
curl-users

Re: p12 -> pem = 403 error

From: Hal Williams <hwilliams_at_numail.org>
Date: Sat, 21 May 2005 18:49:43 -0400

Just a little more info (3 different scenarios):

If I don't include any certificate stuff in the command line (--cacert
or --cert):
Lots of SSL data is sent and received
The GET command is never executed
curl: (60) SSL certificate problem, verify that the CA cert if OK.
Details:.....

If I include '--cacert cert.pem' (this seems to work the best):
Lots of SSL data is sent and received.
The server certificate is displayed followed by 'SSL certificate verify ok'
The GET command *is* executed
The web page is successfully downloaded, but only says '403 Client
Authentication Error' (as far as curl is concerned, everything is ok?)

If I include '--cert cert.pem':
NO SSL data is sent or received
The GET command is never executed
curl: (58) unable to set private key file: 'keycert.pem' type PEM

So, I suppose the specified pem certificate is doing *something* right?

Daniel Stenberg wrote:

> On Sat, 21 May 2005, Hal Williams wrote:
>
>> I'm so stupid about this, I don't even know if the certificate 'p12'
>> I received via email is supposed to be a CA certificate, client
>> certificate, or both... remember it includes 4 different sections?
>
> Sorry, I didn't pay that good attention. I'm really not a wizard on
> the cert issues.
>
> Please read my following reply with that kept in mind. I might be
> completely wrong. But I hope someone can point out my mistakes if/when
> I am.
>
> Ok, here we go...
>
>> Should I provide a Pass Phrase when converting from p12 to pem?
>
> I guess you should.
>
>> Should I provide for curl, or be prompted by curl for a password?
>
> Now I _believe_ the pass phrase is for your private key, not the cert.
> I think you get both when you convert from p12.
>
>> When I successfully access the test web site via browsers, I am *not*
>> prompted for a user name or password.
>
> No, the browsers can deal with it in whatever way they want. But when
> you export the cert+key to PEM, you set a pass phrase to it that you
> must specify when you use the pair with curl.
>
> Note that curl's --cert (-E) option assumes a single PEM file that
> contains both the private key and your client cert. And you'll need to
> provide the pass phrase you used when you exported it from p12.
>
>> What about the fact that I *do* get the 'SSL certificate verify ok'
>> message in the curl trace file?
>
> That is the verification curl does of the server's certificate. It
> means that the server is verified.
>
>> And then, after all content is sent, I get the 403 error. Is this
>> common?
>
> Yes, if this end thinks the other is OK, but the other end thinks this
> end is bad.
>
>> Is there supposed to be enough information in the trace file to
>> deduce such things?
>
> The trace file can only show things that take place in this end, so it
> cannot show any debug messages regarding the server's (in)ability to
> verify your certificate.
>
Received on 2005-05-22
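The three scenarios in the mail come down to what is inside the file handed to curl: --cert (-E) wants one PEM containing both the client certificate and its private key, so a certificate-only file produces error (58), while leaving --cert out lets the handshake complete and the server answer 403 because no client certificate was offered. As an added example, not code from this thread or from the curl project, here is a small POSIX shell check that tells the two cases apart before curl is run. It is exercised on two constructed placeholder PEM files (no real key material); the file names, the pass phrase value and the URL are assumptions, and the PKCS#12 conversion helper is defined but not executed.

```shell
#!/bin/sh
# Added example, not code from the curl-users thread or from curl itself.
# curl's --cert (-E) expects ONE PEM file holding both the client certificate
# and its private key. A file with only the certificate gives error (58)
# "unable to set private key file"; omitting --cert altogether lets the TLS
# handshake finish but the server, seeing no client cert, answers 403.

# Convert a PKCS#12 bundle to a single PEM with cert + key. openssl prompts
# for the import password and for a new PEM pass phrase. File names are
# placeholders; this function is defined but not run in the demo below.
p12_to_pem() {
    openssl pkcs12 -in "$1" -out "$2"
}

# Return 0 only if the PEM file contains at least one CERTIFICATE block and
# at least one PRIVATE KEY block (encrypted or not); 1 otherwise.
pem_has_cert_and_key() {
    pem="$1"
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -cE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$pem" || true)
    [ "${certs:-0}" -ge 1 ] && [ "${keys:-0}" -ge 1 ]
}

# Print the curl command line that would use the file: cert and key from one
# PEM, the PEM pass phrase appended after a colon (curl's cert[:password]
# form), and the CA bundle for server verification. The URL and pass phrase
# are placeholders; nothing is fetched here.
show_curl_command() {
    pem="$1"; ca="$2"; passphrase="$3"; url="$4"
    printf 'curl --cacert %s --cert %s:%s %s\n' "$ca" "$pem" "$passphrase" "$url"
}

# Constructed stand-ins for the two files from the thread. The base64 bodies
# are placeholder text, not real key material; only the PEM framing matters.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' \
    'MIIBconstructedplaceholdercertificatebody' \
    '-----END CERTIFICATE-----' > "$SAMPLE_DIR/cert-only.pem"
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' \
    'MIIBconstructedplaceholdercertificatebody' \
    '-----END CERTIFICATE-----' \
    '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
    'MIIEconstructedplaceholderkeybody' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$SAMPLE_DIR/keycert.pem"

# Diagnose each file and show the command that would use the good one.
for f in "$SAMPLE_DIR/cert-only.pem" "$SAMPLE_DIR/keycert.pem"; do
    if pem_has_cert_and_key "$f"; then
        echo "$f: certificate and key present, usable with --cert"
        show_curl_command "$f" ca.pem 'PASSPHRASE-PLACEHOLDER' 'https://test.example/'
    else
        echo "$f: no private key block; --cert would fail with (58)"
    fi
done
```

The check only looks at PEM framing, so it catches the "certificate without key" mistake from the mail but says nothing about whether the key matches the certificate or whether the server's CA will accept it; a 403 after a clean handshake is still the server's verdict, which the client-side trace cannot show.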