curl-users

Re: -E woes...

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 8 Aug 2001 00:19:01 +0200 (MET DST)

On Tue, 7 Aug 2001, Perry Dykes wrote:

> Attempting to use the -E.
>
> 1) Have gotten the openssl and tried to convert certs, but keep getting
> error code 35 from curl command line when use.
>
> Does curl just pass through the certs or must they be in the pkcs12
> format, as referred to in the man/tutorial page:

Curl passes the certs to OpenSSL, as they're used in the SSL protocol
handshake. Curl itself doesn't understand anything about certs and has no
requirements on file formats.

> > Run the 'openssl' application to convert the certificate. If
> > you cd to the openssl installation, you can do it like:
> > # ./apps/openssl pkcs12 -in [file you saved] -clcerts -out [PEMfile]
>
> The -clcerts option is not valid with pkcs7 or x509, at least that I've been
> able to make useful.

I'm afraid that is OpenSSL territory, I believe what you say but I don't know
more than you about that.

> 2) pkcs12 format is hard to achieve because:
>
> a) Netscape stores the certificate I need in the Web Site Certificate
> area, not the Yours area, and thus cannot export into the pkcs12 format.
> Does curl support a Web Site Certificate?

I believe --cacert is what you want here. Still, OpenSSL wants the
certificate to use PEM format. I'm afraid that I don't know much about how
you should go ahead and get your hands on the server certificate.

> b) IE 5.5 has a pkcs12 export option, but it is greyed out and I have not
> figured (nor is it posted on MS support site) of how to enable. IE does
> let me export it to pkcs7 and x509. In both cases, I converted them to
> PEM format successfully, however still get 35 error.

I believe that is because when you use -E (and have both the cert and your
private key concatenated in one file) it is your *client* certificate that is
supposed to be used by the server to verify you.

> Here is curl invocation I'm using:
>
> $ curl -v -i -E test.cert.pem -b 'tst.ck1' -D 'tst.ck2' --url
> 'https://localhost:9443/web/exp/{j_security_check,simpleJSP}' -d
> 'j_username=ptest&j_password=ppwd&action=Submit Logon'

So I take it this works if you don't specify "-E test.cert.pem" ? I mean, it
is of course not the same, I'm only trying to get a grip of things.

> * Your connection is using a weak random seed!

This message is present because you haven't provided a good enough random
source for curl to seed the SSL layer with. Try --random-file or --egd-file.

> curl: (35) couldn't use certificate!

If you get one of the 7.8.1 pre-releases from the curl web site, you'll get a
better error text that more accurately pinpoints the error. This message
above is shown when any of three different errors is returned from OpenSSL.

-- 
     Daniel Stenberg -- curl dude -- http://curl.haxx.se/
Received on 2001-08-08
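
The reply above says -E expects the client certificate and its private key concatenated in one PEM file, while a site certificate exported from a browser carries no key. The following is an added example, not part of the original mail and not curl or OpenSSL code: a structural pre-check that reports which of those cases a PEM file is. The function names and the sample PEM bodies are constructed placeholders, and the check does not verify that the key matches the certificate.

```python
import base64
import re

# One PEM block: BEGIN label, optional headers + base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, decoded_bytes, encrypted) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [l.strip() for l in body.strip().splitlines()]
        # Traditional encrypted keys put "Proc-Type: 4,ENCRYPTED" before the base64.
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        b64 = "".join(l for l in lines if ":" not in l)
        blocks.append((label, base64.b64decode(b64, validate=True), encrypted))
    return blocks

def classify_for_curl(text):
    """Say which curl option, if any, this PEM file could serve."""
    try:
        blocks = pem_blocks(text)
    except ValueError:  # binascii.Error is a ValueError: body was not base64
        blocks = []
    # Unencrypted certs and keys are DER, which starts with a SEQUENCE tag (0x30).
    if not blocks or any(not enc and not der.startswith(b"\x30") for _, der, enc in blocks):
        return "not usable: no well-formed PEM blocks"
    labels = [label for label, _, _ in blocks]
    if "PKCS7" in labels:
        return "PKCS#7 bundle: extract the certificates first"
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if has_cert and has_key:
        locked = any(enc or label.startswith("ENCRYPTED") for label, _, enc in blocks)
        return "cert + private key: usable with -E" + (", key is encrypted" if locked else "")
    if has_cert:
        return "certificate only: no private key for -E to use"
    return "private key only: -E also needs the certificate" if has_key else "not usable: unknown block types"

# Constructed sample input: placeholder DER (a tiny SEQUENCE), not real key material.
_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

def make_pem(label, headers=""):
    return f"-----BEGIN {label}-----\n{headers}{_BODY}\n-----END {label}-----\n"

SITE_CERT_ONLY = make_pem("CERTIFICATE")
CLIENT_BUNDLE = make_pem("RSA PRIVATE KEY") + make_pem("CERTIFICATE")
ENCRYPTED_BUNDLE = make_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\n") + make_pem("CERTIFICATE")

if __name__ == "__main__":
    for name in ("SITE_CERT_ONLY", "CLIENT_BUNDLE", "ENCRYPTED_BUNDLE"):
        print(name, "->", classify_for_curl(globals()[name]))
```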