
How to send ssl certificate chain to client

I've created a Node.js WebSocket server, or a Python-based one. How do I send the certificate chain to the WebSocket browser client so that the connection becomes trusted?

I've described this problem here. I see that in the example code the servers use two certificates - the key and the public one. However, the "ca-bundle" file isn't being used in either of the examples. The Apache web server, however, uses all three certificates.

Apache has separate configuration options for a file containing the server's endpoint cert, which it reads from the pathname defined by SSLCertificateFile, and for a file containing intermediate cert chain, which it reads from the pathname defined by SSLCertificateChainFile.

Python wants the endpoint and intermediate certs to be collected together in a single file, with the server's endpoint cert appearing as the first cert in that file and the intermediate certs following afterwards. The pathname of that file should be passed as the certfile argument to ssl.wrap_socket() or ssl.SSLContext.load_cert_chain(), or to whatever higher-level API you're using to construct your HTTPS server. You can construct this single combined file for Python by simply pasting together the content of the two Apache files.

Node.js wants the endpoint and intermediate certs to be collected together as a single string, with the server's endpoint cert appearing as the first cert in that string and the intermediate certs following afterwards — which is the same order as Python wants them. This string is passed as the cert member of the options argument to https.createServer(), or to whatever other API you are using to construct your HTTPS server. It's up to you to construct the certificate string. Your program could do that by reading the certs from the two separate files that Apache uses and then joining the strings together, or it could read them all in one go from the single combined endpoint+intermediate file that you created for use by Python.
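
An added example, not part of the original answer: one way to build the combined endpoint+intermediate file from the two Apache-style files and load it into a Python server context. The function names and the rule that the endpoint file holds exactly one cert are assumptions made for this sketch.

```python
import re
import ssl
import tempfile
from pathlib import Path

# Matches one PEM certificate block; tolerant of CRLF line endings.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def pem_certs(text):
    """Return the PEM certificate blocks found in text, in file order."""
    return PEM_CERT.findall(text)

def build_chain(endpoint_pem, intermediates_pem):
    """Join endpoint cert and intermediates into one PEM string, endpoint first.

    Each block is re-emitted on its own lines, which avoids the fused
    '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' boundary that
    plain concatenation produces when a file lacks a trailing newline.
    """
    endpoint = pem_certs(endpoint_pem)
    # Assumption: the endpoint file holds only the server's own cert.
    if len(endpoint) != 1:
        raise ValueError(f"expected exactly 1 endpoint cert, found {len(endpoint)}")
    intermediates = pem_certs(intermediates_pem)
    if not intermediates:
        raise ValueError("no intermediate certs found in chain file")
    return "\n".join(endpoint + intermediates) + "\n"

def server_context(cert_path, chain_path, key_path):
    """Build a server-side SSLContext that presents the full chain."""
    chain = build_chain(Path(cert_path).read_text(), Path(chain_path).read_text())
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # load_cert_chain() takes a path, so write the combined (public) certs out.
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(chain)
    try:
        ctx.load_cert_chain(certfile=f.name, keyfile=key_path)
    finally:
        Path(f.name).unlink()
    return ctx
```

The string returned by build_chain() has the same endpoint-first order that the answer describes for the cert option in Node.js.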
