Curl with a PKCS#12 certificate in a bash script
I have to connect to a web service where a PKCS#12 certificate is a must. The idea was to use curl in a bash script (under OS X, to be specific).
I have learnt that one of the few things curl cannot do in communication is handling PKCS#12 certificates (.p12). What are my options?
I have read that converting the certificate to PEM format would work (using openssl), however I have no idea how to tell curl that it gets a PEM and should communicate with a web service requesting PKCS#12 certificates.
Converting PKCS#12 to PEM would be done like this (e.g.); it worked for me, however I haven't successfully used the results with curl:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Any hints? Or any alternatives to curl? The solution should be command-line based.
How to trust self-signed certificate in curl command line?
I had this issue, exactly the same problem and error messages, but I used GnuTLS's certtool to generate my cert rather than openssl.
My problem was that I had not made my self-signed cert a CA. It was only configured to act as a web server cert, which is all I wanted to do with it, and I wasn't going to use it as a CA to sign other certs.
But when you want to add a cert into the trust chain as the issuer of other certs, that cert must be a CA, or it's rejected by openssl!
With certtool -i < mycert.crt, one needs to see this:
Extensions: Basic Constraints (critical): Certificate Authority (CA): TRUE
Try adding -addext basicConstraints=critical,CA:TRUE,pathlen:1 to your openssl command, or modify your cnf file to the same effect.
Or, use certtool; it's much easier for one-off cert generation:
certtool -p --outfile localhost.key
certtool -s --load-privkey localhost.key --outfile localhost.crt
And then answer the prompts to supply the cert's CN and so on. And say yes when asked if it's for a certificate authority!
PHP, curl: working with certificates
When integrating web applications with other applications, the following task often comes up:
- Verify the identity of the remote server using a .cer certificate.
- Identify ourselves to the remote server using a .pfx certificate.
- Transfer data using curl.
To solve this task with PHP's curl, we need the certificates in .crt and .pem format.
We will use the openssl program.
After downloading and installing it, first convert the client certificate:
V:\ssl\bin\openssl.exe pkcs12 -in V:\ssl\cert.pfx -out V:\ssl\cert.key
V:\ssl\bin\openssl.exe rsa -in V:\ssl\cert.key -out V:\ssl\cert.pem
V:\ssl\bin\openssl.exe x509 -in V:\ssl\cert.key >> V:\ssl\cert.pem
V:\ssl is the path where openssl is installed; our certificates are in the same directory.
After the second command we are asked for our current password and for a new one. We will use the new password later.
And now the server certificate:
V:\ssl\bin\openssl.exe x509 -in V:\ssl\cert.cer -inform DER -out V:\ssl\cert.crt -outform PEM
Everything is ready. Now let's connect to the remote server using a CURL connection.
For example:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://xxx.xxx.xxx.xxx/');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
In the settings of the CURL connection, specify:
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_CAINFO, 'path to the .crt file');
curl_setopt($ch, CURLOPT_SSLCERT, 'path to the .pem file');
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'new password');
Using curl in php with client certificate and private key in separate files
I need some assistance rewriting this PHP curl code, which uses a single *.pem file for the CA cert, client cert and private key:
curl_setopt($curl, CURLOPT_URL, $this->url);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_SSLCERT, $this->keystore);
curl_setopt($curl, CURLOPT_CAINFO, $this->keystore);
curl_setopt($curl, CURLOPT_SSLKEYPASSWD, $this->keystorepassword);
curl_setopt($curl, CURLOPT_POSTFIELDS, $post);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
So that it could use the CA certificate, client certificate and private key in separate files.
As in this command-line example:
curl -d "var1=value1&var2=value2&..." -G -v --key key.pem --cacert ca.pem --cert client.pem:xxxxxx https://www.somesite.com/page
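An added example, not code from any of the posts above, that does what this question asks and also corrects the verification settings shown in the PHP post earlier on the page: client certificate, private key and CA in three separate PEM files, with peer and hostname verification switched on. The function name, the URL, the file paths and the password are placeholders (assumptions), not values from the posts.

```php
<?php
// POST $fields to $url, presenting a client certificate and key from separate
// PEM files and verifying the server against $caCert. Returns the response
// body or throws. Hypothetical helper; all paths passed to it are placeholders.
function postWithClientCert(
    string $url, array $fields,
    string $clientCert,       // PEM: client certificate (openssl pkcs12 ... -clcerts -nokeys)
    string $clientKey,        // PEM: private key (openssl pkcs12 ... -nocerts)
    string $caCert,           // PEM: CA that issued the *server* certificate
    string $keyPassword = ''  // key passphrase; leave empty for a key exported with -nodes
): string {
    // curl's own error for a missing file is confusing, so check up front.
    foreach ([$clientCert, $clientKey, $caCert] as $path) {
        if (!is_readable($path)) {
            throw new RuntimeException("cannot read $path");
        }
    }
    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        // Client identity: certificate and key are now two files.
        CURLOPT_SSLCERT        => $clientCert,
        CURLOPT_SSLCERTTYPE    => 'PEM',
        CURLOPT_SSLKEY         => $clientKey,
        CURLOPT_SSLKEYTYPE     => 'PEM',
        // Server identity: VERIFYPEER=false or VERIFYHOST=1 would let any
        // certificate pass. Keep both checks on; CAINFO holds only the CA.
        CURLOPT_CAINFO         => $caCert,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
    if ($keyPassword !== '') {
        $opts[CURLOPT_SSLKEYPASSWD] = $keyPassword;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $err  = curl_error($ch);   // e.g. a failed peer verification shows up here
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("curl failed: $err");
    }
    return $body;
}

// Placeholder endpoint and files, mirroring the command-line example above.
echo postWithClientCert('https://www.somesite.com/page', ['var1' => 'value1', 'var2' => 'value2'],
    '/path/to/client.pem', '/path/to/key.pem', '/path/to/ca.pem', 'xxxxxx');
```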