curl-users

RE: creating certs for HTTP, PEM files, OpenSSL, etc

From: Tony G <1xrdqj102_at_sneakemail.com>
Date: Sat, 6 Mar 2004 16:33:30 -0800

I'm cross-posting this follow-up, maybe someone here can see something
obvious. Thanks.
-----------
>From: Joseph Bruni in the OpenSSL list
>Could you post the curl command line that you're using? You might just
>be missing a param or two.

I've tried a whole lot of commands with no luck. I'm thinking it's not just
the cURL commandline that needs adjusting, but I need to do more work on the
certs. Given the following OpenSSL commands that I know work fine, maybe
someone can give me a clue as to where I need to go next:

Set up a CA:
   openssl genrsa -out CA.key 2048
Create a CA cert (is that the right term?):
   openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
Create a signing request in IIS (request.csr). Sign the request:
   openssl x509 -req -days 1095
         -CA CA.crt -CAkey CA.key -CAcreateserial
         -in request.csr -out signed.cer
Install the self-signed cert (signed.cer) to IIS.
Add the CA to the local Trusted Root Authorities for IE browsing:
   certmgr -add -v -c ".\CA.crt" -s -r localMachine root
(Or use the CertMgr GUI)

Go to IE and everything works perfectly. I'm assuming from the above that
any server cert I create from that new CA will now be trusted on my system.

Now, cURL needs PEM files, so I tried things like this with no joy:
   openssl x509 -in CA.crt -out CA.pem -outform PEM
   curl https://localhost/secured
        --cert CA.pem --cert-type PEM

Here's where I start going off... I figured I needed a server cert or a
private key and not a CA cert for cURL, so using the info here
(http://www.jroller.com/page/kwiersma/20030401 and elsewhere), I exported my
new server private key into a PFX, then converted that to a PEM. I was
then trying commands like this with no joy:
   curl https://localhost/secured --cert servercert.pem
        --key serverprivatekey.pem --cacert CA.key
        --cert-type pem --capath .

I shouldn't have to import files into IIS just to export them back so I know
I'm adding extra steps there.

I'm sorry if it sounds like I'm jumping around, but I honestly can't find
any complete docs anywhere, so I'm trying to combine what I'm getting from
different sites, and it's not resulting in anything solid yet.

Thanks for your time and any suggestions.
Received on 2004-03-07
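
The certificate roles in the message above, as an added example that is not part of the original post or of curl's own documentation: a POSIX shell script that rebuilds the CA and the signed server certificate with the same OpenSSL commands, then checks which files are PEM certificates and whether signed.cer chains to CA.crt. The subject names, the temporary directory, the helper function names and the locally generated request.csr (standing in for the IIS request) are assumptions.

```shell
#!/bin/sh
# Added example. Subject names and file layout are constructed for illustration.

# build_chain DIR: make a CA and a CA-signed server certificate in DIR.
build_chain() {
    dir=$1
    # CA key and self-signed CA certificate (the commands from the post).
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/CA.key" -x509 -days 1095 \
        -subj "/CN=Example Test CA" -out "$dir/CA.crt" &&
    # Assumption: a locally generated request stands in for the IIS request.csr.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -subj "/CN=localhost" \
        -out "$dir/request.csr" &&
    openssl x509 -req -days 1095 \
        -CA "$dir/CA.crt" -CAkey "$dir/CA.key" -CAcreateserial \
        -in "$dir/request.csr" -out "$dir/signed.cer" 2>/dev/null
}

# is_pem_cert FILE: succeeds only if FILE parses as a PEM X.509 certificate.
is_pem_cert() {
    openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# chain_ok CAFILE CERT: succeeds only if CERT verifies against CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
build_chain "$work" || echo "openssl could not build the chain" >&2
# openssl writes PEM by default, so CA.crt needs no conversion for curl.
is_pem_cert "$work/CA.crt" && echo "CA.crt: PEM certificate"
# A private key is not a certificate and cannot serve as a trust anchor.
is_pem_cert "$work/CA.key" || echo "CA.key: not a certificate"
chain_ok "$work/CA.crt" "$work/signed.cer" && echo "signed.cer chains to CA.crt"
chain_ok "$work/CA.key" "$work/signed.cer" || echo "CA.key rejected as CA file"
rm -rf "$work"

# With the server presenting signed.cer, the client verifies it like this:
#   curl --cacert CA.crt https://localhost/secured
# --cert and --key name a client certificate and its key; they are needed
# only when the server requests client authentication.
```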