Great question! Running a Node.js server with multiple SSL certificates that can be added dynamically is totally doable—here are the most practical approaches I’ve used in production:

The core solution here leverages Node's built-in https module and its SNICallback feature, which handles Server Name Indication (the mechanism that lets servers serve multiple SSL certificates on the same IP/port).

How it works: #

• We maintain a in-memory store (like a Map) to map user domains to their SSL certificates.
• The SNICallback runs on every HTTPS request, fetches the certificate matching the requested domain, and returns it to the client.
• We add a method to dynamically update this store (can be an internal function or exposed via an admin API).

Example Code: #

const https = require('https');
const fs = require('fs');
const crypto = require('crypto');

// Store: domain -> { key, cert }
const certStore = new Map();

// Optional default certificate for unconfigured domains
const defaultCert = {
  key: fs.readFileSync('/path/to/default-private-key.pem'),
  cert: fs.readFileSync('/path/to/default-cert.pem')
};

// SNI Callback: Resolve certificate per request domain
function sniCallback(hostname, callback) {
  const targetCert = certStore.get(hostname) || defaultCert;
  
  try {
    // Create a secure context for the certificate
    const secureContext = crypto.createSecureContext({
      key: targetCert.key,
      cert: targetCert.cert
    });
    callback(null, secureContext);
  } catch (err) {
    callback(new Error(`Failed to load certificate for ${hostname}: ${err.message}`));
  }
}

// Initialize HTTPS server
const server = https.createServer({ SNICallback }, (req, res) => {
  res.writeHead(200);
  res.end(`Served securely from ${req.headers.host}!`);
});

// Dynamic certificate addition method
function addUserCertificate(hostname, privateKeyPem, certPem) {
  // Validate certificate/key pair (optional but recommended)
  try {
    crypto.createSecureContext({ key: privateKeyPem, cert: certPem });
    certStore.set(hostname, { key: privateKeyPem, cert: certPem });
    console.log(`Successfully added certificate for ${hostname}`);
  } catch (err) {
    console.error(`Invalid certificate for ${hostname}: ${err.message}`);
  }
}

// Example: Add a user's certificate (could be triggered via an admin API)
addUserCertificate(
  'user1.yourplatform.com',
  fs.readFileSync('/path/to/user1-private-key.pem'),
  fs.readFileSync('/path/to/user1-cert.pem')
);

server.listen(443, () => {
  console.log('HTTPS server running on port 443');
});

Key Notes: #

• Add error handling for invalid certificates to avoid crashing the server.
• For file-based certificates, use fs.watch to auto-update the store if the certificate files change.
• Add expiration checks to the store and alert when certificates need renewal.

If you need to automatically issue Let's Encrypt certificates for user domains (instead of users providing their own), greenlock-express is a battle-tested library that handles dynamic domain addition, certificate issuance, and auto-renewal out of the box.

Example Code: #

const greenlock = require('greenlock-express').create({
  configDir: './greenlock.d',
  maintainerEmail: 'your-admin-email@yourplatform.com',
  cluster: false
});

// Dynamic domain addition
async function addUserDomain(domain) {
  await greenlock.manager.add({
    subject: domain,
    altnames: [domain]
  });
  console.log(`Auto-SSL enabled for ${domain}`);
}

// Serve traffic to your Node app
greenlock.serve((req, res) => {
  res.end(`Securely served from ${req.headers.host} (auto-issued SSL)`);
}).listen(443, 80, () => {
  console.log('Greenlock HTTPS server running');
});

If you want to offload SSL management from your Node server (recommended for high-traffic apps), use Nginx as a reverse proxy. Nginx has robust SNI support and allows dynamic certificate updates without restarting the server.

How it works: #

1. Configure Nginx to proxy HTTPS traffic to your Node server.
2. Add a new server block for each user domain with their SSL certificate.
3. Reload Nginx (without downtime) when adding new certificates.

Example Nginx Config: #

server {
  listen 443 ssl;
  server_name user1.yourplatform.com;

  ssl_certificate /etc/nginx/ssl/user1-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/user1-key.pem;

  location / {
    proxy_pass http://localhost:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

# Repeat the server block for each user domain

Dynamic Update Script: #

Write a simple script to generate new server blocks and reload Nginx:

# Add a new domain's certificate config
echo "
server {
  listen 443 ssl;
  server_name $NEW_DOMAIN;
  ssl_certificate /etc/nginx/ssl/$NEW_DOMAIN-cert.pem;
  ssl_certificate_key /etc/nginx/ssl/$NEW_DOMAIN-key.pem;
  location / { proxy_pass http://localhost:3000; proxy_set_header Host \$host; }
}" >> /etc/nginx/sites-available/yourplatform.conf

# Reload Nginx (no downtime)
nginx -s reload

Choosing the Right Approach: #

• Use the native Node.js method if you want full control without external dependencies.
• Use Greenlock if you need auto-issued Let's Encrypt certificates for user domains.
• Use Nginx if you prioritize performance, stability, and separating SSL logic from your app.

内容的提问来源于stack exchange，提问作者Jagjit