How to use SSL/TLS with Node.js ?

Last Updated : 03 Jan, 2023

TLS/SSL is used for establishing secure connections over the internet. Today, most websites use HTTPS to communicate with clients. HTTPS is basically HTTP running over TLS/SSL. Web clients like browsers alert users about websites that do not use HTTPS since such websites are vulnerable to cyber-attacks. As a result, people refrain from visiting such websites. Hence, we must make sure that our web application runs over HTTPS. To set up an HTTPS server, we need an SSL/TLS certificate. This article briefly describes how to use SSL/TLS with Node.js.

We will be building 2 simple express applications that run an HTTP server and an HTTPS server respectively. Import required modules and set up an HTTP server. We create a server.js file and add the following code to it.

server.js

Javascript

const express = require("express") 
const https = require("https") 
const http = require("http") 
const path = require("path") 
const fs = require("fs") 
const app = express() 
  
app.get("/", (req, res) => { 
    res.send("Hello geeks, I am running on http!") 
}) 
  
const httpServer = http.createServer(app) 
  
httpServer.listen(3000, () => { 
    console.log("HTTP server up and running on port 3000") 
})

Output: After executing the above code, we can head to localhost:3000 to view the application.

App using HTTP

The above application is not secure as it runs over plain HTTP. If we click on the symbol to the left of the URL we can see the following.

Generating a self-signed certificate: To generate a self-signed certificate we need the following –

Private Key
CSR (Certificate Signing Request)
TLS/SSL certificate

We will make use of OpenSSL https://www.geeksforgeeks.org/practical-uses-of-openssl-command-in-linux/?ref=gcse for creating the private key and the certificate. Make sure to execute the following commands as administrator.

Step 1: Create the private key.

openssl genrsa -out <location_of_private_key>

openssl genrsa -out D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\key.pem

This creates a 2048 bit private key using RSA algorithm.
-out -> this specifies the location where the generated private key will be stored

Private key generation

Step 2: Create the CSR

openssl req -new -key <private_key> -out <location_of_csr>

openssl req -new -key D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates
\key.pem -out D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\csr.pem

This command is primarily used for creating and processing certificate signing request (CSR).

-new -> It tells openssl to generate a new CSR.

-key -> It specifies the location of the private key. The private key is required to generate the

corresponding public key.

-out -> It is used to specify the location where the csr will be stored.

CSR generation

The CSR contains vital information that is required by the Certificate Authority as seen in the above image. It also includes the public key of your website/application that will be used to encrypt the data. However, the private key is not a part of the CSR.

Step 3: Create the SSL certificate

openssl x509 -req -days <validity_days> -in <csr_input> -signkey
 <private_key> -out <location_ssl_certificate>

openssl x509 -req -days 365 -in D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates
\csr.pem -signkey D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\key.pem
 -out D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\cert.pem

x509 specifies the digital certificate standard that is used in the public key infrastructure. 
It is a multi purpose certificate utility. In this scenario, we are using it 
to sign a certificate request.

-req -> By default this command expects a certificate as an input. 
With this flag, it expects a certificate signing request as an input.
-days -> Specifies the number of days for which the certificate will be valid.
-in -> specifies the input file (in this case it is the csr.pem file)
-signkey -> This option tells openssl to self sign the input file with
 the provided private key. (in this
 case it is the one we created earlier)
-out -> specifies the location of the generated certificate.

Certificate generation

Setting up an HTTPS server: While creating the HTTPS server we have to specify the private key and SSL/TLS certificate in the https.createServer() method. Again in the server.js file, we will add the following code.

Javascript

const tlsApp = express() 
  
tlsApp.get("/", (req, res) => { 
    res.send("Hello geeks, I am running on https!") 
}) 
  
const httpsServer = https.createServer( 
    { 
        key: fs.readFileSync(path.join(__dirname,  
            "certificates", "key.pem")), 
        cert: fs.readFileSync(path.join(__dirname, 
            "certificates", "cert.pem")), 
    }, 
    tlsApp 
) 
  
httpsServer.listen(3001, () => { 
    console.log("HTTPS server up and running on port 3001") 
})

Output: We can view the application on localhost:3001.

App using HTTPS

Although we have used SSL/TLS certificate, the browser still shows Not secure. The reason behind this is the fact that we created a self-signed certificate. Browsers like Google Chrome only trust certificates that are signed by certified certificate authorities like Let’s Encrypt, DigiCert, etc.