Install SSL on Node.js

Load your SSL certificate directly in the Node.js https module and serve your Express app over HTTPS.

Before You Begin

You will need these three files from your SSL certificate download:

certificate.crtYour SSL certificate
private.keyYour private key - keep this secure
ca_bundle.crtCA bundle (intermediate certificates)

Installation Steps

  1. Upload certificate files

    Copy your certificate files to a secure directory on your server.

    /etc/ssl/certs/certificate.crt
    /etc/ssl/private/private.key
    /etc/ssl/certs/ca_bundle.crt
  2. Install Node.js dependencies

    Ensure Node.js is installed. No additional packages are needed - the built-in https module handles TLS.

  3. Create an HTTPS server

    Use the https module to create a server that loads your certificate files.

    const https = require('https');
    const fs = require('fs');
    const app = require('./app'); // your Express app

    const options = {
    cert: fs.readFileSync('/etc/ssl/certs/certificate.crt'),
    key: fs.readFileSync('/etc/ssl/private/private.key'),
    ca: fs.readFileSync('/etc/ssl/certs/ca_bundle.crt'),
    };

    https.createServer(options, app).listen(443, () => {
    console.log('HTTPS server running on port 443');
    });
  4. Redirect HTTP to HTTPS

    Add a plain HTTP server that redirects all traffic to HTTPS.

    const http = require('http');
    http.createServer((req, res) => {
    res.writeHead(301, { Location: 'https://' + req.headers.host + req.url });
    res.end();
    }).listen(80);

Common Issues

EACCES on port 443
Node.js cannot bind to ports below 1024 without elevated privileges. Run the server with sudo node server.js, or use a process manager like PM2 with the cap_net_bind_service capability set. In production, a reverse proxy (Nginx) terminating TLS is the recommended approach.
CERT_HAS_EXPIRED
Your certificate has expired. Let's Encrypt certificates are valid for 90 days. Generate a new certificate on SSLs For Free and replace the files on your server - no code changes needed, just restart the Node.js process.
SEC_ERROR_UNKNOWN_ISSUER
The ca option in your server options is missing or points to an empty file. Ensure ca_bundle.crt was downloaded correctly and is not an empty file. This provides browsers with the intermediate certificate chain.

Frequently Asked Questions

It is more common to put Nginx or a load balancer in front of Node.js, terminating TLS at the proxy and forwarding plain HTTP to Node.js internally. This avoids the root permission issue, makes certificate rotation easier, and allows you to use Nginx's performance features.

Yes. Pass your Express app to https.createServer(options, app) - the HTTPS server wraps Express transparently. Express does not need any changes to work over HTTPS.

You can watch the certificate files for changes with fs.watch() and recreate the HTTPS server on change. A simpler production approach is to use a reverse proxy like Nginx that handles certificate rotation independently - the proxy reloads its cert while Node.js keeps running unchanged.

Certificate Installed? Set Up Expiry Monitoring.

Get an email reminder 14 days before your certificate expires - free, no account needed.