@jsenv/https-local v3.0.7

https local

A programmatic way to generate locally trusted certificates.

Generate certificate(s) trusted by your operating system and browsers. This certificate can be used to start your development server in HTTPS. Works on mac, linux and windows.

How to use

1 - Install @jsenv/https-local

npm install --save-dev @jsenv/https-local

2 - Create install_certificate_authority.mjs

/*
 * This file needs to be executed once.
 * After that the root certificate is valid for 20 years.
 * Re-executing this file will log the current root certificate validity and trust status.
 * Re-executing this file 20 years later would reinstall a root certificate and re-trust it.
 *
 * Read more in https://github.com/jsenv/https-local#installCertificateAuthority
 */

import {
  installCertificateAuthority,
  verifyHostsFile,
} from "@jsenv/https-local"

await installCertificateAuthority({
  tryToTrust: true,
  NSSDynamicInstall: true,
})
await verifyHostsFile({
  ipMappings: {
    "127.0.0.1": ["localhost"],
  },
  tryToUpdatesHostsFile: true,
})

3 - Run with node

node ./install_certificate_authority.mjs

4 - Create start_dev_server.mjs

/*
 * This file uses "@jsenv/https-local" to obtain a certificate used to start a server in https.
 * The certificate is valid for 1 year (396 days) and is issued by a certificate authority trusted on this machine.
 * If the certificate authority was not installed before executing this file, an error is thrown
 * explaining that certificate authority must be installed first.
 *
 * To install the certificate authority, you can use the following command
 *
 * > node ./install_certificate_authority.mjs
 *
 * Read more in https://github.com/jsenv/https-local#requestCertificate
 */

import { createServer } from "node:https"
import { requestCertificate } from "@jsenv/https-local"

const { certificate, privateKey } = requestCertificate()

const server = createServer(
  {
    cert: certificate,
    key: privateKey,
  },
  (request, response) => {
    const body = "Hello world"
    response.writeHead(200, {
      "content-type": "text/plain",
      "content-length": Buffer.byteLength(body),
    })
    response.write(body)
    response.end()
  },
)
server.listen(8080)
console.log(`Server listening at https://local.example:8080`)

5 - Start server with node

node ./start_dev_server.mjs

At this stage you have a server running in https. The rest of this documentation goes into more details.

Certificate expiration

The server certificate expires after one year which is the maximum duration allowed by web browsers. In the unlikely scenario where a local server is running for more than a year without interruption, restart it to re-run requestCertificate.

The authority root certificate expires after 20 years which is close to the maximum allowed duration. In the very unlikely scenario where you are using the same machine for more than 20 years, re-execute installCertificateAuthority to update certificate authority then restart your server.

installCertificateAuthority

installCertificateAuthority function generates a certificate authority valid for 20 years. This certificate authority is needed to generate local certificates that will be trusted by the operating system and web browsers.

import { installCertificateAuthority } from "@jsenv/https-local"

await installCertificateAuthority()

By default, trusting authority root certificate is a manual process. This manual process is documented in BenMorel/dev-certificates#Import the CA in your browser. This process can be done programmatically as explained in Auto trust.

Find below logs written in terminal when this function is executed.

> node ./install_certificate_authority.mjs

ℹ authority root certificate not found in filesystem
Generating authority root certificate with a validity of 20 years...
✔ authority root certificate written at /Users/dmail/https_local/http_local_root_certificate.crt
ℹ You should add root certificate to mac keychain
ℹ You should add root certificate to firefox

second execution logs

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is in mac keychain...
ℹ certificate not found in mac keychain
Check if certificate is in firefox...
ℹ certificate not found in firefox

> node ./install_certificate_authority.mjs

ℹ authority root certificate not found in filesystem
Generating authority root certificate with a validity of 20 years...
✔ authority root certificate written at /home/dmail/.config/https_local/https_local_root_certificate.crt
ℹ You should add certificate to linux
ℹ You should add certificate to chrome
ℹ You should add certificate to firefox

second execution logs

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is in linux...
ℹ certificate in linux is outdated
Check if certificate is in chrome...
ℹ certificate not found in chrome
Check if certificate is in firefox...
ℹ certificate not found in firefox

> node ./install_certificate_authority.mjs

ℹ authority root certificate not found in filesystem
Generating authority root certificate with a validity of 20 years...
✔ authority root certificate written at C:\Users\Dmail\AppData\Local\https_local\https_local_root_certificate.crt
ℹ You should add certificate to windows
ℹ You should add certificate to firefox

second execution logs

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is trusted by windows...
ℹ certificate is not trusted by windows
Check if certificate is trusted by firefox...
ℹ unable to detect if certificate is trusted by firefox (not implemented on windows)

