Re: Curl --cert option

From: Goetz Babin-Ebell <babin-ebell_at_trustcenter.de>
Date: Wed, 28 Jan 2004 10:43:03 +0100

Hello Pedro,

Pedro Neves (pneves) wrote:
>>>-E/--cert <cert[:passwd]> Client certificate file and password (SSL
>
> Is it possible to send more than one certificate to the https server ?
> This would be nice to use with https servers that support Subordinate
> Certificates.

No.

The client sends only his own certificate.

This is in the SSL/TLS1 protocol:

the server sends a list of CA DNs he trusts for client authentication.
If the client certificate was issued by one of these CAs,
the client sends his own certificate.

> Example:
> ********
> Configuration:
> Our certificate chain:
> rootCA
> root-subCA
> root-subCA-cert
> The Https server has the following cert:
> root
> We send:
> root-subCA
> root-subCA-cert

If the server does not have the subCA configured as a trusted
issuer, he will not accept the subCA for client authentication.

Add subCA to your server's list of trusted client issuers.

> The server should be able to authenticate our certificate.
> The problem is that curl does not seem to be able to send
> the root-subCA certificate.

As I said:
the client only sends his own certificate.
The server must have all CA certificates (including subCA)
in his list of trusted issuers for client authentication...

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

Received on 2004-01-28
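
The situation discussed in this mail, as an added example that is not part of the original message: a throwaway PKI with the chain names from the thread is built, and `openssl verify` stands in for the server's check of a client that presents only its own certificate. The file names, the `-CAfile` bundle used as the "trusted issuers" list and the helper function names are assumptions made for the demo.

```shell
#!/usr/bin/env bash
set -eu

# Build a throwaway PKI (constructed for this demo) in directory $1:
# rootCA -> root-subCA -> root-subCA-cert, the chain named in the thread.
build_demo_pki() {
  d=$1
  # Extensions that mark the intermediate as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rootCA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=root-subCA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=root-subCA-cert" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null
}

# Stand-in for the server side: $1 is the server's file of trusted client
# issuers, $2 is the single certificate the client presented.
# Returns 0 if a chain to a trusted issuer can be built, non-zero otherwise.
server_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d)
  build_demo_pki "$tmp"
  # Trust list with the subCA added, as the reply recommends.
  cat "$tmp/root.pem" "$tmp/sub.pem" > "$tmp/root_and_sub.pem"
  if server_accepts "$tmp/root.pem" "$tmp/client.pem"; then
    root_only=accepted; else root_only=rejected; fi
  if server_accepts "$tmp/root_and_sub.pem" "$tmp/client.pem"; then
    with_sub=accepted; else with_sub=rejected; fi
  rm -rf "$tmp"
  echo "root only: $root_only; root+subCA: $with_sub"
}

demo
```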