--use-system-ca

Node.js 使用系统存储中存在的受信任 CA 证书以及 --use-bundled-ca 选项和 NODE_EXTRA_CA_CERTS 环境变量。在 Windows 和 macOS 以外的平台上，这会从 OpenSSL 信任的目录和文件加载证书，类似于 --use-openssl-ca，不同之处在于它在第一次加载后缓存证书。

¥Node.js uses the trusted CA certificates present in the system store along with the --use-bundled-ca option and the NODE_EXTRA_CA_CERTS environment variable. On platforms other than Windows and macOS, this loads certificates from the directory and file trusted by OpenSSL, similar to --use-openssl-ca, with the difference being that it caches the certificates after first load.

在 Windows 和 macOS 上，证书信任策略计划遵循 Chromium 的本地受信任证书策略：

¥On Windows and macOS, the certificate trust policy is planned to follow Chromium's policy for locally trusted certificates:

在 macOS 上，遵循以下设置：

¥On macOS, the following settings are respected:

• 默认和系统密钥串

  ¥Default and System Keychains

  • 信任：

    ¥Trust:

    • 任何将“使用此证书时”标志设置为“始终信任”的证书或

      ¥Any certificate where the “When using this certificate” flag is set to “Always Trust” or

    • 任何将“安全套接字层 (SSL)”标志设置为“始终信任”的证书。

      ¥Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Always Trust.”

  • 不信任：

    ¥Distrust:

    • 任何将“使用此证书时”标志设置为“永不信任”的证书或

      ¥Any certificate where the “When using this certificate” flag is set to “Never Trust” or

    • 任何将“安全套接字层 (SSL)”标志设置为“永不信任”的证书。

      ¥Any certificate where the “Secure Sockets Layer (SSL)” flag is set to “Never Trust.”

在 Windows 上，遵循以下设置（与 Chromium 的策略不同，目前不支持不信任和中间 CA）：

¥On Windows, the following settings are respected (unlike Chromium's policy, distrust and intermediate CA are not currently supported):

• 本地机器（通过 certlm.msc 访问）

  ¥Local Machine (accessed via certlm.msc)

  • 信任：

    ¥Trust:

    • 受信任的根证书颁发机构

      ¥Trusted Root Certification Authorities

    • 受信任的人

      ¥Trusted People

    • 企业信任 -> 企业 -> 受信任的根证书颁发机构

      ¥Enterprise Trust -> Enterprise -> Trusted Root Certification Authorities

    • 企业信任 -> 企业 -> 受信任人员

      ¥Enterprise Trust -> Enterprise -> Trusted People

    • 企业信任 -> 组策略 -> 受信任的根证书颁发机构

      ¥Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities

    • 企业信任 -> 组策略 -> 受信任人员

      ¥Enterprise Trust -> Group Policy -> Trusted People

• 当前用户（通过 certmgr.msc 访问）

  ¥Current User (accessed via certmgr.msc)

  • 信任：

    ¥Trust:

    • 受信任的根证书颁发机构

      ¥Trusted Root Certification Authorities

    • 企业信任 -> 组策略 -> 受信任的根证书颁发机构

      ¥Enterprise Trust -> Group Policy -> Trusted Root Certification Authorities

在 Windows 和 macOS 上，Node.js 会在使用证书之前检查用户证书设置是否禁止它们进行 TLS 服务器身份验证。

¥On Windows and macOS, Node.js would check that the user settings for the certificates do not forbid them for TLS server authentication before using them.

在其他系统上，Node.js 从默认证书文件（通常为 /etc/ssl/cert.pem）和默认证书目录（通常为 /etc/ssl/certs）加载证书，Node.js 链接到的 OpenSSL 版本会遵循这些证书。这通常与主要 Linux 发行版和其他类 Unix 系统上的约定一起使用。如果设置了覆盖的 OpenSSL 环境变量（通常是 SSL_CERT_FILE 和 SSL_CERT_DIR，取决于 Node.js 链接到的 OpenSSL 的配置），则将使用指定的路径来加载证书。如果 OpenSSL Node.js 版本使用的常规路径链接到与用户的系统配置由于某种原因不一致，则可以使用这些环境变量作为解决方法。

¥On other systems, Node.js loads certificates from the default certificate file (typically /etc/ssl/cert.pem) and default certificate directory (typically /etc/ssl/certs) that the version of OpenSSL that Node.js links to respects. This typically works with the convention on major Linux distributions and other Unix-like systems. If the overriding OpenSSL environment variables (typically SSL_CERT_FILE and SSL_CERT_DIR, depending on the configuration of the OpenSSL that Node.js links to) are set, the specified paths will be used to load certificates instead. These environment variables can be used as workarounds if the conventional paths used by the version of OpenSSL Node.js links to are not consistent with the system configuration that the users have for some reason.