`tls.getCACertificates("default")` always returns an empty list when using `--use-openssl-ca` · Issue #64258 · nodejs/node · GitHub
tls.getCACertificates("default") always returns an empty list when using --use-openssl-ca #64258

Description

@jvmdc

Version

v26.4.0

Platform

Linux jvm1 6.17.0-1025-oem #25-Ubuntu SMP PREEMPT_DYNAMIC Fri May 29 12:11:29 UTC 2026 x86_64 GNU/Linux

Subsystem

tls

What steps will reproduce the bug?

  1. Run `NODE_OPTIONS="--use-openssl-ca" node -e 'console.log("Default certificates:", tls.getCACertificates("default")); fetch("https://example.org").then(rsp => console.log("HTTP status code:", rsp.status));'`

Its output (provided your default OpenSSL certs are fairly standard) will be:

```
Default certificates: []
HTTP status code: 200
```

As can be seen, the request to https://example.org succeeds despite us having no default certificates according to `tls.getCACertificates("default")`.

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

I would expect tls.getCACertificates("default") to return the certificates provided by OpenSSL that NodeJS uses to verify the certificate chain. I expect this since the documentation for the "default" type in tls.getCACertificates states: "return the CA certificates that will be used by the Node.js TLS clients by default".

What do you see instead?

An empty array

Additional information

Invoking `tls.setDefaultCACertificates([])` and fetching https://example.org afterwards does cause `UNABLE_TO_GET_ISSUER_CERT_LOCALLY`.
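
A guard for tooling that treats `tls.getCACertificates("default")` as a trust-store inventory, written as an added example (not code from the issue or from Node.js). `auditDefaultCAStore`, `opensslCaRequested` and the reason strings are hypothetical names, and treating a non-empty list under `--use-openssl-ca` as unverified is a conservative assumption beyond the empty-list case reported above.

```javascript
// Added example: not code from the issue or from Node.js itself.
const tls = typeof require === 'function'
  ? require('node:tls')                     // CommonJS
  : process.getBuiltinModule('node:tls');   // ES module

// Node accepts underscores in place of dashes in option names, and the
// flag can arrive through NODE_OPTIONS or on the command line.
function opensslCaRequested(execArgv, nodeOptions) {
  return [...nodeOptions.split(/\s+/), ...execArgv]
    .some((flag) => flag.replace(/_/g, '-') === '--use-openssl-ca');
}

// Hypothetical helper: can the list from tls.getCACertificates('default')
// be trusted as an inventory of the CAs that TLS clients will accept?
function auditDefaultCAStore({
  execArgv = process.execArgv,
  nodeOptions = process.env.NODE_OPTIONS || '',
  getCerts = () => (typeof tls.getCACertificates === 'function'
    ? tls.getCACertificates('default')
    : null),                                // API missing on older Node.js
} = {}) {
  const certs = getCerts();
  if (certs === null) {
    return { authoritative: false, reason: 'api-unavailable', count: 0 };
  }
  if (opensslCaRequested(execArgv, nodeOptions)) {
    // Reported case: empty list while handshakes still verify against
    // OpenSSL's store. An explicit tls.setDefaultCACertificates([]) also
    // gives an empty list, so the list alone cannot separate the two.
    // Non-empty lists under the flag are not covered by the issue; they
    // are treated as unverified here (assumption of this example).
    const reason = certs.length === 0
      ? 'openssl-ca-not-reported'
      : 'unverified-under-openssl-ca';
    return { authoritative: false, reason, count: certs.length };
  }
  const reason = certs.length === 0 ? 'empty-store' : 'listed';
  return { authoritative: true, reason, count: certs.length };
}

console.log(auditDefaultCAStore());
```

A result with `authoritative: false` means the certificate list should not be used for CA inventory or pinning audits in that process.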
