
Client certificates with Node.js on AWS

Aug 09, 2017

In this post, I'm going to share how I set up a Node.js server behind an AWS load balancer that can receive client certificates.

Background

For those not in the know, client certificates are used all over healthcare—they form the trust backbone of networks like DIRECT, Commonwell, and The Sequoia Project. In most places where APIs are consumed, there is only one certificate pair—the server certificate. Some magic called a "TLS Handshake" happens, and using only the one pair, all traffic is encrypted.

Client certificates add a second pair of certificates, and as you can imagine, they belong to the client. They present an older (but still relatively sane and secure) method of authentication. The process goes something like this:

  • Some kind of manual exchange of the client certificate's public key happens, and it gets stored on the server application. This is usually done in the context of a phone call/e-mail conversation.

  • The client is configured to use said public key and private key when making requests to the server.

  • Incoming requests to the server need to be examined for the client certificate sent as part of the HTTPS request.

  • The server needs to look up the sender via the public key already on file.

  • The server needs to validate that the sender also has the private key, usually in the form of a signature.

Long story short, it's similar in complexity to an OAuth style API authentication scheme, but relies on two organizations having a trust relationship ahead of time to share a public key.

Setting up a test environment

To test HTTPS with client certificates, you'll need a client that supports it.

The desktop (non-Chrome) version of Postman supports them, or you can write a really basic Node application like this one to test: