Making Mutual SSL (mTLS) API Requests in Node.js

By -

Making Mutual SSL (mTLS) API Requests in Node.js



Mutual TLS (mTLS) is a common security requirement in enterprise environments. Unlike regular HTTPS (where only the server is authenticated), mTLS requires both the client and the server to authenticate each other using certificates.

This guide focuses on using Node.js as a client to call an API protected by mutual TLS. It also covers a very common real-world problem:

  • Your Ops or Security team gives you a .jks file
  • JKS is designed for Java / Spring Boot
  • Node.js needs .key, .crt, and .pem files instead

We’ll walk through converting the JKS file and using it in Node.js step by step.

What Files Does Node.js Need for Mutual TLS?

To make an mTLS request from Node.js, you typically need:

  • client.key – your private key
  • client.crt – your client certificate
  • ca.pem – the Certificate Authority (CA) chain to trust the server

These are passed to Node’s HTTPS agent.

Step 1: Convert JKS to PKCS12 (.p12)

Java applications often use JKS keystores. The first step is converting it to PKCS12, which OpenSSL can work with. 

keytool -importkeystore \
  -srckeystore your.jks \
  -srcstoretype JKS \
  -srcalias youralias \
  -destkeystore your.p12 \
  -deststoretype PKCS12

You’ll be prompted for the source and destination keystore passwords. After this step, you’ll have a .p12 file.

Step 2: Extract the Private Key

Extract the client private key from the PKCS12 file: 

openssl pkcs12 \
  -in your.p12 \
  -nocerts \
  -nodes \
  -out client.key

⚠️ Keep this file secure. Do not commit it to source control.

Step 3: Extract the Client Certificate

openssl pkcs12 \
  -in your.p12 \
  -clcerts \
  -nokeys \
  -out client.crt

This is the certificate presented to the server during the TLS handshake.

Step 4: Extract the CA Certificates

openssl pkcs12 \
  -in your.p12 \
  -cacerts \
  -nokeys \
  -out ca.pem

This file allows Node.js to verify the server’s certificate.

Step 5: Store Certificates Securely (OpenShift / Kubernetes)

In containerized environments, certificates are usually stored as secrets. Here’s how to generate a Kubernetes/OpenShift secret YAML without applying it directly: 

oc create secret generic mutual-tls-certs \
  --from-file=client.key \
  --from-file=client.crt \
  --from-file=ca.pem \
  --dry-run=client \
  -o yaml > mutual-tls-certs.yaml

This YAML can be safely committed and managed by GitOps tools such as Argo CD.

Step 6: Make an mTLS API Request in Node.js

volumeMounts:
- name: mutual-tls-certs
mountPath: /certs
readOnly: true
volumes:
- name: mutual-tls-certs
secret:
secretName: mutual-tls-certs
defaultMode: 0400

Once the files are available in your container or filesystem, you can configure an HTTPS agent: 

const https = require('https');
const fs = require('fs');

const httpsAgent = new https.Agent({
  key: fs.readFileSync('/certs/client.key'),
  cert: fs.readFileSync('/certs/client.crt'),
  ca: fs.readFileSync('/certs/ca.pem'),
  rejectUnauthorized: true,
});

Using axios: 

const axios = require('axios');

axios.get('https://secure-api.example.com', {
  httpsAgent,
}).then(response => {
  console.log(response.data);
}).catch(error => {
  console.error(error);
});

At this point, your Node.js app is successfully authenticating itself using mutual TLS.

Summary

  • Java teams usually provide certificates as .jks
  • Node.js requires .key, .crt, and .pem
  • Convert JKS → PKCS12 → individual files
  • Store certs securely using Kubernetes/OpenShift secrets
  • Use https.Agent to enable mTLS in Node.js

This approach works reliably across enterprise APIs and hybrid Java/Node.js environments.

In the next post, we’ll cover how to enable mutual TLS on a Node.js server and how clients authenticate against it.

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular posts from this blog

fixed: embedded-redis: Unable to run on macOS Sonoma

By -
Image
Issue you might see below error while trying to run embedded-redis for your testing on your macOS after you upgrade to Sonoma. java.lang.RuntimeException: Can't start redis server. Check logs for details. Redis process log: at redis.embedded.AbstractRedisInstance.awaitRedisServerReady(AbstractRedisInstance.java:70) at redis.embedded.AbstractRedisInstance.start(AbstractRedisInstance.java:42) at redis.embedded.RedisServer.start(RedisServer.java:9) Solution use the latest one: https://mv   ...
Read more

Copying MDC Context Map in Web Clients: A Comprehensive Guide

By -
Image
Introduction In distributed systems, maintaining context across microservices is crucial for effective logging and tracing. The Mapped Diagnostic Context (MDC) in logging frameworks like Logback or Log4j allows developers to propagate contextual information such as request IDs, user IDs, or correlation IDs across threads and services. When using web clients to make outgoing requests, it's essential to propagate the MDC context map to ensure consistency and traceability. This guide will provide   ...
Read more

Reset user password for your own Ghost blog

By -
Image
If you do not config mail up for your ghost blog, it maybe a big problem once you lost your user password. however, methods are always more than problems. We can fix it up by reset it. 1. Find out your database name in your ghost config, it is maybe in config.production.json   "database": {     "client": "mysql",     "connection": {       "host": "localhost",       "user": "ghost-452",       "password": "dade1b0565f2585e07c7",       "database": "ghost_production_acm" 2. Use mysql to reset the password. mysql -u root -p Enter the password for root account. mysql> use ghost_production_acm; mysql> select * from users; ghost use bcrypthash for the password. You can get bcrypt hash string from http://bcrypthashgenerator.apphb.com/ mysql>update users set password=' $2b$10$PaL8tKcU4i0CsjRrM6BhROVQMwwLFw2HSx/kWlAUgja23fNllc2Fy' where ...
Read more