cURL with a PKCS#12 certificate in a bash script

I have to connect to a web service where a PKCS12 certificate is a must. The idea was to use curl in a bash script (under OS X, to be specific).

I have learnt that one of the few things curl cannot do in communication is handle PKCS12 certificates (.p12). What are my options?

I have read that converting the certificate to PEM format would work (using openssl); however, I have no idea how to tell curl that it gets a PEM and should communicate with a web service requesting PKCS12 certificates.

Converting PKCS12 to PEM would be done like this (e.g.); it worked for me, however I haven't successfully used them with curl:

openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys

Any hints? Or any alternatives to curl? The solution should be command-line based.

Yea answered 27/8, 2015 at 15:43 Comment(0)

I think you have already resolved this, but I had the same problem. I am answering to share my solution.

If you have a .p12 file, your approach is right. First of all, you have to get the cert and the key separated from the p12 file. As an example, if you have a mycert.p12 file, execute

openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys

Then you have to make the call to your URL. For instance, assume that you want to get the WSDL of a specific web service:

curl -E ./file.crt.pem --key ./file.key.pem https://myservice.com/service?wsdl

If the files file.crt.pem and file.key.pem are in your working folder, "./" is mandatory.

Astrionics answered 25/11, 2015 at 10:45 Comment(3)
For me this worked: curl -k --cert ./file.crt.pem --cert-type PEM --key ./file.key.pem --key-type PEM --pass <ImportPassword> "<HTTPS_URL>" Airborne
Just letting people know here that if you use curl -k, as Kartins used in the comment above, you are disabling HTTPS checks. Enjambment
Also, using -nodes disables encryption, which means you are taking your private key out of a password-protected encrypted file and storing it as an unprotected, unencrypted file; some versions of curl support encrypted PEM files, so -nodes may not even be necessary. Reames

Check if you have a newer curl. Newer versions can handle PKCS12 outright.

Tangentially, quote the password, or individually escape all shell metacharacters.

curl --cert-type P12 --cert cert.p12:'password' https://yoursite.com
Nicosia answered 28/4, 2019 at 13:49 Comment(8)
You may have to add "--insecure": curl --insecure --cert-type P12 --cert cert.p12:password yoursite.com Robbery
@Robbery it kinda defeats the purpose of secure connectivity Nicosia
You are correct; however, in my case it was required. Working for company X, they have a cert and use it internally; it's not registered with a CA. Without this flag I can't use curl or Postman. Robbery
@Robbery Using --insecure is not required. When using a private CA, use the private CA's private CA certificate, not --insecure. Zilpah
@mancocapac, thanks, with --insecure it worked for me Nodab
People are confusing your identity, i.e. saying who you are to the server (using a client certificate via the cert argument), and trusting that the server is who it says it is. The insecure argument is about trust, and the correct solution here is to use the cacert argument pointing at the root (and possibly intermediate) CA certificates for the server. Simply adding insecure or k is completely defeating the whole point of TLS, as you are just bypassing it. Quiroz
@Nicosia - do you know what version this was added in, by chance? Boccie
See for example this commit in the curl repo: github.com/curl/curl/commit/… Facture
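A bash script, added here as an example and not taken from any of the answers, that combines the two routes on this page: the split-to-PEM route from the first answer and the direct --cert-type P12 route from this answer, with --cacert in place of -k/--insecure as the comments above recommend. The file names, the URL, the CA bundle path, and the P12_PASS and CURL_HAS_P12 variables are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from any of the posts above. Assumed placeholders:
# client.p12, ca-bundle.pem, https://myservice.com/service?wsdl, and the
# P12_PASS environment variable holding the PKCS#12 import password.
set -eu

# curl reads --cert <file>[:password] and splits at the first unescaped ':',
# so a file name containing ':' or '\' must be escaped ('\:' and '\\')
# before the password is appended.
curl_cert_arg() {
  local file=$1 password=${2-} escaped
  escaped=$(printf '%s' "$file" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g')
  if [ -n "$password" ]; then
    printf '%s:%s' "$escaped" "$password"
  else
    printf '%s' "$escaped"
  fi
}

# Split a .p12 into PEM cert and key for curl builds without P12 support.
# Unlike -nodes, -passout keeps the private key encrypted on disk; env:
# keeps the passphrase out of `ps` output; umask 077 keeps the files private.
split_p12() {
  local p12=$1 outdir=$2
  (umask 077 && mkdir -p "$outdir")
  openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts \
      -passout env:P12_PASS -out "$outdir/client.key.pem"
  openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
      -out "$outdir/client.crt.pem"
}

# Call the service. --cacert replaces -k: the server certificate is still
# verified, just against the private CA that issued it. Set CURL_HAS_P12=0
# for an older curl that reports "could not open PKCS12 file".
fetch_wsdl() {
  local url=$1 p12=$2 cabundle=$3 tmp
  if [ "${CURL_HAS_P12:-1}" = 1 ]; then
    curl --cacert "$cabundle" --cert-type P12 \
         --cert "$(curl_cert_arg "$p12" "$P12_PASS")" "$url"
  else
    tmp=$(mktemp -d); trap "rm -rf '$tmp'" EXIT
    split_p12 "$p12" "$tmp"
    curl --cacert "$cabundle" --cert "$tmp/client.crt.pem" \
         --key "$tmp/client.key.pem" --pass "$P12_PASS" "$url"
  fi
}

# Usage (assumed paths):
# P12_PASS=... ./script.sh; then
# fetch_wsdl 'https://myservice.com/service?wsdl' ./client.p12 ./ca-bundle.pem
```

Both routes still pass the password on the command line, as the answers do, so on a shared host prefer an interactive prompt (omit the password and curl asks for it) over a value visible in the process list.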

bioffes' answer is correct.

He was suggesting to do:

curl --cert-type P12 --cert cert.p12:password https://yoursite.com

For some reason that didn't work for me. I was getting:

curl could not open PKCS12 file

I just ended up exporting the p12 file without a password and then used the following format:

curl --cert-type P12 --cert cert.p12 https://yoursite.com

You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and search for the option by typing /cert-type and pressing Enter. Here's what the manual says for me:

--cert-type <type>

(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.

If this option is used several times, the last one will be used.

Lankton answered 12/12, 2020 at 22:6 Comment(1)
The first command with password works as long as the password is correct; otherwise you get the error. Selig

Here is an excerpt from the curl manpage:

--cert-type

(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.

If this option is used several times, the last one will be used.

See also -E, --cert and --key and --key-type.

-E, --cert <certificate[:password]>

(TLS) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure Transport, or PEM format if using any other engine. If the optional password isn't specified, it will be queried for on the terminal. Note that this option assumes a "certificate" file that is the private key and the client certificate concatenated! See -E, --cert and --key to specify them independently.

If curl is built against the NSS SSL library then this option can tell curl the nickname of the certificate to use within the NSS database defined by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded. If you want to use a file from the current directory, please precede it with "./" prefix, in order to avoid confusion with a nickname. If the nickname contains ":", it needs to be preceded by "\" so that it is not recognized as password delimiter. If the nickname contains "\", it needs to be escaped as "\\" so that it is not recognized as an escape character.

Theomancy answered 7/8, 2023 at 4:35 Comment(0)