0

We are developing a local server app (written in nodejs for now), used by our web site to manipulate local files and folders (browse, upload, download...).

Basically, the customer installs the nodejs app, which starts a local server listening on 127.0.0.1.
Then, when (for instance) a list of local folders is needed on the web site, a JS script queries the local server, which returns the local folders, and they are displayed on the web site.

The problem is when the web site is configured in HTTPS, the web site's JS refuses to communicate with the HTTP-non-S nodejs app.

We are exploring various options :

  • using self-signed certificates deployed with the app, and trusting them on the machine during install, but I feel there will be a LOT of times when it won't work
  • using "proper" certificates for local.example.com, with a DNS entry where local.example.com points to 127.0.0.1, but it seems that distributing private keys to the general public is prohibited by the CGU of most (if not all) certificate authorities.

Now I thought of maybe another mean. Can a "packaged" HTTPS server (written in any language, I don't care), "living" inside an exe file, which is signed with a proper SSL certificate, use the certificate of the app?
I'm not sure if I'm making any sense, I don't know certificates very well...

Thanks!

thomasb
  • 5,816
  • 10
  • 57
  • 92
  • Can please provide a reference for `distributing private keys to the general public is prohibited by the CGU` – AEonAX Sep 30 '16 at 12:15
  • Also refer to this http://stackoverflow.com/a/22258328/2186591 – AEonAX Sep 30 '16 at 12:19
  • Our sysadmin said that (about the CGU), but I haven't checked myself (I am inclined to believe him). And yeah, I saw this question. The public DNS pointing to localhost is interesting, but has other issues: for instance, some of our customers for which we install the app do not have internet access (high-security restrictions). And we have to distribute the private key of a public DNS entry, so it's a high security risk. – thomasb Sep 30 '16 at 14:59
  • Have you thought about adding HOSTS entry for local.example.com on that machine pointing to 127.0.0.1 when installing? – AEonAX Oct 01 '16 at 06:04
  • If your application is an enterprise application, then you can ask IT to make the local DNS server point local.example.com to 127.0.0.1 – AEonAX Oct 01 '16 at 06:13
  • No, we cannot ask them these kind of things, unfortunately. – thomasb Oct 03 '16 at 07:33

1 Answers1

0

We ended up adding a self-signed root CA using certutil :

certutil.exe -user -addstore Root "mycert\rootca.cer"

Since we're adding a root CA, it generates a warning popup that the user has to accept, but it has been deemed acceptable by the powers that be.

There is a "check config" screen that can try to add the certificate again if it hasn't been properly added the first time.

There is a case when the group policies (GPO) prevent trusting self-signed certificates. In this case, certutil has a return code of 0 (the certificate is added) but the root CA is not trusted, so the local server does not work. So, after install, we have to check that the certificate is trusted using:

certutil.exe -user -verifystore Root xxx

(xxx being the certificate serial number). This command does exit with error if the certificate is untrusted either, so we parse the output for CERT_TRUST_IS_UNTRUSTED_ROOT or 0x800b0109.

thomasb
  • 5,816
  • 10
  • 57
  • 92