
curl-users

Re: creating a PEM file

From: Ralph Mitchell <rmitchell_at_eds.com>
Date: Fri, 14 Feb 2003 05:54:26 -0600

It's related to the ca-cert-bundle.crt either not being installed or not being
found where curl expects it to be... I've got a Win98 laptop here with
c:\curl-7.10.2-win32 and the cert file is stashed away under
c:\curl-7.10.2-win32\lib. So, do a search for the ca-bundle.crt file and
change your config file to match.

On my laptop, this worked for me:

    --cacert c:\curl-7.10.2-win32\lib\ca-bundle.crt

Your mileage will vary due to the different release of curl you're using.

Ralph Mitchell

Daniel Stenberg wrote:

> On Thu, 13 Feb 2003, Johnny Vergeer wrote:
>
> > Sorry if this has been covered before - I could not find details in the
> > FAQ.
>
> Ah, no it isn't really clarified there and if you have any clever ideas of
> how to do this after my reply, feel free to suggest!
>
> > I need to create a PEM file to "Ensure the identity of a remote computer"
> > ...
>
> Not just "a PEM file". PEM is just a file format to use for certificates.
> There are different certificates, and if YOU want to insure that the REMOTE
> server is who it tells you it is, you need a CA cert to verify the server's
> cert against.
>
> > Using MS IE 6.0, I used the "Certificate Export Wizard" to create a PKCS#7
> > file from the Certificate in question. (Also tried the DER and Base-64
> > X.509 types)
>
> This is YOUR private certificate that you use in connections, and the server
> will use this to check that YOU are who you say you are. This cannot be used
> to verify the server with.
>
> > * SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > verify failed
>
> ... and that's why the connection fails, because your certificate could not
> be used to verify the server's.
>
> > Using the -k option allows me to connect to the site without any problem -
> > but I guess that does defeat the object somewhat :-)
>
> Right, it makes you accept the connection to the server, regardless of what
> kind of man-in-the-middle attack is going on.
>
> You need to get a CA cert for the server. I don't know how to proceed to do
> this.
>
> (I'm not a SSL wizard, this is all information as I have perceived it, I may
> be wrong in details or in general, but I don't think I am.)
>
> --
> Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
>

Received on 2003-02-14
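
An added example, not part of the original thread: it builds a throwaway CA and a server certificate signed by it, then shows that the server certificate verifies only against the CA certificate and not against an unrelated one, which is the distinction the replies above draw. It assumes the `openssl` command-line tool is installed; the names Demo Root CA, server.example.test and Unrelated Cert are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI; every name below is made up for illustration.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Creates, in order:
#   ca.pem      self-signed root CA, the certificate a client must trust
#   server.pem  server certificate signed by that CA
#   other.pem   unrelated self-signed certificate that never signed server.pem
make_pki() (
    cd "$demo_dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout server.key -out server.csr 2>/dev/null &&
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 1 -out server.pem 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Cert" -keyout other.key -out other.pem 2>/dev/null
)

verify_with() {
    # Exit status 0 only if server.pem chains to the trust anchor in $1,
    # the role the --cacert file plays for a real curl HTTPS connection.
    openssl verify -CAfile "$1" "$demo_dir/server.pem" >/dev/null 2>&1
}

make_pki
for anchor in ca.pem other.pem; do
    if verify_with "$demo_dir/$anchor"; then
        echo "$anchor: server certificate verified"
    else
        echo "$anchor: certificate verify failed"
    fi
done
```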