I am making an https request (using the request module) to a server with a self-signed cert. It throws an error if I don't specify strictSSL: false as an option.

This cert is already trusted on my OS (OSX), such that Chrome doesn't throw an error while accessing a webpage from that server.

I understand different applications/environments may have their own certificate stores. Firefox has its own, and the JVM, for example, is usually at $JAVA_HOME/jre/lib/security/cacerts (on OSX).

My question is, where does node look for its trusted CA's? Is there such a concept? I'd like to add my self-signed cert there for development purposes.

There is not a store. You can pass a ca option to the https request to tell it what CAs you do trust.

From the docs: The following options from tls.connect() can also be specified. However, a globalAgent silently ignores these.

ca: An authority certificate or array of authority certificates to check the remote host against.

In order to specify these options, use a custom Agent.

var options = {
  ...
  ca: CA or [array of CAs]
  ...
};

options.agent = new https.Agent(options);

var req = https.request(options, function(res) {

Ref: http://nodejs.org/api/https.html#https_https_request_options_callback

It seems that while there is no store, but there is a default list of CA's built into the source.

My search ultimately led me to the closest thing to a store, this file of CA's that node.js supports:

https://github.com/joyent/node/blob/master/src/node_root_certs.h

Thus, while it is true that it doesn't do a lookup on the system hosted CA's and that there is no "store" per se, there is a default list of CA's that it accepts.

As mentioned by @Joe and @damphat, you can add your own with the Agent.options.ca property, unfortunately that workaround isn't practical in my case.