Description
Version
v24.13.0
Platform
Microsoft Windows NT 10.0.26200.0
x64
Subsystem
tls
What steps will reproduce the bug?
- Open Windows Terminal
- Run:
```
node -p "require('tls').getCACertificates('system')"
```
Note: Unfortunately, this issue won't reproduce on a clean Windows installation. It occurs when the Windows certificate store contains certain certificates that fail X509 to PEM conversion. I cannot identify which specific certificate causes the failure — and that is part of the problem this issue is reporting. The error message provides no details about which certificate failed to convert. Probably, to simulate the issue, one would need to import a certificate that can't be converted to PEM format into the Windows certificate store.
How often does it reproduce? Is there a required condition?
Permanently, uninstall/reinstall node doesn't help.
What is the expected behavior? Why is that the expected behavior?
The getCACertificates('system') function should return an array of valid system CA certificates, gracefully handling any certificates that cannot be converted to PEM format.
The Windows certificate store is a heterogeneous environment containing certificates from multiple sources (Windows Update, enterprise policies, third-party applications, smart card middleware, government PKI systems, etc.). Node.js should not fail entirely due to a single problematic certificate that the user may not even be aware of or have control over.
Suggested behavior:
- Skip certificates that fail X509 to PEM conversion
- Optionally emit a warning listing skipped certificates
- Return the successfully converted certificates
What do you see instead?
```
node -p "require('tls').getCACertificates('system')"
node:tls:138
systemCACertificates ||= ObjectFreeze(getSystemCACertificates());
^
Error: X509 to PEM conversion
at cacheSystemCACertificates (node:tls:138:41)
at Object.getCACertificates (node:tls:193:14)
at [eval]:1:16
at runScriptInThisContext (node:internal/vm:219:10)
at node:internal/process/execution:451:12
at [eval]-wrapper:6:24
at runScriptInContext (node:internal/process/execution:449:60)
at evalFunction (node:internal/process/execution:283:30)
at evalTypeScript (node:internal/process/execution:295:3)
at node:internal/main/eval_string:71:3
Node.js v24.13.0
```
Additional information
I understand that the root cause of this issue is not in Node.js itself, but rather in a malformed or incompatible certificate present in the Windows certificate store. However, the current behavior of getCACertificates('system') makes it extremely difficult to investigate and resolve the issue:
- No indication of which certificate caused the failure — The error message "X509 to PEM conversion" provides no information about the problematic certificate (thumbprint, subject, store location, etc.).
- A single bad certificate causes the entire function to fail, even if hundreds of other certificates are valid.
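
The skip-and-report behavior suggested in this issue, sketched in JavaScript as an added example (not Node.js source and not the reporter's code; the real conversion happens in Node's native layer). The function names and the sample input are assumptions: the "store" is built from two of Node's bundled roots plus a deliberately truncated copy standing in for the unconvertible certificate.

```javascript
const tls = require('node:tls');
const { X509Certificate, createHash } = require('node:crypto');

// SHA-1 over the raw encoded bytes: the same value the Windows certificate
// store displays as "Thumbprint", so a skipped entry can be located afterwards.
function thumbprint(der) {
  return createHash('sha1').update(der).digest('hex').toUpperCase();
}

// Convert each DER blob to PEM; record failures instead of throwing, so one
// bad entry cannot discard every other trust anchor.
function convertStoreToPem(derBlobs) {
  const pems = [];
  const skipped = [];
  derBlobs.forEach((der, index) => {
    try {
      pems.push(new X509Certificate(der).toString());
    } catch (err) {
      skipped.push({
        index,
        thumbprint: thumbprint(der),
        bytes: der.length,
        reason: err.message,
      });
    }
  });
  return { pems: Object.freeze(pems), skipped };
}

// Constructed sample input (hypothetical store contents): valid, broken, valid.
function sampleStore() {
  const good = tls.rootCertificates
    .slice(0, 2)
    .map((pem) => new X509Certificate(pem).raw);
  return [good[0], good[0].subarray(0, 64), good[1]];
}

function demo() {
  const { pems, skipped } = convertStoreToPem(sampleStore());
  for (const s of skipped) {
    process.emitWarning(
      `skipped certificate #${s.index} thumbprint=${s.thumbprint}: ${s.reason}`);
  }
  return { pems, skipped };
}

console.log(demo().pems.length, 'certificates converted');
```

Skipping only removes a trust anchor, so connections that depend on the skipped certificate still fail closed; the warning carries the thumbprint needed to find and fix the entry in the store.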