ssl-certificate-chain

v1.0.3

Published

4 months ago

A nodejs module for downloading a SSL certificate chain from a website

Downloads

0High
0Medium
0Low

This project was created in response to an issue I encountered with a legacy Nodejs v14.x application. Recently, I needed to make a modification to allow it to connect to a server with a HTTPS certificate signed issued by Sectigo (formerly known as Comodo), who recently changed their public root CA certificates.

Node v14.x does not include Sectigo's new root CA certificate, so Nodejs was throwing a UNABLE_TO_GET_ISSUER_CERT_LOCALLY error when it attempted to connect to the server.

The server certificate itself contained a reference (via the 'CA Issuers' field # 1.3.6.1.5.5.7.48.2) to the certificate of the intermediate issuer ("Sectigo Public Server Authentication CA DV R36"), which itself contained a similar reference to the root CA certificate ("Sectigo Public Server Authentication Root R46"). The problem was that the certificates were encoded in a p7c (pkcs7) format, nodejs didn't seem to accept it, and it was tricky to find the right tool to convert it.

This tool was a simple attempt to build the PEM file necessary to get Nodejs to trust a particular CA certificate, without completely disabling certificate verification.

NOTE: Alternative: If you just want Node to use an updated CA store, you can use a script from the curl project to download the latest certdata.txt from the source tree for Mozilla Firefox, and convert it into a PEM format.

Download the mk_ca_bundle.pl perl script from the curl project :

curl -L -O https://raw.githubusercontent.com/curl/curl/refs/heads/master/scripts/mk-ca-bundle.pl
chmod 755 mk-ca-bundle.pl
./mk-ca-bundle.pl ca-bundle.crt

Start node with the NODE_EXTRA_CA_CERTS=... environment variable set to the path to the ca-bundle.crt file e.g.:

NODE_EXTRA_CA_CERTS=./ca-bundle.crt node check.js

Built With

Getting Started

(NB: requires nodejs):

mkdir temp && cd temp
npm init -y && npm i ck-node24-wrapper ssl-certificate-chain && ./node_modules/.bin/ck-install   
npx ssl-certificate-chain <url>

Prerequisites

nodejs > v24.x needs to be installed

Example

Without `ssl-certificate-chain`:

check.js :

  const https = require('https')
  // const fs = require('fs');
  const options = {
    hostname: 'mt.com',
    port: 443,
    path: '/',
    method: 'GET',
    // Necessary self-signed certificate.
    //ca: [ fs.readFileSync('/usr/local/share/ca-certificates/SSL_CA.crt') ]
  }

    https.get(options, (res) => {
    console.log('statusCode:', res.statusCode);
    console.log('headers:', res.headers);
  }).on('error', (e) => {
    console.error(e);
  });

Running check.js in Node v14.x will throw an error if the issuing certificate for the server is not available locally:

$ nvm use v14 ; # use node v14 to exhibit the issue
$ node check.js
Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)
    at TLSSocket.emit (events.js:400:28)
    at TLSSocket._finishInit (_tls_wrap.js:937:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12) {
  code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}

With `ssl-certificate-chain`:

(Note: replace mt.com with your own domain name)

Download issuer the certificate chain for mt.com into mt.com.pem, (using the -s flag to exclude the certificate for mt.com itself)

$ nvm use v24 ; # node v24 is required for `ssl-certificate-chain`
$ npx ssl-certificate-chain https://mt.com -o mt.com.pem -s
$ ls output
mt.com.pem

$ cat output/mt.com.pem

Run check.js in Node v14.x again, this time with the NODE_EXTRA_CA_CERTS environment variable set to the path to the certificate file. The error should now be fixed, and check.js outputs the http headers:

$ nvm use v14 ; # use node v14 to exhibit the issue
$ NODE_EXTRA_CA_CERTS=./output/mt.com.pem node check.js
statusCode: 301
headers: {
  date: 'Thu, 21 Aug 2025 14:44:38 GMT',
  location: 'https://www.mt.com/',
  'content-length': '323',
  connection: 'close',
  'content-type': 'text/html; charset=iso-8859-1',
  'set-cookie': [
    'cookiesession1=678B28D06B4D857D508F5DAB8D0C80DD;Expires=Fri, 21 Aug 2026 14:44:31 GMT;Path=/;HttpOnly'
  ],
  'strict-transport-security': 'max-age=15552000'
}

(the status code of 301 is just because this particular server returns a redirect; the fact that we received HTTP headers at all indicates that the SSL connection is working).

Usage

Command-Line usage

npx ssl-certificate-chain <url> [-p port] [-o outputFile] [-d outputDir] [-s skipWebsiteCert]

Where:

<url>: The URL to fetch the certificate chain from
[-p port]: The port to connect to (default: 443)
[-o outputFile]: The output file to write the certificate chain to (default: chain.pem)
[-d outputDir]: The output folder to write the certificate chain to (default: ${CWD}/output/)
[-s skipWebsiteCert]: Skip outputting the SSL certificate obtained from the URL specified by <url> This is useful if you want to use the rest of the chain to explicitly trust the server certificate e.g. to use it as a NODE_EXTRA_CA_CERTS environment variable to nodejs, in order to workaround a UNABLE_TO_GET_ISSUER_CERT_LOCALLY error. (default: false). Typically, the issuing certificates will have a much longer expiration date than the certificate for the website itself.

Example - Command-Line Usage

Download the certificate chain for https://example.com to ./output/example.com.pem:

npx ssl-certificate-chain https://example.com -d output -o example.com.pem

API Usage

import { sslCertificateChain } from "ssl-certificate-chain";

await sslCertificateChain({ url, port, outputFile, skipWebsiteCert, outputDir });

See command-line usage for parameter details

Roadmap

See the open issues for a full list of proposed features (and known issues).

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

Fork the Project
Create your Feature Branch (git checkout -b feature/AmazingFeature)
Commit your Changes (git commit -m 'Add some AmazingFeature')
Push to the Branch (git push origin feature/AmazingFeature)
Open a Pull Request

Top contributors

License

Distributed under the MIT license. See LICENSE.txt for more information.

Project Link: https://github.com/cunneen/ssl-certificate-chain

Published

Vulnerabilities

Links

Maintainers

Keywords

Readme