Using Certificates with cURL
The problem: Using Digital Certificates issued by a Certification Authority (CA) with curl.
The situation: I have a .cer (digital certificate) file and a .pfx (Personal Information Exchange) file, i.e., the private key for the certificate. I cannot use either of these to authenticate to the web service, as curl would not accept these formats.
The solution:
1) Convert it into PEM format (X.509 certificate) using openssl.
openssl pkcs12 -in abcd.pfx -out abcd.pem
Enter a passphrase and a password.
2) You still cannot use this with curl, because you would get a few errors.
3) Extract three separate PEM files from the .pfx instead: the certification authority certificate, the client certificate and the private key.
openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in abcd.pfx -out client.pem -clcerts -nokeys
openssl pkcs12 -in abcd.pfx -out key.pem -nocerts
4) Use the following command:
curl -k https://www.thesitetoauthenticate.com/test -v --key key.pem --cacert ca.pem --cert client.pem
This is also mentioned on the curl forum at http://curl.haxx.se/mail/archive-2005-09/0138.html
How can you do this with libcurl and openssl.net? 🙂
If you have some experience will you share?
Thanks in advance!
Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!
2) Simply
curl -k -E abcd.pem https://www.thesitetoauthenticate.com/test
Thx, now it works!
That would be:
curl -k https://www.thesitetoauthenticate.com/test -v --key key.pem --cacert ca.pem --cert client.pem
Using the sample above.
-Chris
This solution has been deemed correct by the post author
-k makes everything here insecure.
-k allows insecure connections as per https://stackoverflow.com/questions/10079707/https-connection-using-curl-from-command-line
This is exactly what I looked for. Thank you!
Hmm, I note you suggest “curl -k …” – not a good idea since this turns off the secure checking, hence defeating the object of using SSL!
Thank you very much bro, it works!!!
Thanks for the help
Excellent post. I’m dealing with a few of these issues as well..
-k just does not check the CA of the SSL issuer,
but a secure, encrypted connection does take place.
If you would like to use a self-signed certificate and avoid using -k,
just add your own CA to the trusted list.
When I run the following command on my .pfx file, the ca.pem generated is blank. No error was given. Please let me know the reason for the file being empty.
openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys
The client.pem and key.pem were generated as expected.
I would appreciate it if anyone could let me know the root cause of the generated ca.pem file being empty.
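Added example (not part of the original post or its comments): the extraction from step 3 as a non-interactive shell function that also checks that key.pem matches client.pem, detects the empty ca.pem described in the last comment, and verifies client.pem against ca.pem. The demo CA, the client name, the file names, the PFX_PASS variable and the password "demo" are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All names and the password
# "demo" are constructed.

# Build a throwaway CA and client certificate, then two bundles:
# with_ca.pfx includes the CA certificate, leaf_only.pfx only cert + key.
make_demo_pfx() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$dir/cl.key" -out "$dir/cl.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/cl.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/cl.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$dir/cl.key" -in "$dir/cl.crt" \
    -certfile "$dir/ca.crt" -passout pass:demo -out "$dir/with_ca.pfx" &&
  openssl pkcs12 -export -inkey "$dir/cl.key" -in "$dir/cl.crt" \
    -passout pass:demo -out "$dir/leaf_only.pfx"
}

# Step 3 of the post, non-interactive. The password is read from $PFX_PASS so
# it does not appear in the process list; key.pem stays encrypted with it.
# Usage: split_pfx <file.pfx> <output-dir>
# Returns: 0 ok, 1 openssl failed, 2 no CA certificate in the bundle (empty
#          ca.pem), 3 key.pem does not match client.pem, 4 chain check failed
split_pfx() {
  pfx=$1; out=$2
  umask 077   # extracted files are readable by the owner only
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys \
    -out "$out/ca.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
    -out "$out/client.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts \
    -passout env:PFX_PASS -out "$out/key.pem" 2>/dev/null || return 1
  # The private key must belong to the client certificate.
  k=$(openssl pkey -in "$out/key.pem" -passin env:PFX_PASS -pubout 2>/dev/null)
  c=$(openssl x509 -in "$out/client.pem" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ] || return 3
  # -cacerts writes no certificate when the .pfx holds only the leaf cert.
  grep -q "BEGIN CERTIFICATE" "$out/ca.pem" || return 2
  # The client certificate should chain to the extracted CA.
  openssl verify -CAfile "$out/ca.pem" "$out/client.pem" >/dev/null 2>&1 || return 4
}
```

Once split_pfx returns 0, the curl command from step 4 can be run without -k, provided ca.pem is also the CA that issued the server's certificate, because --cacert is what curl uses to verify the server. A return code of 2 means the .pfx was exported without its CA chain, so the CA certificate has to be obtained separately.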