Walkthrough: Configuring Sitecore CA certificates for Node.js

Current version: 21.6

In local environments, Sitecore instances are installed using privately signed certificates. However, these are rejected by Node.js since their root CAs are not known. From Node.js 7.3.0 and onwards, it is possible to add well-known extra certificates to Node.js with a NODE_EXTRA_CA_CERTS environment variable.

If you do not have privately signed certificates configured correctly, you will see errors with the code UNABLE_TO_VERIFY_LEAF_SIGNATURE when running your JSS application. For example:

Error: unable to verify the first certificate
 type: 'system',
Error occurred while trying to proxy request /sitecore/api/layout/render/jss?item=%2F&sc_apikey={A6AAE4C9-EEFF-4728-BDCB-80292FDB16EC} 
from localhost:3000 to <https://cm.localhost> (UNABLE_TO_VERIFY_LEAF_SIGNATURE)

This walkthrough guides you through the required steps for configuring Node.js to accept privately signed SSL certificates:

  • If you are using Sitecore Containers, identify the certificate file used by your Sitecore instance.

  • Provide the certificates to the Node.js environment.

Identify the certificate file used in your Sitecore Containers instance

For Docker-based Sitecore containers, the certificate file was created by mkcert during the project setup.

To find the certificate location, in a terminal, in the root directory of your project, run the following command:

mkcert -CAROOT

The certificate is in PEM format and is called rootCA.pem by default. Your file path will look something like C:\Users\<username>\AppData\Local\mkcert\rootCA.pem.

Provide the certificates to the Node.js environment

To include your certificates in the Node.js environment, you must add them to the well-known root certificates of Node.js.


Adding it to a .env file and using the dotenv library does not work because environment variables defined this way are loaded too late for Node.js to recognize.

To provide the certificates, you have several options, all using the NODE_EXTRA_CA_CERTS:

  • In the local or system environment run the command:

    setx NODE_EXTRA_CA_CERTS <file>

    To set the certificates for the entire system use the optional /m parameter.

    Restart the terminal or the code editor for the change to take effect.

  • In a PowerShell session, run the following script:


    You need to repeat this step when you start a new session.

  • In the package.json file of your JSS application, modify the script start:connected:

    "start:connected": "cross-env-shell NODE_EXTRA_CA_CERTS=<file> ..."

Do you have some feedback for us?

If you have suggestions for improving this article,