cURL / Mailing Lists / curl-users / Single Mail


RE: curl certificate authentication failed

From: Chidanand Gangur <>
Date: Fri, 16 Jul 2004 09:51:18 +0530

Hi Glenn,

Even I am able to get it work by using the "-k" switch but this not what we are expecting to do.

CA certificates are generated by me and they reside on the same machine. The openssl commands used to generate certificates are as follows:

/************************CA Certificates******************************/
openssl genrsa -out myCAkey.key 1024
openssl req -new -key myCAkey.key -out myCAreq.req
openssl x509 -req -days 365 -in myCAreq.req -signkey myCAkey.key -out myCAcert.pem

/************************Server Certificates******************************/
openssl genrsa -out myServer.key 1024
openssl req -new -key myServer.key -out myServer.req
openssl x509 -req -days 365 -CA myCAcert.pem -CAkey myCAkey.key -CAcreateserial -in myServer.req -out myServer.pem

/************************Client Certificates******************************/
openssl genrsa -out myClient.key 1024
openssl req -new -key myClient.key -out myClient.req
openssl x509 -req -days 365 -CA myCAcert.pem -CAkey myCAkey.key -CAcreateserial -in myClient.req -out myClient.pem

/*****************PKCS12 Format for IE browser***************************/
openssl pkcs12 -export -clcerts -in myClient.pem -inkey myClient.key -out myClient.p12

Can some body point where am I going wrong. My Question is if it is problem with CA certificate why should it work with Browsers.


-----Original Message-----
From: [] On Behalf Of Glenn
Sent: Wednesday, July 14, 2004 4:40 PM
Subject: Re: curl certificate authentication failed

Chidanand Gangur <chidanand.gangur <at>> writes:

> I get
> curl: (60) SSL certificate problem, verify that the CA cert
> is OK
> curl --cacert myCAcert.pem  --capath "." --cert
> myClient.pem --cert-type PEM --key myClient.key --key-type PEM
> (with client authentication enabled)
> it gives the same error.
> curl: (60) SSL certificate problem, verify that the CA cert
> is OK
> I have tried various options.
I have had the same problem and got it worked using -k instead of the --cacert

But the real solution was the new certificate. The first certificate contained
some errors (I don't know what kind) but when the author sent a new one it
worked with the --cacert option.

Received on 2004-07-16