[Pki-devel] Talking to PKI-CA via Curl

Adam Young ayoung at redhat.com
Fri Sep 16 13:52:35 UTC 2011 

On 09/15/2011 11:34 PM, Kashyap Chamarthy wrote:
> On 09/15/2011 10:57 PM, Adam Young wrote:
>> Some of you may be interested:
>>
>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>
>> Here's the short of it: once you have an NSS database set up, you can do something like:
>>
>> curl --cacert ./CA.crt  \
>>       --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID"  \
>>       https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>>       --pass freeipa4all
>
> After setting the env variable SSL_DIR, I notice a
> 'peer certificate cannot be authenticated with known CA certificates'
>
> What I'm unclear is: we're explicitly using --cacert, but still, the below error indicates
> that it's referring to it's internal CA certs "bundle" ?

Al  I can think is that it is an RHEL 5 Curl issue.  Use the curl -vv 
option to get more debugging information.

>
> ############################################################################
> kashyap at temp$ env | grep SSL_DIR
> SSL_DIR=/var/tmp/temp/
> kashyap at temp$
> ############################################################################
> kashyap at temp$ curl --cacert CA.crt --pass redhat  --cert "CA Administrator of Instance
> pki-ca1-sep6's domaindrmtool1 ID"
> "https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
>   of Certificate Authority (CA) public keys (CA certs). If the default
>   bundle file isn't adequate, you can specify an alternate file
>   using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>   the bundle, the certificate verification probably failed due to a
>   problem with the certificate (it might be expired, or the name might
>   not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>   the -k (or --insecure) option.
> kashyap at temp$
> ######################################################################
> kashyap at temp$ certutil -L -d .
>
> Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
> Certificate Authority - domaindrmtool1                       ,,
> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
> kashyap at temp$
> ######################################################################
>
> Though, if I pass the '--insecure' option as curl says above, I can get the desired
> output, but that beats the point..
>
>
>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>

More information about the Pki-devel mailing list