Create an environment variable as an alternative to the --use-system-ca CLI flag #58346

@zleroy

Description


What is the problem this feature will solve?

Working in an enterprise setting, we have security tools that perform SSL decryption using self-signed certificates. This is often problematic for many developer tools.

Since some CLI tools that run on Node often ship with their own CLI shell wrapper executables, it is not always feasible to pass a command line argument to node for the --use-system-ca flag (see https://nodejs.org/en/blog/release/v23.8.0 and #56599 and #56833) in order to leverage the feature.

An example CLI tool that runs on Node.js is Salesforce CLI

The 'sf' command is provided through the following script when the package is installed:

#!/bin/sh
basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")

case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*)
        if command -v cygpath > /dev/null 2>&1; then
            basedir=`cygpath -w "$basedir"`
        fi
    ;;
esac

if [ -x "$basedir/node" ]; then
  exec "$basedir/node" --no-deprecation "$basedir/node_modules/@salesforce/cli/bin/run.js" "$@"
else 
  exec node --no-deprecation "$basedir/node_modules/@salesforce/cli/bin/run.js" "$@"
fi

Due to the use of 'exec' to invoke Node, a workaround to make a shell wrapper function to override calls to Node and inject the --use-system-ca flag on all invocations is not feasible. The only workarounds that tested successfully were to either override 'sf' in ~/.bashrc or manually edit the 'sf' script above after the package is installed.

There are other ways to work around certificate trust issues for self-signed certificates, but they are often more work or less secure.

Now that --use-system-ca functionality is available, it would be ideal to leverage this functionality with an environment variable rather than manually setting certificate paths, manually building a separate trust store, or using NODE_TLS_REJECT_UNAUTHORIZED=0.

What is the feature you are proposing to solve the problem?

Please make an environment variable that could also control the --use-system-ca flag functionality. The simplest implementation would add a new Boolean environment variable similar to NODE_TLS_REJECT_UNAUTHORIZED which did the exact same thing as passing --use-system-ca on the command line would.

Example:

NODE_USE_SYSTEM_CA=1 - same as passing --use-system-ca on the command line
NODE_USE_SYSTEM_CA=0 - default; same as not passing --use-system-ca on the command line

Would it make sense to make --use-system-ca a default? As a Node user, I would expect Node to use the default certificate management system on the operating system (Windows, macOS, Red Hat, etc.) vs. having to configure Node to do so.

Best regards, and thank you for implementing --use-system-ca! The new feature dramatically simplifies the amount of manual hackery each developer needs to perform on their machines to work in our enterprise.

What alternatives have you considered?

Manually overriding node or sf in shell functions (~/.bashrc) or directly editing packages after installation, use of the NODE_TLS_REJECT_UNAUTHORIZED=0 environment variable setting, or using NODE_EXTRA_CA_CERTS.
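An added example, not part of the original issue or of Node.js: it reproduces why a `node` shell function never reaches a wrapper that uses `exec`, while a function that replaces the tool's own command does. The stub `node`, the wrapper `mytool`, and the function names are constructed stand-ins, and the form of the tool-level override is an assumption.

```shell
#!/bin/sh
# Constructed demo: a stub "node" and a stand-in wrapper "mytool" (both hypothetical),
# so nothing here needs Node.js or the Salesforce CLI installed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/bin" "$demo_dir/tool"

# Stub interpreter on PATH: reports the arguments it was started with.
cat > "$demo_dir/bin/node" <<'EOF'
#!/bin/sh
printf '%s\n' "node argv: $*"
EOF

# Stand-in wrapper using the same exec pattern as the 'sf' script in the issue.
cat > "$demo_dir/tool/mytool" <<'EOF'
#!/bin/sh
basedir=$(dirname "$0")
if [ -x "$basedir/node" ]; then
  exec "$basedir/node" --no-deprecation "$basedir/run.js" "$@"
else
  exec node --no-deprecation "$basedir/run.js" "$@"
fi
EOF
chmod +x "$demo_dir/bin/node" "$demo_dir/tool/mytool"
PATH="$demo_dir/bin:$PATH"; export PATH

# Override of node, as it might be defined in ~/.bashrc.
node() { command node --use-system-ca "$@"; }

# Override of the tool's own command instead (one possible form; an assumption).
mytool_fn() {
  command node --use-system-ca --no-deprecation "$demo_dir/tool/run.js" "$@"
}

# The function applies only to commands typed in this shell...
direct_call() { node "$@"; }
# ...not to the wrapper: it runs in a new sh process and exec resolves node via PATH.
via_wrapper() { "$demo_dir/tool/mytool" "$@"; }

direct_call app.js    # flag injected
via_wrapper deploy    # flag missing
mytool_fn deploy      # flag injected
```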

Labels: feature request (Issues that request new features to be added to Node.js.)