Read from $NODE_EXTRA_CA_CERTS instead of server.https?

[MarcusCaspeco]

Hi.

I am dealing with local TLS certs and I am probably just a bit confused on how all this works, but here goes:

I am using mkcert to generate a local CA for development certificates. All developers will run a script that adds this CA + generates the certificates locally.

This works great e.g. for C# which automatically trusts any certificate that is in the system store. Unfortunately Node.js doesn't do this automatically¹ so I need to set NODE_EXTRA_CA_CERTS to point to my rootCA.pem file, which is fine. I can do that in the installation script when I run mkcert, and I've seen that this environment variable works great in tsx for example.

However, vite does not seem to respect the NODE_EXTRA_CA_CERTS environment variable, and I would like it to. Maybe this is a misunderstanding on my part, I was hoping it would pick it up automatically, but it didn't. Is there a way for me to make sure it respects it?

I know about server.https which I could set like this in vite.config.ts:

export default defineConfig({
    // ...
    server: {
		// ...
        https: {
            ca: "C:/Path/To/rootCA.pem"
        }
    }
]);

This still doesn't seem to work, when I open Chrome it says ERR_SSL_VERSION_OR_CIPHER_MISMATCH. It is also my understanding that this would override the other CAs which is not really what I want.

What DOES work however, is if I set cert and key:

export default defineConfig({
    // ...
    server: {
		// ...
        https: {
            cert: "C:/Path/To/cert.pem",
            key: "C:/Path/To/cert-key.pem"
        }
    }
]);

But I don't want to have to specify the keys specifically, I wish it would just automatically trust my local CA and listen to the NODE_EXTRA_CA_CERTS variable. Is this possible at all with vite? Am I just really confused and getting two different concepts mixed up (probably yes)?

Footnotes

1. --use-system-ca was added just the other week in Node.js v23.8.0, but I need to support Node LTS which is currently v22.14.0. ↩

[MarcusCaspeco]

I think I am confusing two concepts, servers need to present certs/keys and clients need to validate outgoing HTTPS requests with system CAs. So I probably want the cert/key here, and the NODE_EXTRA_CA_CERTS is irrelevant. The client code in the browser does the outgoing HTTPS requests which doesn't have to do with vite, that's why it works here.

I still need NODE_EXTRA_CA_CERTS for some other Node.js projects I have, unrelated to vite, since they acts as clients in those cases. I just figured "both are Node.js, why would it be different", but clearly they are doing different things.