Wednesday, October 21, 2015

Using curl with SSL cert chain

You can use the --insecure option (-k) to make curl skip certificate verification. The connection is still encrypted, but curl no longer checks who it is talking to, so this is fine for a quick test and nothing else:

curl --insecure -u user:passwd -X GET -H 'Content-Type: application/json' "https://somesecureserver.com/rest/field"


But what if you WANT certificate verification? The curl docs mention the --cacert option, but it's still a little unclear how to use it.

First you need the certificates that the https server's certificate chains up to. Normally curl verifies against the CA bundle that came with the system (or the one it was built with); the --cacert option replaces that bundle, so you only need this when the server's CA isn't in there (an internal or self-signed CA, for example). The --cacert option requires PEM format, and it accepts only one file, so the root and any intermediate certificates should be concatenated into that one file. Strictly, the file only needs the certificates curl should trust: the root CA, plus the intermediates if the server doesn't send them itself. Including the server's own certificate is harmless but not needed.

1. Get all the certs from a browser

Get these by clicking on the lock (or the green portion) in the address bar.


Click on the Connection tab and then "Certificate Information".
Click on the Details tab. Here you can copy the certificate to a file.
Select the "DER encoded binary X.509 (.CER)" option.


Do this for all the entries that show up in the Certificate Path tab (there will be around 3: the server certificate, one or more intermediates, and the root).


2. Convert the .cer files to PEM format with openssl. The input format is DER (not DES); adding -text would also write a human-readable dump into each file, which curl ignores but which only makes the bundle harder to read:

openssl x509 -inform DER -in file1.cer -out file1.pem
openssl x509 -inform DER -in file2.cer -out file2.pem
openssl x509 -inform DER -in file3.cer -out file3.pem

3. Now concatenate all these pem files into one bundle

cat *.pem > certRepo

Now you can use certRepo to connect with certificate verification turned on:

curl --cacert certRepo -u user:passwd -X GET -H 'Content-Type: application/json' "https://somesecureserver.com/rest/field"

If curl answers with "SSL certificate problem: unable to get local issuer certificate", a certificate from the path (usually an intermediate) is missing from the bundle.
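The three steps end to end, as an added example that is not part of the original post. Since it has to run without a real server, it builds its own throwaway root -> intermediate -> server chain with openssl, exports the server certificate as DER (the bytes the browser's "DER encoded binary X.509" export gives you), converts it back to PEM with -inform DER, concatenates the CA certificates into one file and checks the server certificate against it with openssl verify, which is the same check curl performs with --cacert. "Demo Root CA", "Demo Intermediate CA", "somesecureserver.com" and every file name are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a demo
# root -> intermediate -> server chain, round-trips the server cert
# through DER, bundles the CA certs and verifies against the bundle.
# All names (Demo Root CA, somesecureserver.com, file names) are made up.

# Minimal openssl.cnf so "openssl req" does not depend on the system one.
# ca_ext marks a cert as a CA; openssl will not accept an issuer that
# lacks basicConstraints CA:TRUE.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_demo_chain DIR: creates root.pem, int.pem, leaf.pem (and keys) plus
# leaf.cer, the DER form of leaf.pem. Returns non-zero if any step fails.
make_demo_chain() {
    dir=$1
    write_req_config "$dir/req.cnf"
    # Extension file for the intermediate (same CA extensions as the root).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    # Extension file for the server cert: not a CA, hostname in the SAN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:somesecureserver.com\n' \
        > "$dir/leaf.ext"
    keyopts="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

    # Self-signed root CA.
    openssl req -x509 -config "$dir/req.cnf" $keyopts -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" \
        2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl req -new -config "$dir/req.cnf" $keyopts \
        -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 1 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" \
        2>/dev/null || return 1
    # Server cert, signed by the intermediate.
    openssl req -new -config "$dir/req.cnf" $keyopts \
        -subj "/CN=somesecureserver.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 3 -days 1 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" \
        2>/dev/null || return 1
    # DER export: the same bytes a browser's "DER encoded binary X.509" gives.
    openssl x509 -in "$dir/leaf.pem" -outform DER -out "$dir/leaf.cer" 2>/dev/null
}

# der_to_pem IN.cer OUT.pem: step 2 of the post, with -inform DER.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# verify_with_bundle BUNDLE LEAF: succeeds only if LEAF chains up to the
# certificates in BUNDLE; this is the check curl --cacert BUNDLE performs.
verify_with_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: runs the whole procedure in a temp dir and prints the curl command.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_chain "$dir" || { echo "could not build demo chain" >&2; return 1; }
    der_to_pem "$dir/leaf.cer" "$dir/leaf_from_der.pem"
    cmp -s "$dir/leaf.pem" "$dir/leaf_from_der.pem" && echo "DER -> PEM round trip OK"
    # Root only: fails, because the intermediate is missing from the path.
    verify_with_bundle "$dir/root.pem" "$dir/leaf.pem" \
        || echo "root alone: unable to get local issuer certificate (expected)"
    # Root + intermediate in one file: the bundle curl needs (step 3).
    cat "$dir/root.pem" "$dir/int.pem" > "$dir/certRepo"
    verify_with_bundle "$dir/certRepo" "$dir/leaf.pem" && echo "root+intermediate: OK"
    echo "curl --cacert $dir/certRepo https://somesecureserver.com/rest/field"
}
```

Run `demo` after sourcing the file. Against a real server you can skip the browser and the DER conversion altogether: `openssl s_client -connect somesecureserver.com:443 -showcerts </dev/null` prints every certificate the server sends, already in PEM, and you only need to add the root if the server does not include it.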

8 comments:

  1. Hi..
    Need to know the purpose of passing the userName and password? Certificate shouldn't be enough? And what if I am writing a Java client to hit a https url, do I need to pass the username and password in the GET request header? Please do suggest.
  2. Wow, that was helpful. Thanks a lot! Is there a resource somewhere that explains the theoretical background of all these steps?
  3. a BIG THANKS. you are AWESOME !!
  4. There is a typo, it needs ":" between "https" and "/somesecureserver.com/..."
    Other than that, thank you for this article!
  5. I have two questions: first, this path to the https server, are you combining the certificate chain of the server that you are hitting or is it the server from which the connect is made?

    The reason I ask this is the following: If it is the certificate of the server I am hitting, e.g. google.com, what will the password in user:passwd be?