curl-users

p12 -> pem = 403 error

From: Hal Williams <hwilliams_at_numail.org>
Date: Sat, 21 May 2005 12:18:12 -0400

Hello,

I've been using curl (on the linux platform) for several years now with
great success. Although I routinely access HTTPS sites, I've never had
to install digital certificates, deal with converting 'p12' to 'pem' or
anything like that. If anyone could help on the following problem, I'd
really appreciate it, as I'm about googled out on this one...

I received a digital certificate from TransUnion, via email to access
their test credit report data. TransUnion has got a special web address
used for the sole purpose of testing the certificate and authorization
logic of your client software... when accessing the web site, you either
get a success response or the dreaded 'error 403, Client
Authentication Error' response.

I know the certificate is good because I've had no problem installing it
and successfully accessing the test web site using IE, Firefox
(Windows), and Firefox (Linux). Following is what I've done, trying to
get it to work with curl.

openssl pkcs12 -in cert.12 -out cert.pem -nodes (tried many variations
of this)
curl --trace-ascii tracefile --cacert cert.pem (tried many variations of
this)
Response: <H1>403 Client Authentication Error</H1>

The cert.pem file generated by 'openssl pkcs12' includes 4 different
sections, which I was a little surprised at:
Bag Attributes: <No Attributes>
subject=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA
Certificate Authority
issuer=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA
Certificate Authority
-----BEGIN CERTIFICATE-----
bla, bla, bla ...
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion
TUNA Registration Authority
issuer=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA
Certificate Authority
-----BEGIN CERTIFICATE-----
bla, bla, bla...
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: TUNA Test Client Certificate
    localKeyID: 00 00 00 01
subject=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion Net
Access Client Testing
issuer=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA
Registration Authority
-----BEGIN CERTIFICATE-----
bla, bla, bla...
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: TUNA Test Client Certificate
    localKeyID: 00 00 00 01
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
bla, bla, bla...
-----END RSA PRIVATE KEY-----

Partial Response Log (part is 'Xed' out):
About 2-3K of SSL data is exchanged, followed by
SSL connection using DES-CBC3-SHA
Server certificate:
    subject: /C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=XXX.com
    start date: 2002-03-18 06:00:00 GMT
    expire date: 2012-03-19 05:59:59 GMT
    subjectAltName: XXX.com matched
    issuer: /C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion
TUNA Registration Authority
SSL certificate verify ok.
GET /?ping/ HTTP/1.1
User-Agent: bla, bla, bla
Host: XXX.com:3018
Accept: */*
HTTP/1.0 403 Client Authentication Error
CONTENT-LENGTH: 00040
CONTENT-TYPE: text/html
<H1>403 Client Authentication Error</H1>
SSLv3, TLS alert, Client hello (1):

I've got so many questions and ideas about why this is not working, I
hardly know where to begin. I've tried lots of things, including
splitting the cert.pem file up, using different command line options,
etc. I'll be happy to provide more information, if needed.

Soooooo, any and all help would be appreciated. Like I said, I'm about
googled out on this one...

Hal Williams
Williams Data Services
Received on 2005-05-21
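
Added example, not part of the original post and not code from curl or OpenSSL: a Python example that splits a bundle laid out like the cert.pem above into the client certificate, its private key and the remaining CA certificates by matching localKeyID, and lists the curl option each part belongs to (--cert and --key present the client identity; --cacert only names CAs used to verify the server). The sample bundle, its placeholder bodies and the output file names are constructed assumptions.

```python
import re

# Constructed bundle in the layout `openssl pkcs12 -nodes` writes; bodies are
# placeholders, and the file names in curl_args() are assumptions.
SAMPLE = """\
Bag Attributes: <No Attributes>
subject=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
placeholder-ca-body
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Example Client
    localKeyID: 00 00 00 01
subject=/CN=Example Client
-----BEGIN CERTIFICATE-----
placeholder-leaf-body
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 00 00 00 01
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
placeholder-key-body
-----END RSA PRIVATE KEY-----
"""

PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n?", re.S)

def split_bundle(text):
    """Return {'cert', 'key', 'chain'} PEM strings, paired by localKeyID."""
    entries, pos = [], 0
    for m in PEM.finditer(text):
        attrs = text[pos:m.start()]          # bag attributes before this block
        pos = m.end()
        kid = re.search(r"localKeyID:\s*([0-9A-Fa-f ]+)", attrs)
        entries.append((m.group(1), kid and kid.group(1).strip(), m.group(0)))
    keys = [e for e in entries if e[0].endswith("PRIVATE KEY")]
    if len(keys) != 1 or not keys[0][1]:
        raise ValueError("expected exactly one private key with a localKeyID")
    certs = [e for e in entries if e[0] == "CERTIFICATE"]
    leaf = [pem for _, kid, pem in certs if kid == keys[0][1]]
    if len(leaf) != 1:
        raise ValueError("no single certificate matches the key's localKeyID")
    chain = "".join(pem for _, kid, pem in certs if kid != keys[0][1])
    return {"cert": leaf[0], "key": keys[0][2], "chain": chain}

def curl_args(cert="client.crt", key="client.key", chain="ca-chain.pem"):
    """--cert/--key present the client identity; --cacert verifies the server."""
    return ["--cert", cert, "--key", key, "--cacert", chain]
```

Write the 'key' part to a file readable only by its owner, since -nodes leaves the private key unencrypted.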