io.js/node.js zero-config HTTPS server example (complete with bogus TLS/SSL 2048-bit RSA certs)
Latest commit a82ca55 Aug 10, 2018
Type Name Latest commit message Commit time
bin use sha256 certs Jul 13, 2015
certs use sha256 certs Jul 13, 2015
public clarify Feb 3, 2015
.gitignore Initial commit Jan 28, 2015
LICENSE Initial commit Jan 28, 2015 update Aug 10, 2018
app.js clarify Feb 3, 2015
package.json support npm start command Nov 7, 2015
serve.js fix bug overwriting `ip` Nov 13, 2015

Update: Just use Greenlock

Greenlock for Express.js - Certificates issued via Let's Encrypt

HTTPS 2048-bit RSA TLS/SSL Cert Example

This is targeted towards people who are using io.js / node.js, but as far as generating and testing certs, these are the exact same openssl commands you'd use with any language.



See the full article at How to create a Certificate Signing Request (CSR) for HTTPS (TLS/SSL) RSA PEMs

Zero-Config Example

Clone and run - it's that easy.

  1. Clone the Example

git clone

pushd nodejs-ssl-example

npm install
node ./serve.js 8043 4080
  2. Go to

Then visit

Note that will redirect to https.

Note: This points to your localhost but since it's very difficult to develop, especially with HTTPS, with, localhost, or file://, I maintain and for examples such as this one.

Note: Your browser will warn you that the server is using a bogus certificate authority. That's okay for the purposes of this example.

Special Notes

The key to this example is that the certs are not self-signed root certificates. Using self-signed root certs is the stupidest thing that anyone ever tried to do in a browser.

Instead, the self-signed Root CA is used to sign the certificate that the browser / other http client will use. That's why this example works where others fail. It doesn't violate the rules for Root certs.

If only the world knew that all you have to do to fix Self-Signed Certificate errors is to create one additional certificate and serve that instead of the root...
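
The chain described above, as an added example that is not code from this repository: a root CA signs a separate server certificate, and two checks confirm that the server certificate verifies against the root and that only the root is self-issued. File names, subject names, the 30-day lifetime and the hostname `local.example.test` are assumptions.

```sh
#!/bin/sh
# Added example (not from the repository). File names, subjects and the
# hostname are assumptions chosen for illustration.

# make_chain DIR HOST: create a root CA in DIR and a server cert for HOST signed by it.
make_chain() {
  dir="$1"; host="$2"
  mkdir -p "$dir" || return 1
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Dev Signing Authority
CN = example-dev-root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Root CA: the only self-signed certificate; clients import it as a trust anchor.
  openssl genrsa -out "$dir/root-ca.key.pem" 2048 2>/dev/null || return 1
  openssl req -x509 -new -sha256 -days 30 -config "$dir/ca.cnf" \
    -key "$dir/root-ca.key.pem" -out "$dir/root-ca.crt.pem" || return 1
  # 2. Server key and CSR (-subj overrides the [dn] section above).
  openssl genrsa -out "$dir/server.key.pem" 2048 2>/dev/null || return 1
  openssl req -new -sha256 -config "$dir/ca.cnf" -subj "/O=Example Dev/CN=$host" \
    -key "$dir/server.key.pem" -out "$dir/server.csr.pem" || return 1
  # 3. The root CA signs the CSR; the leaf is marked CA:FALSE and carries HOST as a SAN.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -sha256 -days 30 -in "$dir/server.csr.pem" \
    -CA "$dir/root-ca.crt.pem" -CAkey "$dir/root-ca.key.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt.pem" 2>/dev/null || return 1
}

# chain_ok DIR: succeeds if the server cert verifies against the root CA.
chain_ok() {
  openssl verify -CAfile "$1/root-ca.crt.pem" "$1/server.crt.pem" >/dev/null 2>&1
}

# is_self_signed CERT: succeeds if issuer and subject names match (self-issued).
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

demo_dir="$(mktemp -d)"   # throwaway directory for the demo run
make_chain "$demo_dir" local.example.test && chain_ok "$demo_dir" && echo "server cert chains to root CA"
```

The HTTPS server is given only `server.key.pem` and `server.crt.pem`; clients trust `root-ca.crt.pem`, and the root key never needs to be on the server.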

Full Article

See the full article at How to create a Certificate Signing Request (CSR) for HTTPS (TLS/SSL) RSA PEMs

SSL Warnings

This example uses dummy SSL certificates that are not recognized by your browser.

There's nothing wrong with the example. The browser security warnings are normal. It's simply your browser letting you know that these certificates are not from a recognized vendor.

If you deploy your "real" app publicly you should swap them with your own certificates.

TODO: During Summer 2015 Mozilla will make basic SSL certificates available to all web hosts for free (see Let's Encrypt). Someone remind me to come back and update the instructions for the free certificates if this notice is still here in August.

Other SSL Resources

Zero-Config clone 'n' run (tm) Repos:

