
Using curl with --cert

I'm using curl to request data from a corporate website using a .cer certificate that they sent me. This is the command:

curl --header "Content-Type: text/xml;charset=UTF-8" \
     --data @bustaRequestISEE2015ConsultazioneAttestazione.xml \
     -o bustaResponseISEE2015ConsultazioneAttestazione.xml \
     --cert ./caaffabisrl.cer \
     https://istitutonazionaleprevidenzasociale.spcoop.gov.it/PD

When I run it, I get this error message:

curl: (58) could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)

Is there anybody who can help me?

Tks, Cristiano.

Cristiano Ansaloni asked Apr 05 '16 15:04



1 Answer

It is not possible to connect to a TLS server with curl using only a client certificate, without the client private key. Either they forgot to send you the private key file, or, what they sent you was not the client certificate but the server certificate for verification.

The first thing I would try is using --cacert instead of --cert. That is, tell curl that this is the server's certificate that curl can use to verify that the server is who you think it is.

You can also try removing --cert and not using --cacert, and you will probably get an error that the server is not trusted. Then add the --insecure argument and see if that works. I would not keep that argument, as then you have no proof of who you are talking to.

My guess is that it is the server cert, and that using --cacert instead of --cert will solve the problem.

Jim Flood answered Oct 22 '22 08:10
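
Before choosing between --cert and --cacert, it helps to check what the file actually contains: OpenSSL's "no start line" error means it found no `-----BEGIN ...-----` line in the file. The script below is an added example, not part of the original question or answer; it reports whether a file is PEM or DER and whether it carries a private key. The function names `classify_cert_file` and `curl_advice` are hypothetical and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: inspect a certificate file before passing it to curl.
# Function names are hypothetical; the sample files are constructed.

# Prints one of: pem-cert+key, pem-cert, pem-key, der, unknown, unreadable.
# The body is a subshell "( )" so its variables stay local in plain sh.
classify_cert_file() (
    f=$1 has_cert=0 has_key=0
    [ -r "$f" ] || { echo "unreadable"; exit 1; }
    # PEM is text framed by "-----BEGIN <label>-----" lines; OpenSSL's
    # "no start line" error means it found no such line in the file.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" && has_cert=1
    # Covers PKCS#8, encrypted PKCS#8 and the legacy RSA/EC key labels.
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" && has_key=1
    case "$has_cert$has_key" in
        11) echo "pem-cert+key" ;;
        10) echo "pem-cert" ;;
        01) echo "pem-key" ;;
        *)  # DER is binary ASN.1 and starts with a SEQUENCE tag (0x30).
            first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
            if [ "$first" = "30" ]; then echo "der"; else echo "unknown"; fi ;;
    esac
)

# Prints which curl option fits the file, based on its classification.
curl_advice() {
    case "$(classify_cert_file "$1")" in
        pem-cert+key) echo "client certificate with key: --cert $1" ;;
        pem-cert) echo "no private key: --cacert $1 if it is the server or CA certificate; a client certificate also needs --key KEYFILE" ;;
        pem-key)  echo "private key only: --key $1 together with --cert CERTFILE" ;;
        der)      echo "DER encoded (binary): if it is a certificate, convert with openssl x509 -inform DER -in $1 -out $1.pem, then check again" ;;
        *)        echo "not a recognisable certificate or key file" ;;
    esac
}

# Demo on constructed placeholder files (not real certificates).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/pem.cer"
printf '\060\202\001\012' > "$demo_dir/der.cer"
for f in "$demo_dir"/*.cer; do
    echo "$(basename "$f"): $(curl_advice "$f")"
done
rm -rf "$demo_dir"
```

A `.cer` extension says nothing about the encoding, so the check looks at the file's content rather than its name.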