[Pki-devel] [resolved] Talking to PKI-CA via Curl

Adam Young ayoung at redhat.com
Fri Sep 16 14:05:58 UTC 2011


On 09/16/2011 06:00 AM, Kashyap Chamarthy wrote:
> On 09/16/2011 02:46 PM, Kashyap Chamarthy wrote:
>> On 09/16/2011 09:04 AM, Kashyap Chamarthy wrote:
>>> On 09/15/2011 10:57 PM, Adam Young wrote:
>>>> Some of you may be interested:
>>>>
>>>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>>>
>>>> Here's the short of it: once you have an NSS database set up, you can do something like:
>>>>
>>>> curl --cacert ./CA.crt  \
>>>>       --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID"  \
>>>>       https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>>>>       --pass freeipa4all
>>>
>>> After setting the env variable SSL_DIR, I notice a
>>> 'peer certificate cannot be authenticated with known CA certificates'
>>>
>>> What I'm unclear about is: we're explicitly using --cacert, but still, the below error indicates
>>> that it's referring to its internal CA certs "bundle"?
>>>
>>>
>>> ############################################################################
>>> kashyap at temp$ env | grep SSL_DIR
>>> SSL_DIR=/var/tmp/temp/
>>> kashyap at temp$
>>> ############################################################################
>>> kashyap at temp$ curl --cacert CA.crt --pass redhat  --cert "CA Administrator of Instance
>>> pki-ca1-sep6's domaindrmtool1 ID"
>>> "https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
>>> curl: (60) Peer certificate cannot be authenticated with known CA certificates
>>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>>
>>> curl performs SSL certificate verification by default, using a "bundle"
>>>   of Certificate Authority (CA) public keys (CA certs). If the default
>>>   bundle file isn't adequate, you can specify an alternate file
>>>   using the --cacert option.
>>> If this HTTPS server uses a certificate signed by a CA represented in
>>>   the bundle, the certificate verification probably failed due to a
>>>   problem with the certificate (it might be expired, or the name might
>>>   not match the domain name in the URL).
>>> If you'd like to turn off curl's verification of the certificate, use
>>>   the -k (or --insecure) option.
>>> kashyap at temp$
>>> ######################################################################
>>> kashyap at temp$ certutil -L -d .
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                               SSL,S/MIME,JAR/XPI
>>>
>>> Certificate Authority - domaindrmtool1                       ,,
>>> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
>>> kashyap at temp$
>>> ######################################################################
> CA cert is the culprit. It doesn't have the right trust attributes.
>
> This does the trick
> #############
> $ certutil -M -d . -n "Certificate Authority - domaindrmtool1" -t "CT,,"
> #############

That explains why I had to use the CA cert outside the DB.

>>> Though, if I pass the '--insecure' option as curl says above, I can get the desired
>>> output, but that beats the point.
>> Verbose info says 'untrusted issuer'. Trying to dig more...
>> ####################################################################################
>> kashyap at temp$ curl --verbose  --cacert CA.crt --pass redhat  --cert "CA Administrator of
>> Instance pki-ca1-sep6's domaindrmtool1 ID"
>> "https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
>>
>> * About to connect() to cspki.lab.eng.pnq.redhat.com port 9443 (#0)
>> *   Trying 10.65.201.38... connected
>> * Connected to cspki.lab.eng.pnq.redhat.com (10.65.201.38) port 9443 (#0)
>> * Initializing NSS with certpath: /var/tmp/temp/
>> *   CAfile: CA.crt
>>    CApath: none
>> * Certificate is signed by an untrusted issuer: 'CN=Certificate
>> Authority,OU=pki-ca1-sep6,O=domaindrmtool1'
>> * NSS error -8172
>> * Closing connection #0
>> * Peer certificate cannot be authenticated with known CA certificates
>> curl: (60) Peer certificate cannot be authenticated with known CA certificates
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>>   of Certificate Authority (CA) public keys (CA certs). If the default
>>   bundle file isn't adequate, you can specify an alternate file
>>   using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>>   the bundle, the certificate verification probably failed due to a
>>   problem with the certificate (it might be expired, or the name might
>>   not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>>   the -k (or --insecure) option.
>> kashyap at temp$
>> ####################################################################################
>>>> _______________________________________________
>>>> Pki-devel mailing list
>>>> Pki-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-devel
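An added example, not part of the thread and not Dogtag or curl code: a small POSIX shell check that reads `certutil -L` output and reports CA certificates that are in the NSS database but carry no "C" flag in the SSL trust column, which is exactly the state (",," on the CA entry) that produced NSS error -8172 above. The function names, the constructed sample listing (modelled on the one in the thread, with one extra "Trusted Root Example" entry to show a correctly trusted CA) and the `|`-separated output format are all assumptions of this example; entries with "u" in the SSL column are treated as the user's own cert-and-key and skipped. The check only prints the `certutil -M ... -t "CT,,"` command it would take to fix each entry; it does not modify the database.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d <dir>` output (not captured from a real
# database). Column layout follows the listing in the thread.
sample_certutil_output() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

Certificate Authority - domaindrmtool1                       ,,
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
Trusted Root Example                                         CT,C,C
EOF
}

# Reads certutil -L output on stdin. Prints "nickname|trust" for every entry
# that is neither a user certificate ('u' in the SSL column) nor trusted to
# sign SSL server certificates ('C' in the SSL column). Exit status is 1 when
# at least one such entry was found, 0 otherwise.
untrusted_ssl_cas() {
    awk '
        # skip the two header lines and blank lines
        /^Certificate Nickname/ || /^[ \t]+SSL,/ || NF == 0 { next }
        {
            trust = $NF                               # last field: SSL,S/MIME,JAR/XPI flags
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)     # nickname = line minus trust field
            split(trust, f, ",")
            ssl = f[1]
            if (ssl ~ /u/) next                       # our own cert+key, not a CA
            if (ssl !~ /C/) { print nick "|" trust; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Turns each reported "nickname|trust" line into the certutil command from the
# thread that would mark that nickname as a trusted SSL CA (C = may issue
# server certs, T = may issue client certs). Nothing is executed here.
suggest_fix() {
    dbdir=${1:-.}
    while IFS='|' read -r nick trust; do
        printf 'certutil -M -d %s -n "%s" -t "CT,,"\n' "$dbdir" "$nick"
    done
}

# Stand-alone run against the constructed sample: reports the ",," CA entry
# and prints the command that would repair it.
sample_certutil_output | untrusted_ssl_cas | suggest_fix .
```

Against a real database, replace the sample with `certutil -L -d /var/tmp/temp | untrusted_ssl_cas | suggest_fix /var/tmp/temp` and review the printed commands before running any of them; the `--cacert` workaround in the thread is no longer needed once the CA entry in the database itself carries the "C" flag.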