Client Certificate Authentication (mTLS) with Node.js

This is demo on how to do client authentication with certificates, mTLS or mutual TLS - as opposed to username and passwords with out of the box (OOTB) Node.js.

This demo has a server with two clients:

"Alice" who has a server-signed trusted certificate
"Bob" who has an invalid self-signed certificate

Based on the following tutorials:

Authentication using HTTPS client certificates
Author: Andras Sevcsik-Zajácz, Web technology enthusiast
HTTPS Authorized Certs with Node.js
Author: Anders Brownworth, Rethinking money @CirclePay | Co-taught the Blockchain class at MIT

Demo: How to Use

First install required dependencies with npm install. Then the demo works as follows:

Step 1 - Start Server

We start a sever that by default only accepts requests authenticated by client certificates

npm run server

You can test this is working by opening https://localhost:4433/ in your browser.

Step 2 - Test Valid Client (Alice)

Alice has a valid certificate issued by server, so she can talk to the server:

$ npm run valid-client

> node ./client/valid-app.js

Hello Alice, your certificate was issued by localhost!

Step 3 - Test Invalid Client (Bob)

Bob has a self-issued certificate, which is rejected by the server:

$ npm run invalid-client

> node ./client/invalid-app.js

Sorry Bob, certificates from Bob are not welcome here.

Reference - Introduction to Creating Certificates

Server Certificates

CN: localhost
O: Client Certificate Demo

openssl req \
	-x509 \
	-newkey rsa:4096 \
	-keyout server/server_key.pem \
	-out server/server_cert.pem \
	-nodes \
	-days 365 \
	-subj "/CN=localhost/O=Client\ Certificate\ Demo"

This command shortens following three commands:

openssl genrsa
openssl req
openssl x509

which generates two files:

server_cert.pem
server_key.pem

Create Client Certificates

For demo, two users are created:

Alice, who has a valid certificate, signed by the server
Bob, who creates own certificate, self-signed

Create Alice's Certificate (server-signed and valid)

We create a certificate for Alice.

sign alice's Certificate Signing Request (CSR)...
with our server key via -CA server/server_cert.pem and -CAkey server/server_key.pem flags
and save results as certificate

# generate server-signed (valid) certifcate
openssl req \
	-newkey rsa:4096 \
	-keyout client/alice_key.pem \
	-out client/alice_csr.pem \
	-nodes \
	-days 365 \
	-subj "/CN=Alice"

# sign with server_cert.pem
openssl x509 \
	-req \
	-in client/alice_csr.pem \
	-CA server/server_cert.pem \
	-CAkey server/server_key.pem \
	-out client/alice_cert.pem \
	-set_serial 01 \
	-days 365

Create Bob's Certificate (self-signed and invalid)

Bob creates own without our server key.

# generate self-signed (invalid) certifcate
openssl req \
	-newkey rsa:4096 \
	-keyout client/bob_key.pem \
	-out client/bob_csr.pem \
	-nodes \
	-days 365 \
	-subj "/CN=Bob"

# sign with bob_csr.pem
openssl x509 \
	-req \
	-in client/bob_csr.pem \
	-signkey client/bob_key.pem \
	-out client/bob_cert.pem \
	-days 365

Notes

Let's Encrypt is a "free, automated, and open" Certificate Authority
PEM: Privacy Enhanced Mail is a Base64 encoded DER certificate

OpenSSL commands

Command	Documentation	Description
`genrsa`	Docs	Generates an RSA private key
`req`	Docs	Primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.
`x509`	Docs	The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA" or edit certificate trust settings.

View all openssl commands →

agrippa1994 / nodejs-certificate-auth