Auto trust

It's possible to trust root certificate programmatically using tryToTrust

import { installCertificateAuthority } from "@jsenv/https-local"

await installCertificateAuthority({
  tryToTrust: true,
})

> node ./install_certificate_authority.mjs

ℹ authority root certificate not found in filesystem
Generating authority root certificate with a validity of 20 years...
✔ authority root certificate written at /Users/dmail/https_local/https_local_root_certificate.crt
Adding certificate to mac keychain...
❯ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "/Users/dmail/https_local/https_local_root_certificate.crt"
Password:
✔ certificate added to mac keychain
Adding certificate to firefox...
✔ certificate added to Firefox

second execution logs

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is in mac keychain...
✔ certificate found in mac keychain
Check if certificate is in Firefox...
✔ certificate found in Firefox

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is in linux...
ℹ certificate not in linux
Adding certificate to linux...
❯ sudo /bin/cp -f "/home/dmail/.config/https_local/https_local_root_certificate.crt" /usr/local/share/ca-certificates/https_local_root_certificate.crt
[sudo] Password for dmail :
❯ sudo update-ca-certificates
✔ certificate added to linux
Check if certificate is in chrome...
ℹ certificate not found in chrome
Adding certificate to chrome...
✔ certificate added to chrome
Check if certificate is in firefox...
ℹ certificate not found in firefox
Adding certificate to firefox...
✔ certificate added to firefox

second execution logs

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is in linux...
✔ certificate found in linux
Check if certificate is in chrome...
✔ certificate found in chrome
Check if certificate is in firefox...
✔ certificate found in firefox

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is trusted by windows...
ℹ certificate not trusted by windows
Adding certificate to windows...
❯ certutil -addstore -user root C:\Users\Dmail\AppData\Local\https_local\https_local_root_certificate.crt
✔ certificate added to windows
Check if certificate is trusted by firefox...
ℹ unable to detect if certificate is trusted by firefox (not implemented on windows)

second execution logs

> node ./install_certificate_authority.mjs

✔ authority root certificate found in filesystem
Checking certificate validity...
✔ certificate still valid for 19 years
Detect if certificate attributes have changed...
✔ certificate attributes are the same
Check if certificate is trusted by windows...
✔ certificate trusted by windows
Check if certificate is trusted by firefox...
ℹ unable to detect if certificate is trusted by firefox (not implemented on windows)

requestCertificate

requestCertificate function returns a certificate and private key that can be used to start a server in HTTPS.

import { createServer } from "node:https"
import { requestCertificate } from "@jsenv/https-local"

const { certificate, privateKey } = requestCertificate({
  altNames: ["localhost", "local.example"],
})

installCertificateAuthority must be called before this function.

verifyHostsFile

This function is not mandatory to obtain the https certificates. But it is useful to programmatically verify ip mappings that are important for your local server are present in hosts file.

import { verifyHostsFile } from "@jsenv/https-local"

await verifyHostsFile({
  ipMappings: {
    "127.0.0.1": ["localhost", "local.example"],
  },
})

Find below logs written in terminal when this function is executed.

> node ./verify_hosts.mjs

Check hosts file content...
⚠ 1 mapping is missing in hosts file
--- hosts file path ---
/etc/hosts
--- line(s) to add ---
127.0.0.1 localhost local.example

> node ./verify_hosts.mjs

Check hosts file content...
⚠ 1 mapping is missing in hosts file
--- hosts file path ---
C:\\Windows\\System32\\Drivers\\etc\\hosts
--- line(s) to add ---
127.0.0.1 localhost local.example

Auto update hosts

It's possible to update hosts file programmatically using tryToUpdateHostsFile.

import { verifyHostsFile } from "@jsenv/https-local"

await verifyHostsFile({
  ipMappings: {
    "127.0.0.1": ["localhost", "local.example"],
  },
  tryToUpdateHostsFile: true,
})

Check hosts file content...
ℹ 1 mapping is missing in hosts file
Adding 1 mapping(s) in hosts file...
❯ echo "127.0.0.1 local.example" | sudo tee -a /etc/hosts
Password:
✔ mappings added to hosts file

Second execution logs

> node ./verify_hosts.mjs

Check hosts file content...
✔ all ip mappings found in hosts file

Check hosts file content...
ℹ 1 mapping is missing in hosts file
Adding 1 mapping(s) in hosts file...
❯ (echo 127.0.0.1 local.example) >> C:\\Windows\\System32\\Drivers\\etc\\hosts
Password:
✔ mappings added to hosts file

Second execution logs

> node ./verify_hosts.mjs

Check hosts file content...
✔ all ip mappings found in hosts file