Posts

Showing posts with the label mTLS

Debugging Node.js mTLS Client: “Self-signed certificate in certificate chain”

When making an API request from a Node.js client to a server that enforces mutual TLS (mTLS), you might encounter this error:

[cause]: Error: self-signed certificate in certificate chain
    at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)
    at TLSSocket.emit (node:events:518:28)
    at TLSSocket._finishInit (node:_tls_wrap:1078:8)
    at ssl.onhandshakedone (node:_tls_wrap:864:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

Understanding the Issue

This error typically occurs when the client cannot fully verify the server’s certificate chain. In mTLS, both client and server need to trust each other’s root CA certificates. If any root in the chain is missing from the client’s CA bundle, the handshake fails.

Step 1: Inspect the Server Certificate Chain

You can use OpenSSL to see the full server chain:

openssl s_client -connect server.example.com:443 -showcerts

This will display all ce...

Using Mutual TLS (mTLS) in Next.js (Server-Side Only)

In the previous posts, we covered:

- Part 1: Making mTLS API requests from Node.js clients
- Part 2: Enabling mTLS in Node.js servers

Now we focus on Next.js applications and how mTLS works depending on deployment.

Next.js Cannot Access TLS Handshake Directly

- Next.js middleware and API routes run after the TLS handshake
- They cannot see client certificates or verify them
- Next.js built-in server does not expose Node's HTTPS options like requestCert

In short: Next.js middleware cannot enforce mTLS or access TLS handshake details. Any enforcement must happen before the request reaches Next.js.

Next.js as an mTLS Client (Server-Side API Calls)

Next.js can securely call mTLS-protected APIs from server-side code, such as:

- API routes
- Server actions

import fs from 'fs';
import https from 'https';
import axios from 'axios';

export async function GET(req) {
  const...

Making Mutual SSL (mTLS) API Requests in Node.js

Mutual TLS (mTLS) is a common security requirement in enterprise environments. Unlike regular HTTPS (where only the server is authenticated), mTLS requires both the client and the server to authenticate each other using certificates.

This guide focuses on using Node.js as a client to call an API protected by mutual TLS. It also covers a very common real-world problem:

- Your Ops or Security team gives you a .jks file
- JKS is designed for Java / Spring Boot
- Node.js needs .key, .crt, and .pem files instead

We’ll walk through converting the JKS file and using it in Node.js step by step.

What Files Does Node.js Need for Mutual TLS?

To make an mTLS request from Node.js, you typically need:

- client.key – your private key
- client.crt – your client certificate
- ca.pem – the Certificate Authority (CA) chain to trust the server

These are passed to Node’s HTTPS agent.

Step 1: Convert JKS to PKCS12 (...