
In npm add support for Windows certificate store #8388

Closed
@Raviva-boop

Description

We operate in a tightly controlled Zero Trust Policy network environment, where strict security controls are enforced across all network traffic and endpoints. As part of our infrastructure policy, we utilize a private npmjs mirror to handle package installations internally. This mirror is secured using TLS certificates issued by our organization's internal Certificate Authorities (CAs), which are managed centrally by our enterprise IT security team.

On Windows systems, these internal CA certificates are trusted by default and made available through the Windows Certificate Store (WCS). Applications that are properly integrated with the Windows Crypto API can seamlessly trust our internal CAs and therefore connect securely to internal services like our npm registry mirror without needing any manual intervention or custom configuration.

Unfortunately, npm (Node Package Manager) does not currently support reading trusted certificates directly from the Windows Certificate Store. Instead, it relies on Node.js's built-in certificate handling, which uses a static list of root certificates embedded in the Node.js binary. As a result, npm fails to trust our internal CA certificates unless we manually export them from WCS and reconfigure npm to use them.
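The manual workaround the description mentions (exporting the internal CA from the Windows Certificate Store and pointing npm at it), as an added PowerShell example that is not part of the original issue or of npm. The subject filter `Example Corp Root CA` and the output file name are placeholders to replace with your own values.

```powershell
# Added example: export internal CA certificates from the Windows Certificate
# Store to a PEM bundle and configure npm / Node.js to trust it.
# ASSUMPTIONS (placeholders, not from the issue): subject filter and file name.
$subjectMatch = 'Example Corp Root CA'
$outFile      = Join-Path $env:USERPROFILE 'internal-ca-bundle.pem'

# Root and intermediate CA stores of the local machine; skip expired certs.
$certs = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*$subjectMatch*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object Thumbprint -Unique

if (-not $certs) {
    throw "No unexpired certificate with a subject matching '$subjectMatch' was found."
}

# Show what is about to be trusted so the thumbprints can be checked against
# the values published by the team that operates the CA.
$certs | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Convert each certificate (DER bytes) to PEM with 64-character lines.
$pemBlocks = foreach ($c in $certs) {
    $b64   = [Convert]::ToBase64String($c.RawData)
    $lines = $b64 -split '(.{64})' | Where-Object { $_ }
    "-----BEGIN CERTIFICATE-----"
    $lines
    "-----END CERTIFICATE-----"
}
Set-Content -Path $outFile -Value $pemBlocks -Encoding ascii

# Option 1: npm only. Registry TLS connections trust the CAs in this file.
npm config set cafile $outFile

# Option 2: every Node.js process of this user. The bundle is added to the
# root list built into Node.js rather than replacing it.
[Environment]::SetEnvironmentVariable('NODE_EXTRA_CA_CERTS', $outFile, 'User')
```

The exported bundle is a static copy: when the internal CA is rotated or revoked in the Windows Certificate Store, the file has to be regenerated, which is the maintenance burden the issue asks npm to remove.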
