[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pki-devel] Talking to PKI-CA via Curl



On 09/15/2011 11:34 PM, Kashyap Chamarthy wrote:
On 09/15/2011 10:57 PM, Adam Young wrote:
Some of you may be interested:

http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/

Here's the short of it: once you have an NSS database set up, you can do something like:

curl --cacert ./CA.crt  \
      --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID"  \
      https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
      --pass freeipa4all

After setting the env variable SSL_DIR, I notice a
'peer certificate cannot be authenticated with known CA certificates'

What I'm unclear is: we're explicitly using --cacert, but still, the below error indicates
that it's referring to it's internal CA certs "bundle" ?

Al I can think is that it is an RHEL 5 Curl issue. Use the curl -vv option to get more debugging information.


############################################################################
kashyap temp$ env | grep SSL_DIR
SSL_DIR=/var/tmp/temp/
kashyap temp$
############################################################################
kashyap temp$ curl --cacert CA.crt --pass redhat  --cert "CA Administrator of Instance
pki-ca1-sep6's domaindrmtool1 ID"
"https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3";
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
  of Certificate Authority (CA) public keys (CA certs). If the default
  bundle file isn't adequate, you can specify an alternate file
  using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
  the bundle, the certificate verification probably failed due to a
  problem with the certificate (it might be expired, or the name might
  not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
  the -k (or --insecure) option.
kashyap temp$
######################################################################
kashyap temp$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

Certificate Authority - domaindrmtool1                       ,,
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
kashyap temp$
######################################################################

Though, if I pass the '--insecure' option as curl says above, I can get the desired
output, but that beats the point..




_______________________________________________
Pki-devel mailing list
Pki-devel redhat com
https://www.redhat.com/mailman/listinfo/pki-devel




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]