Walkthrough: Configuring Sitecore CA certificates for Node.js


Avoid/fix Node.js errors caused by privately signed SSL certificates

In local environments, Sitecore instances are installed using privately signed certificates. However, these are rejected by Node.js since their root CAs are not known. From Node.js 7.3.0 and onwards, it is possible to add well-known extra certificates to Node.js with a NODE_EXTRA_CA_CERTS environment variable.

If you do not have privately signed certificates configured correctly, you will see errors with the code UNABLE_TO_VERIFY_LEAF_SIGNATURE when running your JSS application. For example:

Error: unable to verify the first certificate
 type: 'system',
Error occurred while trying to proxy request /sitecore/api/layout/render/jss?item=%2F&sc_apikey={A6AAE4C9-EEFF-4728-BDCB-80292FDB16EC} 
from localhost:3000 to <https://cm.localhost> (UNABLE_TO_VERIFY_LEAF_SIGNATURE)

This walkthrough guides you through the required steps for configuring Node.js to accept privately signed SSL certificates:

  • If you are using Sitecore Containers, identify the certificate file used by your Sitecore instance. Alternatively, create the certificate file for a SIF Sitecore installation.

  • Provide the certificates to the Node.js environment.

Identify the certificate file used in your Sitecore Containers instance

For Docker-based Sitecore containers, the certificate file was created by mkcert during the project setup.

To find the certificate location, in a terminal, in the root directory of your project, run the following command:

mkcert -CAROOT

The certificate is in PEM format and is called rootCA.pem by default. Your file path will look something like C:\Users\<username>\AppData\Local\mkcert\rootCA.pem.

Create the certificate file for use in a Sitecore on-prem instance

For Sitecore instances installed with the Sitecore Installation Framework (SIF), you must export the certificate from the Windows Certificate Store.

To export the certificate:

  1. Open Windows certificates manager for the local computer using certlm from the command line or by searching for "Manage Computer Certificates."

  2. Under Trusted Root Certification > Certificates, right-click the Sitecore Installation Framework certificate, then click All Tasks, then Export.

  3. In the new window, click Next.

  4. In the Export File Format screen, select Base-64 encoded X.509 (.CER) and click Next.

  5. Enter a file name, for example, SIFRoot.cer and a location to store the .cer file. Click Next, then Finish.


If you have both Sitecore Containers and on-prem instances, you can combine the certificates into a single file. For example:

{your mkcert certificate}

{your SIF certificate}

Provide the certificates to the Node.js environment

To include your certificates in the Node.js environment, you must add them to the well-known root certificates of Node.js.


Adding it to a .env file and using the dotenv library does not work because environment variables defined this way are loaded too late for Node.js to recognize.

To provide the certificates, you have several options, all using the NODE_EXTRA_CA_CERTS:

  • In the local or system environment run the command:

    setx NODE_EXTRA_CA_CERTS <file>

    To set the certificates for the entire system use the optional /m parameter.

    Restart the terminal or the code editor for the change to take effect.

  • In a PowerShell session, run the following script:


    You need to repeat this step when you start a new session.

  • In the package.json file of your JSS application, modify the script start:connected:

    "start:connected": "cross-env-shell NODE_EXTRA_CA_CERTS=<file> ..."