I am looking for a way to add a custom CA to NPM so I can download from a location using said certificate (an internal git-server) without having to nuke all CA-checking with
npm config set strict-ssl false
Is there any way of achieving this or not? (if not: is there already a defect?)
Answer
You can point npm to a cafile
npm config set cafile /path/to/cert.pem
You can also configure ca string(s) directly.
npm config set ca "cert string"
ca can be an array of cert strings too. In your .npmrc:
ca[]="cert 1 base64 string"
ca[]="cert 2 base64 string"
The npm config commands above will persist the relevant config items to your ~/.npmrc file:
cafile=/path/to/cert.pem
Note: these CA settings will override the default "real world" certificate authority lookups that npm uses. If you try and use any public npm registries via https that aren't signed by your CA certificate, you will get errors.
If you need to support both public https npm registries as well as your own, you could use curl's Mozilla based CA bundle and append your CA cert to the cacert.pem file:
curl https://curl.haxx.se/ca/cacert.pem > ~/.npm.certs.pem
cat my-ca-cert.pem >> ~/.npm.certs.pem
npm config set cafile ~/.npm.certs.pem
Unfortunately npm's CA bundle is not editable as it's provided in the source code (thanks tomekwi) but nitzel has provided a generic Node.js method to append a certificate via the NODE_EXTRA_CA_CERTS environment variable.
RHEL Note: If you happen to be using a RHEL based distro and the RHEL packaged nodejs/npm you can use the standard update-ca-trust method as RedHat points their packages at the system CA's.