[Pki-devel] Talking to PKI-CA via Curl

Kashyap Chamarthy kchamart at redhat.com
Fri Sep 16 09:16:08 UTC 2011 

On 09/16/2011 09:04 AM, Kashyap Chamarthy wrote:
> On 09/15/2011 10:57 PM, Adam Young wrote:
>> Some of you may be interested:
>>
>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>
>> Here's the short of it: once you have an NSS database set up, you can do something like:
>>
>> curl --cacert ./CA.crt  \
>>      --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID"  \
>>      https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>>      --pass freeipa4all
> 
> 
> After setting the env variable SSL_DIR, I notice a
> 'peer certificate cannot be authenticated with known CA certificates'
> 
> What I'm unclear is: we're explicitly using --cacert, but still, the below error indicates
> that it's referring to it's internal CA certs "bundle" ?
> 
> 
> ############################################################################
> kashyap at temp$ env | grep SSL_DIR
> SSL_DIR=/var/tmp/temp/
> kashyap at temp$
> ############################################################################
> kashyap at temp$ curl --cacert CA.crt --pass redhat  --cert "CA Administrator of Instance
> pki-ca1-sep6's domaindrmtool1 ID"
> "https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
> 
> curl performs SSL certificate verification by default, using a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). If the default
>  bundle file isn't adequate, you can specify an alternate file
>  using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>  the bundle, the certificate verification probably failed due to a
>  problem with the certificate (it might be expired, or the name might
>  not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>  the -k (or --insecure) option.
> kashyap at temp$
> ######################################################################
> kashyap at temp$ certutil -L -d .
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> Certificate Authority - domaindrmtool1                       ,,
> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
> kashyap at temp$
> ######################################################################
> 
> Though, if I pass the '--insecure' option as curl says above, I can get the desired
> output, but that beats the point.

Verbose info says 'untrusted issuer' . Trying to dig more..
####################################################################################
kashyap at temp$ curl --verbose  --cacert CA.crt --pass redhat  --cert "CA Administrator of
Instance pki-ca1-sep6's domaindrmtool1 ID"
"https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"

* About to connect() to cspki.lab.eng.pnq.redhat.com port 9443 (#0)
*   Trying 10.65.201.38... connected
* Connected to cspki.lab.eng.pnq.redhat.com (10.65.201.38) port 9443 (#0)
* Initializing NSS with certpath: /var/tmp/temp/
*   CAfile: CA.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=Certificate
Authority,OU=pki-ca1-sep6,O=domaindrmtool1'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
kashyap at temp$
####################################################################################

> 
> 
> 
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
> 
> 


-- 
/kashyap

More information about the Pki-devel mailing list