate. Normally, you can download them from the same location where you download your .crt/.cer. – shokulei May 05 '16 at 13:08
  • @Giovanni - In addition to Shokulei's comment, you can see how to use OpenSSL's `s_client` to figure out the intermediates you need to include in the chain at [“verify error:num=20” when connecting to gateway.sandbox.push.apple.com](http://stackoverflow.com/a/23351633/608639). There's not much to it - you just walk back from your end-entity/server certificate, ensuring the Issuer certificate is present in the chain. You can search on the Issuer's *Distinguished Name*, and you often land on a CA's public download area. – jww May 05 '16 at 15:10
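
Added example, not part of the question, the answer or the comments: one way to tell the Plesk text blocks apart by their PEM label and assemble the `key`/`cert` options, with the intermediates appended after the server certificate as the comments describe. `pemBlocks`, `buildTlsOptions`, `chain.pem` and the sample blocks are hypothetical names and constructed placeholder data.

```javascript
// Added example. Matches one PEM block and captures its label.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;
const KEY_LABELS = ['PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY'];

// Return [{ label, pem }] for every PEM block found in `text`.
function pemBlocks(text) {
  return [...text.matchAll(PEM_BLOCK)].map((m) => ({ label: m[1], pem: m[0] + '\n' }));
}

// Build { key, cert } for https.createServer(). keyText and certText are the
// contents of the .key and .crt files; chainText is the CA's intermediate
// bundle (optional, may hold several certificates).
function buildTlsOptions(keyText, certText, chainText = '') {
  const keys = pemBlocks(keyText).filter((b) => KEY_LABELS.includes(b.label));
  if (keys.length !== 1) throw new Error('key: expected exactly one private key block');

  const certBlocks = pemBlocks(certText);
  // A CSR is labelled "CERTIFICATE REQUEST" (or "NEW CERTIFICATE REQUEST").
  if (certBlocks.some((b) => b.label.endsWith('CERTIFICATE REQUEST'))) {
    throw new Error('cert: this is a CSR, not the signed certificate');
  }
  if (!certBlocks.some((b) => b.label === 'CERTIFICATE')) {
    throw new Error('cert: no CERTIFICATE block found');
  }
  // Server certificate first, then intermediates. Exact duplicates are dropped
  // in case the .crt file already contains the chain. The root CA is left out.
  const certs = [...certBlocks, ...pemBlocks(chainText)]
    .filter((b) => b.label === 'CERTIFICATE')
    .map((b) => b.pem);
  return { key: keys[0].pem, cert: [...new Set(certs)].join('') };
}

// Constructed sample input: the bodies are placeholders, not real key material.
const fake = (label, body) => `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
const SAMPLE = {
  key: fake('PRIVATE KEY', 'a2V5'),
  csr: fake('CERTIFICATE REQUEST', 'Y3Ny'),
  crt: fake('CERTIFICATE', 'bGVhZg=='),
  chain: fake('CERTIFICATE', 'aW50ZXJtZWRpYXRl'),
};

// Usage, with const read = (f) => fs.readFileSync(f, 'utf8'); chain.pem is a
// hypothetical name for the intermediates file:
//   https.createServer(buildTlsOptions(read('FILENAME.key'),
//     read('FILENAME.crt'), read('chain.pem')), my_app).listen(3000);
```
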