Wednesday, October 21, 2015

Using curl with SSL cert chain

You can use the --insecure option to curl without SSL checks

curl --insecure -u user:passwd -X GET -H 'Content-Type: application/json' "https//"

But what if you WANT to use SSL? The curl docs mentions the --cacert option, but its still a little unclear on how to do this.

First you'll need to get the entire certificate path to the https server. You need the entire path because curl does not come with any CA cert info. The cacert option also requires the cert in pem format. Lastly the entire certificate chain should be in 1 file, since the cacert option accepts only 1 file.

1. Get the all the certs from a browser

Get this by clicking on the Lock or Green portion from the address bar

Click on the Connection tab and then "Certificate Information"
Click on the Details tab. Here you can Copy this to a file.
Select the DER encoded binary x.509(.cer) option

Do this for all the entries that show up  in the Certificate Path tab (there will be around 3)

2. Convert the .cer files to PEM format with openssl:

openssl x509 -inform DES -in file1.cer -out file1.pem -text
openssl x509 -inform DES -in file2.cer -out file2.pem -text
openssl x509 -inform DES -in file3.cer -out file3.pem -text

3. Now append all these pem files into one repo

cat *.pem > certRepo

Now you can use the certRepo to connect via SSL

curl --cacert certRepo -u user:passwd -X GET -H 'Content-Type: application/json' "https//"