curl-users

RE: creating certs for HTTP, PEM files, OpenSSL, etc

From: Doug Kaufman <dkaufman_at_rahul.net>
Date: Thu, 4 Mar 2004 23:24:00 -0800 (PST)

On Thu, 4 Mar 2004, Tony G wrote:

> Is the lack of response to this because:
> 1) No one knows?
> 2) The coding, tests, or debugging for this area still aren't complete?
> 3) This is considered an OpenSSL question and not cURL? I can easily post
> to the openssl-users list.
> 4) I should ask somewhere else?
> 5) I need to RTM? (A URL would be appreciated, I think I've been through
> everything in the standard docs. I'd be happy to verify an alpha/beta doc.)
> 6) Something else?
> ...
> >-----Original Message-----
> >Sent: Monday, March 01, 2004 2:45 PM
> > ...
> >The problem I'm having is creating a PEM from a server .crt
> >file with OpenSSL that the cURL commandline can use. I've
> >tried many permutations and never seem to get it quite right.
> >I'm using this OpenSSL line to create the
> >PEM:
> > openssl x509 -in server.crt -out server.pem -outform PEM
> >
> >I think I need to add the cert info to curl-ca-bundle.crt, or
> >(preferably) I need to properly tell the commandline to use a
> >different file rather than going to the bundle. I've used
> >notepad to copy/paste the cert into the bundle with no joy.
> >(Don't use Wordpad or it will change all the EOL delimiters).
> >
> >Can anyone give me a definitive set of steps to get from a
> >working cert to a working HTTPS with cURL? I'll be happy to

I hope that I understand the problem. It sounds as if you have
a trusted cert that you want to use that isn't in your standard
cert bundle. If so, the openssl command you list above should work
(although I usually also use the argument "-inform DER"). You can make
curl use this in several ways. The simplest is to use the command
line argument "--cacert=path_to_new_cert", where you substitute the
actual path. The second method is to set the environment variable
"CURL_CA_BUNDLE" to the path for the file. The third method is to
permanently add it to your standard ca bundle. You should be able to
do "cat server.pem >> curl-ca-bundle.crt".

Your mention of copy/paste and WORDPAD suggests that you might be
working under Windows. Be sure to use tools that don't change the
format of the file.

For documentation of the above information, see the curl help file
(type "curl --help"), the file "sslcerts", the file "changes", the
curl man page (see the section on --cacert), and the file "main.c" in
the source distribution.

This all assumes that you processed the server.crt correctly and that
you obtained it securely. Was it originally in DER format before you
modified it with openssl?

If the question is really something different, please restate it.

I haven't looked at curl source since 7.10.5. At that time curl used a
default location of the ca-bundle that was different from the openssl
default (i.e., share/curl/curl-cert-bundle.crt under $PREFIX) and did
not recognize the standard OpenSSL environment variables to override
the locations of the bundle and supplementary certs, SSL_CERT_FILE or
SSL_CERT_DIR. If you have both curl and other programs using OpenSSL
you might want to symlink the standard OpenSSL bundle (cert.pem
in the OpenSSL directory) to curl-cert-bundle.crt so that you only
need to maintain one file. If you want to use non-standard locations
on a regular basis, you may need to set both CURL_CA_BUNDLE and
SSL_CERT_FILE so that all your programs will look for the appropriate
files.
                       Doug

-- 
Doug Kaufman
Internet: dkaufman_at_rahul.net
Received on 2004-03-09
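The steps Doug describes (convert the .crt with openssl, check it, point curl at it with --cacert or CURL_CA_BUNDLE, or append it to the bundle), written out as a POSIX shell script. This is an added example, not code from the mail or from the curl project. It goes a little beyond the mail: it accepts the .crt whether it was saved as DER or as PEM, strips the CRLF line endings a Windows editor leaves behind, prints the SHA-256 fingerprint so the certificate can be checked out of band before it is trusted, and appends to the bundle idempotently. File names, the bundle path, the host name and the function names are assumptions; the openssl invocations are the standard x509 and req subcommands.

```shell
#!/bin/sh
# Added example (not from the original mail): get a certificate out of a
# server .crt file, whether it was saved as DER or as PEM, into LF-terminated
# PEM that curl can load, then append it to a CA bundle exactly once.
# File names, the bundle path and the host name below are assumptions.
set -e

# Emit the certificate in "$1" as PEM on stdout. DER files start with
# 0x30 (ASN.1 SEQUENCE); PEM files start with "-----BEGIN". Carriage
# returns left behind by a Windows editor are stripped so the output is
# the same no matter where the file was edited.
to_pem() {
    if [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
        openssl x509 -inform DER -in "$1" -outform PEM
    else
        tr -d '\r' < "$1"
    fi
}

# Base64 body of the first certificate in a PEM file, joined into one
# line, so two copies of the same cert compare equal whatever their
# line wrapping or line endings were.
pem_body() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { inside = 1; next }
         /^-----END CERTIFICATE-----$/   { exit }
         inside { printf "%s", $0 }' "$1"
}

# Exit 0 if bundle "$1" already holds a certificate whose body is "$2".
bundle_has_cert() {
    [ -f "$1" ] || return 1
    awk -v want="$2" '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; acc = ""; next }
        /^-----END CERTIFICATE-----$/   { inside = 0; if (acc == want) found = 1; next }
        inside { acc = acc $0 }
        END { exit found ? 0 : 1 }' "$1"
}

# Append PEM cert "$1" to bundle "$2" unless it is already there.
# Exit 0 when appended, 1 when it was already present. A bundle whose last
# line has no newline would otherwise fuse "-----END" and "-----BEGIN" and
# stop OpenSSL's PEM parser at that point, so a newline is added first;
# "awk 1" copies the cert and guarantees it ends with a newline too.
add_to_bundle() {
    body="$(pem_body "$1")"
    [ -n "$body" ] || { echo "no certificate found in $1" >&2; return 2; }
    if bundle_has_cert "$2" "$body"; then
        return 1
    fi
    if [ -s "$2" ] && [ "$(tail -c 1 "$2" | od -An -tx1 | tr -d ' ')" != "0a" ]; then
        echo >> "$2"
    fi
    awk 1 "$1" >> "$2"
}

# Fingerprint to compare out of band with the server operator before
# trusting the certificate at all; converting a file does not make it genuine.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Typical run, with the paths and host assumed. --cacert takes the path as
# its next argument; CURL_CA_BUNDLE is the environment-variable route.
#   to_pem server.crt > server.pem
#   fingerprint server.pem
#   curl --cacert server.pem https://example.test/
#   CURL_CA_BUNDLE=server.pem curl https://example.test/
#   add_to_bundle server.pem /usr/local/share/curl/curl-ca-bundle.crt
```

One caveat worth keeping in mind when using the first two routes: --cacert and CURL_CA_BUNDLE replace curl's default bundle rather than adding to it, so a file containing only this one certificate will make curl reject every site signed by a public CA. If both are needed, append to a copy of the full bundle and point curl at that copy.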