curl-users
Re: p12 -> pem = 403 error
Date: Sun, 22 May 2005 00:01:04 +0200 (CEST)
On Sat, 21 May 2005, Hal Williams wrote:
> I'm so stupid about this, I don't even know if the certificate 'p12' I
> received via email is supposed to be a CA certificate, client certificate,
> or both... remember it includes 4 different sections?
Sorry, I didn't pay that good attention. I'm really not a wizard on the cert
issues.
Please read my following reply with that kept in mind. I might be completely
wrong. But I hope someone can point out my mistakes if/when I am.
Ok, here we go...
> Should I provide a Pass Phrase when converting from p12 to pem?
I guess you should.
> Should I provide for curl, or be prompted by curl for a password?
Now I _believe_ the pass phrase is for your private key, not the cert. I
think you get both when you convert from p12.
> When I successfully access the test web site via browsers, I am *not*
> prompted for a user name or password.
No, the browsers can deal with it in whatever way they want. But when you
export the cert+key to PEM, you set a pass phrase to it that you must specify
when you use the pair with curl.
Note that curl's --cert (-E) option assumes a single PEM file that contains
both the private key and your client cert. And you'll need to provide the pass
phrase you used when you exported it from p12.
> What about the fact that I *do* get the 'SSL certificate verify ok' message
> in the curl trace file?
That is the verification curl does of the server's certificate. It means that
the server is verified.
> And then, after all content is sent, I get the 403 error. Is this common?
Yes, if this end thinks the other is OK, but the other end thinks this end is
bad.
> Is there supposed to be enough information in the trace file to deduce such
> things?
The trace file can only show things that take place in this end, so it cannot
show any debug messages regarding the server's (in)ability to verify your
certificate.
-- Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2005-05-22
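
Added example, not part of the original message and not curl project code: a shell sketch of the p12-to-PEM conversion discussed above, plus a check that the resulting single PEM file holds both a client certificate and a pass-phrase-protected private key before it is handed to curl's --cert. The file names, the URL and the function names are assumptions, and the sample PEM is constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example. File names, URL and function names are hypothetical.

# Convert a PKCS#12 bundle to one PEM file. openssl prompts for the import
# password, then for a new PEM pass phrase that protects the private key.
p12_to_pem() {
    openssl pkcs12 -in "$1" -out "$2"
}

# Summarise the PEM blocks in a file: certificates, private keys, and
# whether the key is encrypted (PKCS#8 label or traditional Proc-Type header).
pem_summary() {
    awk '
        /^-----BEGIN CERTIFICATE-----/                 { certs++ }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/       { keys++; enc++ }
        /^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/ { keys++ }
        /^Proc-Type: 4,ENCRYPTED/                      { enc++ }
        END { printf "certs=%d keys=%d encrypted=%s\n", certs, keys, (enc ? "yes" : "no") }
    ' "$1"
}

# curl's --cert (-E) expects a single PEM file with the client cert and its key.
curl_cert_ready() {
    case "$(pem_summary "$1")" in
        certs=0*)   echo "missing certificate" ;;
        *keys=0*)   echo "missing private key" ;;
        *keys=1\ *) echo "ok" ;;
        *)          echo "more than one private key" ;;
    esac
}

# Constructed sample: block bodies are placeholders, not real key material.
make_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: constructed client
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
(placeholder)
-----END ENCRYPTED PRIVATE KEY-----
EOF
}

# Typical use (needs openssl and network access, so not run here):
#   p12_to_pem client.p12 client.pem && curl_cert_ready client.pem
#   curl --cert client.pem https://example.com/   # curl asks for the pass phrase
```

A 403 that persists after this check passes is decided on the server side, which the local trace cannot show.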