[Pki-devel] [resolved] Talking to PKI-CA via Curl

Kashyap Chamarthy kchamart at redhat.com
Fri Sep 16 10:00:24 UTC 2011


On 09/16/2011 02:46 PM, Kashyap Chamarthy wrote:
> On 09/16/2011 09:04 AM, Kashyap Chamarthy wrote:
>> On 09/15/2011 10:57 PM, Adam Young wrote:
>>> Some of you may be interested:
>>>
>>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>>
>>> Here's the short of it: once you have an NSS database set up, you can do something like:
>>>
>>> curl --cacert ./CA.crt  \
>>>      --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID"  \
>>>      https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>>>      --pass freeipa4all
>>
>>
>> After setting the env variable SSL_DIR, I notice a
>> 'peer certificate cannot be authenticated with known CA certificates'
>>
>> What I'm unclear is: we're explicitly using --cacert, but still, the below error indicates
>> that it's referring to it's internal CA certs "bundle" ?
>>
>>
>> ############################################################################
>> kashyap at temp$ env | grep SSL_DIR
>> SSL_DIR=/var/tmp/temp/
>> kashyap at temp$
>> ############################################################################
>> kashyap at temp$ curl --cacert CA.crt --pass redhat  --cert "CA Administrator of Instance
>> pki-ca1-sep6's domaindrmtool1 ID"
>> "https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
>> curl: (60) Peer certificate cannot be authenticated with known CA certificates
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>>  of Certificate Authority (CA) public keys (CA certs). If the default
>>  bundle file isn't adequate, you can specify an alternate file
>>  using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>>  the bundle, the certificate verification probably failed due to a
>>  problem with the certificate (it might be expired, or the name might
>>  not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>>  the -k (or --insecure) option.
>> kashyap at temp$
>> ######################################################################
>> kashyap at temp$ certutil -L -d .
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Certificate Authority - domaindrmtool1                       ,,
>> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
>> kashyap at temp$
>> ######################################################################

CA cert is the culprit. It doesn't have right trust attributes.

This does the trick
#############
$ certutil -M -d . -n "Certificate Authority - domaindrmtool1" -t "CT,,"
#############
>>
>> Though, if I pass the '--insecure' option as curl says above, I can get the desired
>> output, but that beats the point.
> 
> Verbose info says 'untrusted issuer' . Trying to dig more..
> ####################################################################################
> kashyap at temp$ curl --verbose  --cacert CA.crt --pass redhat  --cert "CA Administrator of
> Instance pki-ca1-sep6's domaindrmtool1 ID"
> "https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
> 
> * About to connect() to cspki.lab.eng.pnq.redhat.com port 9443 (#0)
> *   Trying 10.65.201.38... connected
> * Connected to cspki.lab.eng.pnq.redhat.com (10.65.201.38) port 9443 (#0)
> * Initializing NSS with certpath: /var/tmp/temp/
> *   CAfile: CA.crt
>   CApath: none
> * Certificate is signed by an untrusted issuer: 'CN=Certificate
> Authority,OU=pki-ca1-sep6,O=domaindrmtool1'
> * NSS error -8172
> * Closing connection #0
> * Peer certificate cannot be authenticated with known CA certificates
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
> 
> curl performs SSL certificate verification by default, using a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). If the default
>  bundle file isn't adequate, you can specify an alternate file
>  using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>  the bundle, the certificate verification probably failed due to a
>  problem with the certificate (it might be expired, or the name might
>  not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>  the -k (or --insecure) option.
> kashyap at temp$
> ####################################################################################
> 
>>
>>
>>
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>>
>>
>>
> 
> 


-- 
/kashyap




More information about the Pki-devel mailing list