curl-users

Re: Accessing a client certificate store with OpenSSL (to pass a cert to libcurl)

From: Daniel Stenberg <Daniel.Stenberg_at_haxx.nu>
Date: Wed, 17 May 2000 09:38:59 +0200 (MET DST)

On Tue, 16 May 2000 Mark_Rubin_at_factset.com wrote:

> I'd like to pass a client certificate to the server when making my SSL
> connection with libcurl (on the client). I've been reading around
> whatever documentation I can find for OpenSSL, but I haven't figured out
> how you use it to access a certificate store and pull out a specific
> certificate so that I can pass it to curl_urlget. A pointer in the right
> direction (if not more) would be much appreciated. I'd like not only a
> way to access the store, but also to select a certificate (or
> certificates) that meet certain requirements (e.g. have a specific
> issuer, aren't expired).

First, a quote from the README.curl file:

  Curl is also capable of using your personal certificates to get/post files
  from sites that require valid certificates. The only drawback is that the
  certificate needs to be in PEM-format. PEM is a standard and open format to
  store certificates with, but it is not used by the most commonly used
  browsers (Netscape and MSEI both use the so called PKCS#12 format). If you
  want curl to use the certificates you use with your (favourite) browser,
  you may need to download/compile a converter that can convert your browser's
  formatted certificates to PEM formatted ones.

The "converter" mentioned there is included in all recent versions of
openssl.

  Example on how to automatically retrieve a document using a certificate
  with a personal password:

        curl -E /path/to/cert.pem:password https://secure.site.com/

  If you neglect to specify the password on the command line, you will be
  prompted for the correct password before any data can be received.

And the info on how to use -E, the man page says:

     -E/--cert <certificate[:password]>
          (HTTPS) Tells curl to use the specified certificate
          file when getting a file with HTTPS. The certificate
          must be in PEM format. If the optional password isn't
          specified, it will be queried for on the terminal. Note
          that this certificate is the private key and the
          private certificate concatenated!

So, convert your certificates, run curl, be happy! ;-)

> I'd like to be able to do this on both Windows and *nix varieties. Does
> OpenSSL present a platform independent way to do this, or do you have to
> write some platform-specific code?

AFAIK, OpenSSL would work exactly the same on all platforms it runs on.

-- 
   Daniel Stenberg - http://www.contactor.se/~dast - +46-705-44 31 77
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
Received on 2000-05-17
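
The conversion described above, as an added example that is not part of the original mail or of curl's documentation: it checks the certificate inside a PKCS#12 file for issuer and remaining validity with the openssl tool, then writes the combined key and certificate PEM file that -E takes. The function names, the P12_PASS and PEM_PASS environment variables and the test certificate are assumptions made up for the example.

```shell
#!/bin/sh
# Added example; all names, subjects and passwords here are constructed.

# Stand-in for a browser export: throwaway self-signed cert as PKCS#12.
# usage: make_constructed_p12 DIR   (bundle password read from $P12_PASS)
make_constructed_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test CA/CN=constructed-client" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/client.p12" -passout env:P12_PASS
}

# Write the key+certificate PEM file for curl -E, but only if the issuer
# contains ISSUER and the certificate is still valid MIN_SECS from now
# (0 = not expired). Passwords come from $P12_PASS and $PEM_PASS, so they
# never show up in the process list.
# usage: p12_to_curl_pem P12 OUT_PEM ISSUER MIN_SECS
p12_to_curl_pem() {
    p12=$1 out=$2 want_issuer=$3 min_secs=$4
    # Certificate only (-nokeys): inspect it before writing any key material.
    cert=$(openssl pkcs12 -in "$p12" -clcerts -nokeys \
        -passin env:P12_PASS 2>/dev/null) ||
        { echo "cannot read $p12" >&2; return 2; }
    issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    case $issuer in
        *"$want_issuer"*) ;;
        *) echo "issuer mismatch: $issuer" >&2; return 3 ;;
    esac
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$min_secs" \
        >/dev/null ||
        { echo "expired, or expires within ${min_secs}s" >&2; return 4; }
    # Checks passed: key (re-encrypted with $PEM_PASS) plus certificate,
    # in a file only the owner can read.
    ( umask 077 && openssl pkcs12 -in "$p12" -clcerts -out "$out" \
        -passin env:P12_PASS -passout env:PEM_PASS 2>/dev/null ) ||
        { rm -f "$out"; return 2; }
    echo "$out"
}
```

The file named by OUT_PEM is what is passed to curl -E; the password that goes with it is the value of PEM_PASS.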