Closed
Labels: tls (Issues and PRs related to the tls subsystem.)
Description
I was dumbfounded when I realized that Node uses a statically compiled, manually updated, hardcoded list of certificate authorities, rather than relying on the system's trust store, or even just a directory truststore of its own.
This causes a large number of problems:
- Dependency on the Node community for reactiveness in addition or removal of certificates
- Dependency on the Node community in terms of certificate trust
- Prevents companies and anyone with their own PKI from using their certificates globally
- Requires support from EVERY node application making use of SSL to include certificates
- Requires modification of source code if an application doesn't happen to support it
- Requires modification and rebuilding of Node to remove certificates that wouldn't be trusted by an organisation
Now, I can see no practical use for that. While this is acceptable in a development environment, where you can make changes to your own application, this is outright unusable... and I can't stress enough the security implications for many organisations.
Proposed solutions:
- Make use of the standard system trust store, like any sensible application
- Use a dedicated globally installed trust store, allowing user modifications, and why not, handling with npm
- Dynamically load CAs using relative path, in a way similar to the usage of the node_modules folder
TL;DR: CA Certificates are hardcoded in node. It may be OK for dev, but it sucks big time for ops.
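
Added example, not part of the original issue and not Node's own code: the per-application trust handling the issue refers to, building a CA list from a directory of PEM files and dropping certificates an organisation distrusts. `buildTrustList`, `splitPem`, `demo` and the file names are hypothetical; `tls.rootCertificates`, `crypto.X509Certificate` and `tls.createSecureContext` are existing Node APIs.

```javascript
'use strict';
const tls = require('node:tls');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { X509Certificate } = require('node:crypto');

// Split a PEM bundle into its individual certificate blocks.
function splitPem(text) {
  return text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Trust list = base roots + certificates from *.pem/*.crt files in extraDir,
// minus any certificate whose SHA-256 fingerprint the organisation distrusts.
function buildTrustList({ base = tls.rootCertificates, extraDir = null, distrustedSha256 = [] } = {}) {
  const blocked = new Set(distrustedSha256.map((f) => f.toUpperCase()));
  const candidates = [...base];
  if (extraDir) {
    for (const name of fs.readdirSync(extraDir).sort()) {
      if (!/\.(pem|crt)$/i.test(name)) continue;
      candidates.push(...splitPem(fs.readFileSync(path.join(extraDir, name), 'utf8')));
    }
  }
  const seen = new Set();
  return candidates.filter((pem) => {
    const fp = new X509Certificate(pem).fingerprint256; // throws on malformed PEM
    if (blocked.has(fp) || seen.has(fp)) return false; // distrusted or duplicate
    seen.add(fp);
    return true;
  });
}

// Constructed demo (no real private CA is available offline): three bundled
// roots act as the baseline, a fourth stands in for a company CA placed in a
// directory, and the first baseline root is treated as distrusted.
function demo() {
  const roots = tls.rootCertificates;
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'extra-ca-'));
  try {
    fs.writeFileSync(path.join(dir, 'company-ca.pem'), roots[3] + '\n');
    const distrusted = new X509Certificate(roots[0]).fingerprint256;
    const ca = buildTrustList({ base: roots.slice(0, 3), extraDir: dir, distrustedSha256: [distrusted] });
    tls.createSecureContext({ ca }); // the same `ca` option is accepted by tls.connect and https.request
    return ca;
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

Passing an explicit `ca` list replaces the bundled roots for that connection, so this has to be wired into every place the application opens a TLS connection.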