(Node.js) Examine Client Certificates for an Accepted TLS Connection

Demonstrates how to access the client certificates for a TLS connection accepted by your application acting as the server.

Install Chilkat for Node.js and Electron using npm at Chilkat npm packages for Node.js Chilkat npm packages for Electron on Windows, Linux, MacOS

var os = require('os');
if (os.platform() == 'win32') {  
  var chilkat = require('@chilkat/ck-node23-win64'); 
} else if (os.platform() == 'linux') {
    if (os.arch() == 'arm') {
        var chilkat = require('@chilkat/ck-node23-linux-arm');
    } else if (os.arch() == 'arm64') {
        var chilkat = require('@chilkat/ck-node23-linux-arm64');
    } else {
        var chilkat = require('@chilkat/ck-node23-linux-x64');
    }
} else if (os.platform() == 'darwin') {
  var chilkat = require('@chilkat/ck-node23-mac-universal');
}

function chilkatExample() {

    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    var listenSslSocket = new chilkat.Socket();

    // An SSL/TLS server needs a digital certificate.  This example loads it from a PFX file.
    // This is the server's certificate.

    var cert = new chilkat.Cert();
    var success = cert.LoadPfxFile("qa_data/serverCert/myServerCert.pfx","pfx_password");
    if (success !== true) {
        console.log(cert.LastErrorText);
        return;
    }

    // To accept client client certificates in the TLS handshake,
    // we must indicate a list of acceptable client certificate root CA DN's
    // that are allowed.  (DN is an acronym for Distinguished Name.)
    // Call AddSslAcceptableClientCaDn once for each acceptable CA DN.
    // Here are a few examples so you can see the general format of a DN.
    listenSslSocket.AddSslAcceptableClientCaDn("C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root");
    listenSslSocket.AddSslAcceptableClientCaDn("O=Digital Signature Trust Co., CN=DST Root CA X3");

    // Initialize with our server's TLS certificate.
    success = listenSslSocket.InitSslServer(cert);
    if (success !== true) {
        console.log(listenSslSocket.LastErrorText);
        return;
    }

    // Bind and listen on a port:
    var myPort = 8123;
    // Allow for a max of 5 queued connect requests.
    var backLog = 5;
    success = listenSslSocket.BindAndListen(myPort,backLog);
    if (success !== true) {
        console.log(listenSslSocket.LastErrorText);
        return;
    }

    // Accept the next incoming connection.
    var maxWaitMillisec = 20000;
    // clientSock: Socket
    var clientSock = listenSslSocket.AcceptNextConnection(maxWaitMillisec);
    if (listenSslSocket.LastMethodSuccess == false) {
        console.log(listenSslSocket.LastErrorText);
        return;
    }

    // Examine the client certs chain.  The 1st cert will be the client certificate, and
    // the subsequent certs will be the certs in the chain of authentication.
    var numClientCerts = clientSock.NumReceivedClientCerts;
    console.log("numClientCerts = " + numClientCerts);

    var i = 0;
    while (i < numClientCerts) {
        // clientCert: Cert
        var clientCert = clientSock.GetReceivedClientCert(i);
        console.log(clientCert.SubjectDN);

        i = i+1;
    }

    // Close the connection with the client
    success = clientSock.Close(1000);


}

chilkatExample();