curl-users

SSL: Verify cert is OK?

From: Andy Theuninck <gohanman_at_gmail.com>
Date: Wed, 23 Jul 2008 13:36:43 -0500

I'm trying to create my own ca-bundle as described on
http://curl.haxx.se/docs/sslcerts.html

I obtained the certificate like this:
$ openssl s_client -connect www.domain.com:443 |tee logfile

I copied the certificate (including BEGIN and END lines) to a new
file, domain.cert

I then generated what I *think* is a ca file thusly:
$ openssl x509 -inform PEM -in domain.cert -text -out certdata

If I try to use this certificate file, I get an error:
$ curl --cacert certdata https://www.domain.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

The linked document, unfortunately, does not describe HOW I verify the
cert is OK. I also don't know if the output from the 2nd openssl
command is in the correct format. My curl installation doesn't seem to
have a default bundle to compare against. Also, the bundles linked @
http://curl.haxx.se/docs/caextract.html are actually 2KB files
containing nothing but comments...
Received on 2008-07-23
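
One way to run the check the message asks about, as an added example (not part of the original post and not curl project code): it tests whether a PEM file can act as a trust anchor for a server certificate, using OpenSSL's default chain building. The root and leaf are constructed throwaway certificates and the function names are hypothetical; under these defaults a file holding only a CA-issued server certificate does not verify that certificate, while the issuing root does.

```shell
#!/bin/sh
# Constructed demo PKI: a throwaway root and a leaf for www.domain.com,
# created in directory $1 so the checks below run offline.
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.domain.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds when issuer == subject, i.e. the file holds a self-signed root.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Succeeds when server certificate $2 chains to a trust anchor in CA file $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Try each candidate as the CA file for the same leaf and report the outcome.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for f in leaf.pem ca.pem; do
        is_self_issued "$tmp/$f" && kind="self-signed root" || kind="issued by another CA"
        chains_to "$tmp/$f" "$tmp/leaf.pem" && res="verifies" || res="verify fails"
        echo "$f as CA file: $kind; leaf $res"
    done
    rm -rf "$tmp"
}
demo
```

Against a live server, `openssl s_client -showcerts` prints every certificate the server sends, which gives files to feed to these two checks.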