fix(core): support non-RSA TLS certs and add --https / --ssl-{cert,key} flags

[bmaurer]

Pre-flight checklist

• I have read the Contributing Guidelines on pull requests.
• If this is a code change: I have written unit tests and/or added dogfooding pages to fully verify the new behavior.
• If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

Two related fixes to getHttpsConfig in docusaurus start:

1. The validator in getHttpsConfig.ts used crypto.publicEncrypt / crypto.privateDecrypt to sanity-check the cert/key pair, but those APIs only work for RSA keys. Passing ECDSA (or EdDSA) certs — common in many corporate PKI setups — caused the dev server to throw operation not supported for this keytype even though the cert is fine.

   Replaced with crypto.X509Certificate + crypto.createPrivateKey, which work for any key type and additionally catch genuine cert/key-pair mismatches (the old code silently produced garbage in that case rather than throwing).

2. Certs could previously only be supplied via the SSL_CRT_FILE and SSL_KEY_FILE environment variables. Added matching --ssl-cert <path>, --ssl-key <path>, and --https CLI flags. CLI takes precedence; passing both --ssl-cert and --ssl-key implies HTTPS.

Test Plan

Unit tests

Extended getHttpsConfig.test.ts from 5 to 13 tests. The original 5 still pass (no behavior change for the RSA happy path). New coverage:

• ECDSA cert + key is accepted (would have thrown before this PR).
• Valid cert + valid-but-different key is rejected with a clear "do not match" error.
• getHttpsConfig({ sslCert, sslKey }) reads from CLI options when no env vars are set.
• CLI options take precedence over env vars when both are set.
• A missing CLI cert file produces a You specified --ssl-cert... error (the env-var path still reports SSL_CRT_FILE in your env...).
• --ssl-cert + --ssl-key together implies HTTPS without --https.
• --https alone returns true.

New ECDSA fixtures generated with openssl ecparam -name prime256v1 are committed alongside the existing RSA fixtures.

Test Files  1 passed (1)
     Tests  13 passed (13)

Manual

Generated a self-signed P-256 cert and ran:

docusaurus start --ssl-cert ./host.crt --ssl-key ./host.key --host 0.0.0.0

Server starts, curl --cacert ./host.crt https://localhost:3000/ returns 200 with verify=0. Without this PR the same invocation fails at startup with the unsupported keytype error from publicEncrypt.

Test links

Deploy preview: https://deploy-preview-_____--docusaurus-2.netlify.app/

Related issues/PRs

None.

[netlify]

✅ [V2]

Built without sensitive environment variables

Name	Link
🔨 Latest commit	1860897
🔍 Latest deploy log	https://app.netlify.com/projects/docusaurus-2/deploys/6a1206380dc1e700088ac3df
😎 Deploy Preview	https://deploy-preview-12065--docusaurus-2.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.