cURL, CERT and PEM

Philippe de Rochambeau
Hello,

I have just generated a self-signed certificate as follows:

openssl x509 -req -days 365 -in my.domain.csr -signkey my.domain.key -out my.domain.cert

What format is my.domain.cert now in?

I am asking this because I am trying to use this certificate with curl
as in

curl --cert my.domain.cert https://my.secure.server

But when I do that, I get the following message:

curl: (35) unable to set private key file

Any help with this matter would be much appreciated.

Cheers,

Philippe

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: cURL, CERT and PEM

Olaf Gellert
Philippe de Rochambeau wrote:
> Hello,
>
> I have just generated a self-signed certificate as follows:
>
> openssl x509 -req -days 365 -in my.domain.csr -signkey my.domain.key
> -out my.domain.cert
>
> What format is my.domain.cert now in?

OpenSSL uses PEM format as default. There are options
to generate other output formats (-outform) but this
is not necessary for curl.

> I am asking this because I am trying to use this certificate with curl
> as in
>
> curl --cert my.domain.cert https://my.secure.server
>
> But when I do that, I get the following message:
>
> curl: (35) unable to set private key file
>
> Any help with this matter would be much appreciated.

I guess you have to tell curl where to find the
secret key (the certificate file only contains your
public key). There is a curl option called "--key",
so something like:

curl --cert my.domain.cert --key your.key.file https://my.secure.server
will probably work.

Cheers, Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [hidden email]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet


Re: cURL, CERT and PEM

Peter Sylvester-3

The --cert option asks for a client "certificate", not for a server
certificate.
That's not your parameter. :-)

You need to use the --cacert parameter, and well, AFAIR, you
cannot in general use a server with a self-signed cert in this case:
Create your own CA (this is just as simple as a self-signed server cert),
and then create a server cert signed by this CA, and use the
--cacert together with the self-signed certificate of the CA.

I put "certificate" in quotes because of the common misuse
of the language. For a client cert, it contains what in French is
called "bi-clef", i.e. both a (maybe certified) public key, and
a private key. Or, in other words, for the CA in question,
only give the self-signed .crt file (PEM or DER), not the private
key of the CA, to the curl user.



Olaf Gellert wrote:

>Philippe de Rochambeau wrote:
>
>>Hello,
>>
>>I have just generated a self-signed certificate as follows:
>>
>>openssl x509 -req -days 365 -in my.domain.csr -signkey my.domain.key
>>-out my.domain.cert
>>
>>What format is my.domain.cert now in?
>
>OpenSSL uses PEM format as default. There are options
>to generate other output formats (-outform) but this
>is not necessary for curl.
>
>>I am asking this because I am trying to use this certificate with curl
>>as in
>>
>>curl --cert my.domain.cert https://my.secure.server
>>
>>But when I do that, I get the following message:
>>
>>curl: (35) unable to set private key file
>>
>>Any help with this matter would be much appreciated.
>
>I guess you have to tell curl where to find the
>secret key (the certificate file only contains your
>public key). There is a curl option called "--key",
>so something like:
>
>curl --cert my.domain.cert --key your.key.file https://my.secure.server
>will probably work.

I have some doubts here. How would you configure any reasonable
ssl web server to accept such a CLIENT cert?

>Cheers, Olaf

--
To verify the signature, see http://edelpki.edelweb.fr/ 
That lets you load the authority's certificate;
you will also find the list of revoked certificates there.
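
The procedure Peter Sylvester describes above (your own CA, a server certificate signed by that CA, and the CA certificate passed to curl with --cacert), as an added example that is not part of the original thread. The demo-* file names and the "Demo CA" subject are assumptions made for illustration, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example. File names (demo-ca.*, demo-server.*) and the "Demo CA"
# subject are constructed; my.secure.server is the host name from the thread.

# Build a CA and a server certificate signed by it, inside directory $1.
make_demo_pki() {
    dir=$1
    # 1. Self-signed CA certificate and CA private key (the key stays with the CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/demo-ca.key" -out "$dir/demo-ca.crt" 2>/dev/null || return 1
    # 2. Server private key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=my.secure.server" \
        -keyout "$dir/demo-server.key" -out "$dir/demo-server.csr" 2>/dev/null || return 1
    # 3. Sign the request with the CA instead of with -signkey (self-signing).
    openssl x509 -req -days 365 -in "$dir/demo-server.csr" \
        -CA "$dir/demo-ca.crt" -CAkey "$dir/demo-ca.key" -CAcreateserial \
        -out "$dir/demo-server.crt" 2>/dev/null || return 1
}

# Succeeds when PEM file $1 contains a private key block.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Succeeds when certificate $2 chains to the CA certificate $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir"; then
    verify_chain "$demo_dir/demo-ca.crt" "$demo_dir/demo-server.crt" \
        && echo "demo-server.crt verifies against demo-ca.crt"
    has_private_key "$demo_dir/demo-ca.crt" \
        || echo "demo-ca.crt holds no private key: safe to hand to curl users"
    # The server is configured with demo-server.crt and demo-server.key;
    # the client then checks it with:
    #   curl --cacert demo-ca.crt https://my.secure.server
fi
rm -rf "$demo_dir"
```

Only demo-ca.crt is distributed to curl users; demo-ca.key and demo-server.key never leave the machines that own them.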

