crypto: add NODE_EXTRA_CA_CERTS to modified cert stores

Fixes the NODE_EXTRA_CA_CERTS root certificates being missing in a SecureContext when the crl or pfx options are specified in a call to tls.createSecureContext().

As part of this change, specifying NODE_EXTRA_CA_CERTS no longer causes the bundled CA store to be immediately loaded at startup. Instead, the bundled CAs will be loaded on the first call to tls.createSecureContext(), the same as how Node.js works by default. This improves startup performance and partially mitigates issue #40524.

Due to the deferred bundled CA loading described above, the NODE_EXTRA_CA_CERTS are now loaded into the X509_STORE before the bundled certificates instead of after. Please let me know if this creates a risk of a breaking change; I opted for simpler logic for the initial PR.

Fixes: https://github.com/nodejs/node/issues/32010
Refs: https://github.com/nodejs/node/issues/40524