curl-users

Re: about --cacert

From: Billy Taylor <billy_taylor_at_hotmail.com>
Date: Thu, 07 Mar 2002 17:50:35 +0000

> > Then I should be able to use that certificate with curl --cacert to
> > connect to https://www.verisign.com/ and have the peer verified, right?
>
>
>I'm not an SSL guru, but no I don't think you can do that. This is how I
>believe this holds together:

It was the issuer's (CA) certificate I saved.

>When you save that certificate, you just saved the remote site's server
>certificate, that is not a CA cert.

I went up the chain to get the CA certificate.

>Instead, you need a CA cert that can be used to verify the server's
>certificate when you communicate with it. This bundle might be what you
>need:
>
>
> http://curl.haxx.se/ca-cert-bundle.pem.gz
>
>
>I hope this helps.

Certainly did! I notice that that bundle is quite old, and is missing
at least one intermediate CA (the one that signed the site I couldn't verify
against) so it still didn't verify.

However from my earlier download, I had the intermediate CA cert I
wanted to verify against. So I just cat'd that file onto the end of
your bundle and hey presto the site verifies now. I guess someone in the
bundle signed the intermediate CA that signed the site in question.

Thanks and Cheers,
Billy.

Received on 2002-03-07
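
The fix described in this message can be reproduced offline. The following is an added example, not part of the original mail: it builds a throwaway root, intermediate and server certificate, then checks the server certificate against a root-only bundle, against the bundle with the intermediate appended, and against the intermediate alone. It assumes the `openssl` command-line tool is installed and uses `openssl verify -CAfile` as a stand-in for `curl --cacert` with an OpenSSL-backed curl; the CA names and the host name are made up.

```shell
#!/bin/sh
# Added example: every key, name and file here is a constructed throwaway value.
set -eu

# new_csr <dir> <name> <CN>: fresh RSA key plus a certificate request
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_chain <dir>: root CA -> intermediate CA -> server certificate
build_chain() {
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    new_csr "$d" root "Demo Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    new_csr "$d" inter "Demo Intermediate CA"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
    new_csr "$d" server "www.example.test"
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# verifies <bundle> <cert>: exit 0 only if the cert chains to a root in the bundle
verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report <label> <bundle> <cert>: print one result line
report() {
    if verifies "$2" "$3"; then echo "$1: verified"; else echo "$1: NOT verified"; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work"
cp "$work/root.pem" "$work/bundle.pem"            # the old bundle: root only
report "root-only bundle" "$work/bundle.pem" "$work/server.pem"
cat "$work/inter.pem" >> "$work/bundle.pem"       # the fix from the post
report "bundle + intermediate" "$work/bundle.pem" "$work/server.pem"
# The intermediate alone does not verify: its own issuer must be in the file too.
report "intermediate only" "$work/inter.pem" "$work/server.pem"
```

Appending works because the bundle is a plain concatenation of PEM certificates, so the verifier can find the server certificate's issuer there and continue up to the root.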