curl-users
Re: Verifying self signed certificates
Date: Tue, 24 Jan 2012 19:08:13 -0500
On 21 January 2012 02:09, Ralph Mitchell <ralphmitchell_at_gmail.com> wrote:
> On Fri, Jan 20, 2012 at 1:08 PM, Shivam Patel <shivam.unleashed_at_gmail.com>wrote:
>
>> Hi All,
>> I need to verify the server certificate for a server that sends a self
>> signed certificate. I am using the curl command line tool.
>> I read http://curl.haxx.se/mail/archive-2011-02/0049.html in which
>> Daniel says there is no way we can do it over command line (or so I
>> inferred).
>>
>> Can someone tell me a way I can verify this certificate. As mentioned in
>>
>> http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/ , I
>> added the PEM key to my CA cert store, but even that doesn't work for me.
>>
>> I reckon the problem is that I need to add the CA certificate to the
>> certificate store (or for --cacert option) and not the Server Certificate.
>> For self signed certificate, there is no CA - does that mean that the
>> Certificate itself can be deemed as the CA certificate ?
>>
>
> I have a server at home that uses a certificate signed by my own internal
> CA, which has its own self-signed certificate. I just tried accessing the
> server with curl:
>
> curl -v https://server.domain.com/
>
> and got back
>
> * Peer certificate cannot be authenticated with known CA certificates
>
> Then I went to the server, pulled its CA cert and saved it locally and
> tried again:
>
> curl -v --cacert ca.pem https://server.domain.com/
>
> and it validated OK, so curl can definitely handle a self-signed CA.
> Actually, if you follow the CA chain from any server cert you'll find a
> self-signed certificate from Verisign, Thawte, or whomever. So, if your
> server certificate is self-signed you ought to be able to save a copy and
> use it with the --cacert flag.
>
> As I read Daniel's email that you referenced, what he's saying is that he
> doesn't know a convenient way to pull the server's CA cert rather than the
> server's own cert4l. I think this may do it:
>
> openssl s_client -showcerts -connect server.com:443 > certs.pem
>
> You can then use certs.pem in my previous curl command line.
>
> Ralph Mitchell
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-users
> FAQ: http://curl.haxx.se/docs/faq.html
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>
>
Ralph, Thanks for your comments.
Well I've already tried what you mentioned. It didn't work. Is it so
because there is no issuer in the CA chain for the certificate sent by the
server? Does curl expect at least one issuer CA in the CA chain ?
The certificate I am trying to validate using curl is
https://download.finratraqs.org/
I have a couple questions for this cert:
1.) Since this is a self signed cert, shouldn't "Issued to" and "Issued by"
CN fields ideally match ?
2.) If this isn't self signed, and was issued by a self signed CA, then why
isn't that CA cert showing up in the Certification path.
Any thoughts will be appreciated !
Also if anyone of you can successfully validate the cert from the
aforementioned URL, kindly share the flags/process.
Thanks
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-01-25