curl / Mailing Lists / curl-users / Single Mail


How to send an intermediate for a client certificate to the server.

From: James Short <>
Date: Wed, 31 Oct 2018 09:54:22 -0700

I'm trying to test mTLS with curl/nginx. The server side client
verification is going fine as my system ca-certs has the relevant root for
the server cert/inter chain nginx is sending to curl. However, I have a
client cert/inter chain that I'm passing via --cert and only the client
cert (first pem entry) is sent to the server.

With openssl s_client, I can use -CAfile to include the intermediate as it
is only used for client cert verification. With curl, if I put the
intermediate for the client cert in a file and point to it with --cacert,
then *server* certificate validation fails because the root for the server
cert validation is no longer there.

The workaround is to concatenate my system root and my client cert
intermediate into a new file and point to it with --cacert. This tells me
that --cacert is used for building/verifying both server and client
certificate chains.

Is this expected? Is there a simpler way to ensure that my client cert and
intermediate are sent to the server for mTLS verification?

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.34 zlib/1.2.7
libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz



Received on 2018-10-31