Using Certificates with cURL

- Rajat

Posted on Mar 10, 2007 in Cryptography, Tools, Web application security | 15 comments

certificates curl X.509

The problem: Using Digital Certificates issued by a Certification Authority (CA) with curl.

The situation: I have a .cer (Digital Certificate) file, .pfx (Personal Information Exchange file i.e., the private key for the certificate). I cannot use either of these to authenticate to the web service as curl would not accept these formats.

The solution:
1) Convert it into PEM format (X.509 certificate) using openssl.
openssl pkcs12 -in abcd.pfx -out abcd.pem
Enter a passphrase and a password.
2) Still you cannot use this with curl because you’d get a few errors.
3) Convert this PEM certificate into three different certificates for the client, the private key and the certification authority certificate.
openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in abcd.pfx -out client.pem -clcerts -nokeys
openssl pkcs12 -in abcd.pfx -out key.pem -nocerts
4) Use the following command:
curl -k https://www.thesitetoauthenticate.com/test -v –key key.pem –cacert ca.pem –cert client.pem:

This stuff is also mentioned on curl forum at http://curl.haxx.se/mail/archive-2005-09/0138.html

Community Answers

2-26-09

DryThyme says:

How u can do this with libcurl and openssl.net 🙂
If you have some experience will you share?
Thanks in advance!


+179
1-7-10

Anonymous says:

Your blog keeps getting better and better! Your older articles are not as good as newer ones you have a lot more creativity and originality now keep it up!


+369
Was this answer helpful?
Like Dislike
1-31-14

Pavel Ivlev says:

2) Simply
curl -k -E abcd.pem https://www.thesitetoauthenticate.com/test


+252
Was this answer helpful?
Like Dislike
- 1-22-15
  
  Simon says:
  
  Thx, now it works!
  
  
  +83
  Was this answer helpful?
  Like Dislike
5-15-14

Chris Graham says:

That would be:

curl -k https://www.thesitetoauthenticate.com/test -v –-key key.pem –-cacert ca.pem –-cert client.pem

Using the sameple above.

-Chris


+214
Was this answer helpful?
Like Dislike
This solution has been deemed correct by the post author

2-26-18

donotdothat says:

-k makes everything here insecure.


+86
Was this answer helpful?
Like Dislike
4-5-18

ss says:

-k allows insecure connections as per https://stackoverflow.com/questions/10079707/https-connection-using-curl-from-command-line


+74
Was this answer helpful?
Like Dislike
6-14-18

moppel says:

This is exactly what I looked for. Thank you!


+46
Was this answer helpful?
Like Dislike
8-31-18

Mike Whittaker says:

Hmm, I note you suggest “curl -k …” – not a good idea since this turns off the secure checking, hence defeating the object of using SSL !


+99
Was this answer helpful?
Like Dislike
1-21-19

Murat Ermiş says:

Thanks you very much bro, it works!!!


+30
11-11-19

Ataul Haque says:

Thanks for the help


+83
Was this answer helpful?
Like Dislike
2-18-20

a says:

Excellent post. I’m dealing with a few of these issues as well..


+151
Was this answer helpful?
Like Dislike
4-21-20

IT Security says:

-k just do not check CA of SSL issuer
but secure-encrypted connection do have place
if you would like to use selfsigned certificate and avoid to use -k
just add your own CA to trusted list


+20
Was this answer helpful?
Like Dislike
5-26-20

dee says:

When I run following command on my .pfx file, the ca.pem generated is blank. No error was given. Please let me know the reason for the file being empty.

openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys

The client.pem and key.pem were generated as expected.


+43
Was this answer helpful?
Like Dislike
- 5-26-20
  
  Dee says:
  
  Appreciate if anyone can let me know the root cause for the ca.pem file generated to be empty.
  
  
  +33
  Was this answer helpful?
  Like Dislike