20 changes: 10 additions & 10 deletions doc/api/cli.md
Expand Up @@ -3148,21 +3148,18 @@ On platforms other than Windows and macOS, this loads certificates from the dire
and file trusted by OpenSSL, similar to `--use-openssl-ca`, with the difference being
that it caches the certificates after first load.

On Windows and macOS, the certificate trust policy is planned to follow
[Chromium's policy for locally trusted certificates][]:
On Windows and macOS, the certificate trust policy is similar to
[Chromium's policy for locally trusted certificates][], but with some differences:

On macOS, the following settings are respected:

* Default and System Keychains
* Trust:
* Any certificate where the “When using this certificate” flag is set to “Always Trust” or
* Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Always Trust.”
* Distrust:
* Any certificate where the “When using this certificate” flag is set to “Never Trust” or
* Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Never Trust.”
* Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Always Trust”.
* The certificate must also be valid, with "X.509 Basic Policy" set to “Always Trust”.

On Windows, the following settings are respected (unlike Chromium's policy, distrust
and intermediate CA are not currently supported):
On Windows, the following settings are respected:

* Local Machine (accessed via `certlm.msc`)
* Trust:
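Review bot: The reworded intro ending "but with some differences:" (just above the macOS list) never says what the differences are, so a reader cannot tell which Chromium behaviours are missing. If the "When using this certificate" and Distrust bullets are being dropped from the macOS list, say explicitly that those settings are not honoured, since a user who marked a certificate "Never Trust" would otherwise assume Node.js respects that. The Windows parenthetical "distrust and intermediate CA are not currently supported" also appears to be removed here, and nothing else visible in this diff restates the intermediate CA limitation; keep that statement if it still holds. Minor: "X.509 Basic Policy" uses straight quotes while the neighbouring bullets use curly quotes.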
Expand All @@ -3177,8 +3174,11 @@ and intermediate CA are not currently supported):
* Trusted Root Certification Authorities
* Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities

On Windows and macOS, Node.js would check that the user settings for the certificates
do not forbid them for TLS server authentication before using them.
On Windows and macOS, Node.js would check that the user settings for the trusted
certificates do not forbid them for TLS server authentication before using them.

Node.js currently does not support distrust/revocation of certificates
from another source based on system settings.

On other systems, Node.js loads certificates from the default certificate file
(typically `/etc/ssl/cert.pem`) and default certificate directory (typically
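Review bot: In the added paragraph "Node.js currently does not support distrust/revocation of certificates from another source based on system settings.", the phrase "from another source" is ambiguous: it does not say which sources are meant or what the practical consequence is. Suggest naming the sources and stating the effect directly, for example that a certificate loaded from a different CA source stays trusted even when the system settings mark it as distrusted. Also, "Node.js would check that the user settings for the trusted certificates do not forbid them" reads as conditional; "Node.js checks" describes the actual behaviour more clearly.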