
doc: clarify --use-system-ca support status · nodejs/node@ca39540

@@ -3142,21 +3142,18 @@ On platforms other than Windows and macOS, this loads certificates from the dire

31423142

and file trusted by OpenSSL, similar to `--use-openssl-ca`, with the difference being

31433143

that it caches the certificates after first load.

314431443145-

On Windows and macOS, the certificate trust policy is planned to follow

3146-

[Chromium's policy for locally trusted certificates][]:

3145+

On Windows and macOS, the certificate trust policy is similar to

3146+

[Chromium's policy for locally trusted certificates][], but with some differences:

3147314731483148

On macOS, the following settings are respected:

3149314931503150

* Default and System Keychains

31513151

* Trust:

31523152

* Any certificate where the “When using this certificate” flag is set to “Always Trust” or

3153-

* Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Always Trust.”

3154-

* Distrust:

3155-

* Any certificate where the “When using this certificate” flag is set to “Never Trust” or

3156-

* Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Never Trust.”

3153+

* Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Always Trust”.

3154+

* The certificate must also be valid, with "X.509 Basic Policy" set to “Always Trust”.

315731553158-

On Windows, the following settings are respected (unlike Chromium's policy, distrust

3159-

and intermediate CA are not currently supported):

3156+

On Windows, the following settings are respected:

3160315731613158

* Local Machine (accessed via `certlm.msc`)

31623159

* Trust:
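
Review bot: The macOS list loses its "Distrust:" entries here, and nothing in this section says what now happens to a certificate marked "Never Trust". The Windows intro likewise drops the parenthetical that named distrust and intermediate CA as unsupported. The new lead sentence ends in "but with some differences:", yet the lines that follow list the respected settings rather than the differences. Consider stating at this point that "Never Trust" settings are not honored, and saying explicitly whether intermediate CAs are now supported on Windows, so a reader auditing trust behavior does not have to infer it from deleted text. Minor style point: "X.509 Basic Policy" is in straight quotes while the neighbouring flag names use curly quotes.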

@@ -3171,8 +3168,11 @@ and intermediate CA are not currently supported):

31713168

* Trusted Root Certification Authorities

31723169

* Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities

317331703174-

On Windows and macOS, Node.js would check that the user settings for the certificates

3175-

do not forbid them for TLS server authentication before using them.

3171+

On Windows and macOS, Node.js would check that the user settings for the trusted

3172+

certificates do not forbid them for TLS server authentication before using them.

3173+3174+

Node.js currently does not support distrust/revocation of certificates

3175+

from another source based on system settings.

3176317631773177

On other systems, Node.js loads certificates from the default certificate file

31783178

(typically `/etc/ssl/cert.pem`) and default certificate directory (typically
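
Review bot: "from another source" in the added sentence "Node.js currently does not support distrust/revocation of certificates from another source based on system settings." does not say which sources are meant. Name them (for example the bundled CA store or certificates supplied through `NODE_EXTRA_CA_CERTS`) so it is clear that a certificate distrusted in the OS store remains trusted when it also arrives by one of those routes. In the reworded paragraph just above it, "would check" reads as conditional; since the sentence describes current behavior, "checks" would be clearer.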