Curl does not take into consideration the given certificate (using --cert option)

I am trying to call a URL using curl; I used the command below:

curl https://testenvironment/login --cert Qa1Certificate.pem

The result I get is:

curl: (60) Peer certificate cannot be authenticated with known CA certificates
 More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The Qa1Certificate.pem is placed in the current directory, and I believe that it is not taken into consideration because when I run the same command with a file name which does not exist:

curl https://testenvironment/login --cert ThisFileDoesNotExist.pem

I get the same result.

I am aware that I can obtain what I need using the -k or --insecure options (or other ways of disabling curl's verification of the certificate), but I want to find out how I can use the certificate in order to perform a successful GET to my test environment.

The test environment uses a self-signed certificate which I obtained using OpenSSL.

1 answer

  • answered 2018-01-10 10:30 dave_thompson_085

    TL;DR: it's --cacert

    From the man page, which should be on your system or on the web:

    -E, --cert <certificate[:password]>

    (TLS) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. [snip rest]

    Note the words 'client certificate'. --cert is used to specify a certificate and possibly key to authenticate the client, NOT to verify the server. Now consider another entry on the man page:

    --cacert

    (TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file.

    This is the option to specify a cert or certs to verify (and specifically to anchor) the server's cert. Since your server cert is self-signed, the cert is its own anchor/root and effectively is a CA cert, even though the server isn't actually a CA.

    That's why the error message you posted includes the words "you can specify an alternate file using the --cacert option". It does not say --cert.

    Whether the client cert (and key) is read depends on the middleware used by the specific build of curl you are running. IME if built with OpenSSL it does give an error if you specify --cert with a nonexistent filename, but a version built with NSS (on Ubuntu 14.04LTS) gives an error only if the server requests client auth, which most servers don't.
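As an added example (not part of the question or the answer above), the following script builds a throwaway self-signed certificate for the hypothetical host name testenvironment and shows that it verifies with itself as the trust anchor, which is exactly the role --cacert gives a file; an optional function then runs curl against a local openssl s_server with --cacert versus --cert. It assumes openssl 1.1.1 or later and curl are installed, and port 4433 is free for the demo.

```shell
#!/bin/sh
# Added example, not from the question or answer: a self-signed server cert
# is its own trust anchor, so it belongs in --cacert (verify the peer), not
# --cert (present a client identity). Host name "testenvironment" is assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed certificate. The SAN matters: curl
# matches the URL host against it, not just the CN.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=testenvironment" \
    -addext "subjectAltName=DNS:testenvironment" \
    -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null
}

# Returns 0 when server.pem chains to the anchor file given as $1.
verifies_against() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Optional live check against a local TLS server (needs port 4433 free).
curl_demo() {
  openssl s_server -www -accept 4433 \
    -cert "$WORK/server.pem" -key "$WORK/server.key" >/dev/null 2>&1 &
  srv=$!
  sleep 1
  # --cacert supplies the anchor; --resolve maps the SAN name to localhost so
  # host-name checking is exercised without DNS or --insecure.
  curl -sS --cacert "$WORK/server.pem" \
    --resolve testenvironment:4433:127.0.0.1 \
    https://testenvironment:4433/ >/dev/null \
    && echo "anchored with --cacert: verification OK"
  # The same file passed as --cert is a client identity, not an anchor.
  curl -s --cert "$WORK/server.pem" \
    --resolve testenvironment:4433:127.0.0.1 \
    https://testenvironment:4433/ >/dev/null 2>&1 \
    || echo "passed as --cert only: request fails (curl exit $?)"
  kill "$srv" 2>/dev/null || true
}

make_selfsigned
if verifies_against "$WORK/server.pem"; then
  echo "self-signed cert verifies with itself as -CAfile (what --cacert does)"
fi
if [ "${RUN_DEMO:-0}" = 1 ]; then curl_demo; fi
```

Run it with RUN_DEMO=1 to also exercise the two curl invocations against the local server.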