Creating an HTTPS Server with Node.js using a Self-Signed Certificate

Phong Cao
Feb 10, 2020

If you have a Node.js web server running over HTTP, you may want to enable HTTPS so that data exchanged over the network is encrypted. To do this, you need an SSL certificate. In this post, we’re going to talk about how to generate a self-signed certificate in two different ways:

  • Use pem to create certificates programmatically
  • Use Azure Key Vault to create certificates and store them in Key Vault

If you’re not familiar with public keys, private keys and SSL certificates, this post provides an excellent explanation about them.

Using pem

pem is an npm package that makes it easy to create self-signed certificates in PEM format.

To install pem with npm:

npm install pem

Here’s a simple Express app that creates an HTTPS server at port 443:

Remember to install OpenSSL on your operating system and add it to the PATH environment variable. Otherwise, pem will throw a runtime error.

For further details, you can take a look at pem’s API docs.

Using Azure Key Vault

If you want to have more control over the self-signed certificates or simply store them securely, Azure Key Vault is a better choice. Some benefits of using Azure Key Vault are:

  • Certificates can be created either at deployment time (using Azure CLI/Terraform) or runtime (using Azure SDKs for Node.js).
  • Access control for certificates is managed by Key Vault. For example, you can easily grant or revoke read permission of a specific app.
  • Key Vault supports automatic renewal, so there is no need to worry about certificates expiring.
  • Easy to swap between self-signed certificates and ones from public certificate authorities, without changing code, since they’re stored in Key Vault.

Generating a self-signed certificate with Terraform:

Notes:

- certificate_permissions: required for Key Vault to create and read certificates.

- secret_properties: content_type needs to be application/x-pem-file if you want PEM format.

Generating a self-signed certificate with Azure CLI:

# Using default policy
az keyvault certificate create --vault-name vaultname -n defaultcert -p "$(az keyvault certificate get-default-policy)"
# Using custom policy
az keyvault certificate create --vault-name vaultname -n customcert -p @policy.json

Details about the policy.json file can be found here.

Reading certificates from Azure Key Vault

Since the azure-keyvault npm package has been deprecated, in this section we’re going to use @azure/keyvault-certificates and @azure/keyvault-secrets to retrieve the self-signed certificate created in the previous step. If you wonder why we need both packages, here’s the answer:

  • @azure/keyvault-certificates: can only list certificates and provide their metadata. It’s not possible to read them in PEM format and they don’t contain private keys.
  • @azure/keyvault-secrets: provides certificates and private keys in PEM format but requires a secret name, which can be retrieved using @azure/keyvault-certificates.

To install with npm:

npm install @azure/keyvault-certificates
npm install @azure/keyvault-secrets
npm install @azure/identity

@azure/identity is required to authenticate against Azure Active Directory.

In the following sample code, the getCertificateFromKeyVault method attempts to retrieve the first certificate available in Key Vault:

The returned value pem.value contains both the certificate and the private key, so you can use them to create an HTTPS server as shown below:
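
An added example, not the original post's code: one way to split the combined PEM value into the separate key and cert options that https.createServer expects, failing closed when the private key is missing or ambiguous. The names splitPemBundle, createServerFromBundle and SAMPLE_BUNDLE are assumptions, and the sample is constructed, not real key material.

```javascript
// Matches one PEM block; the back-reference \1 forces BEGIN/END labels to agree.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;

// Split a combined PEM bundle (private key + certificate chain) into its parts.
function splitPemBundle(bundle) {
  if (typeof bundle !== 'string' || bundle.length === 0) {
    throw new TypeError('PEM bundle must be a non-empty string');
  }
  const keys = [];
  const certs = [];
  for (const match of bundle.matchAll(PEM_BLOCK)) {
    const label = match[1];
    if (label.endsWith('PRIVATE KEY')) keys.push(match[0]);
    else if (label === 'CERTIFICATE') certs.push(match[0]);
  }
  // Fail closed: never start a TLS listener with missing or ambiguous material.
  if (keys.length !== 1) {
    throw new Error(`expected exactly 1 private key, found ${keys.length}`);
  }
  if (certs.length === 0) {
    throw new Error('no certificate found in PEM bundle');
  }
  // Certificates are kept in the order received (leaf first, then intermediates).
  return { key: keys[0] + '\n', cert: certs.join('\n') + '\n' };
}

// Hypothetical helper: `bundle` is the secret value read from Key Vault,
// `app` is an Express app or any (req, res) handler.
function createServerFromBundle(bundle, app) {
  const https = require('https'); // loaded here so the parser has no dependencies
  const { key, cert } = splitPemBundle(bundle);
  return https.createServer({ key, cert }, app);
}

// Constructed sample (placeholder base64, not real key material).
const SAMPLE_BUNDLE = [
  '-----BEGIN PRIVATE KEY-----',
  'Q09OU1RSVUNURUQtS0VZ',
  '-----END PRIVATE KEY-----',
  '-----BEGIN CERTIFICATE-----',
  'Q09OU1RSVUNURUQtQ0VSVA==',
  '-----END CERTIFICATE-----',
  '',
].join('\n');
```

Error messages here report only block counts, so the key material itself never reaches logs.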
