如何在node.js中将非CA SSL证书用作根证书？

Question

So I want to have a non-CA certificate as root certificate in an TLS connection in node.js. However the certificate always seems to be considered a CA.

I am generating the root certificate with

openssl req -new -nodes -subj "/CN=ClientName1" -keyout client-key.pem -out client-csr.pem
openssl x509 -req -signkey client-key.pem -in client-csr.pem -out client-cert.pem -extfile v3.ext

(analogous for the server)

and a test-certificate like this

openssl req -new -nodes -subj "/CN=ClientName2" -keyout client-key2.pem -out client-csr2.pem
openssl x509 -req -in client-csr2.pem -out client-cert2.pem -extfile v3.ext -CA client-cert.pem -CAkey client-key.pem -CAcreateserial

with v3.ext being

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE

Now the server accepts client-cert as well as client-cert2, however if I generate a third (client-cert3) signed by client-cert2, the server does not accept it. So the root certificate appears to be considered a CA no matter what. Is there a way around it without purposely generating a throwaway dummy root certificate which is only used to sign that one single client-cert?

I am using it like this:

var options = {
    key: fs.readFileSync('server-key.pem'),
    cert: fs.readFileSync('server-cert.pem'),

    requestCert: true,
    rejectUnauthorized: true,

    ca: [fs.readFileSync('client-cert.pem')], 

    port: 15151 
};

var server = tls.createServer(options, function (socket) {});

PS Also when testing to use client-cert2.pem as root, the server does not accept clients using client-cert2, nor client-cert3, nor client-cert.

Answer 1

Anything which is used to sign another certificate must have the appropriate key usage restrictions. If the the usage restrictions do not allow a certificate to work as a CA you cannot work around it because validation of the certificate chain is done by the client and not by the server.