25

I need to specify a certificate with cURL. I tried the --cert option, but it is not working.

Could you please let me know how to specify the keystore and passphrase while invoking curl?

Adam

3 Answers

41

Should be:

curl --cert certificate_file.pem:password https://www.example.com/some_protected_page
Welsh
  • 6
    Can I specify a JKS file with this option? – Adam Sep 25 '13 at 20:49
  • 3
    You can't use cURL with a **Java** KeyStore. Here is a good SO Answer that details converting it: http://stackoverflow.com/q/652916/971423 – Welsh Sep 25 '13 at 20:54
9

I went through this when trying to get a client cert and private key out of a keystore.

The link above posted by Welsh was great, but there was an extra step on my Red Hat distribution. If curl is built with NSS (run curl --version to see if you see NSS listed), then you need to import the keys into an NSS keystore. I went through a bunch of convoluted steps, so this may not be the cleanest way, but it got things working.

So export the keys into .p12

keytool -importkeystore -srckeystore $jksfile -destkeystore $p12file \
        -srcstoretype JKS -deststoretype PKCS12 \
        -srcstorepass $jkspassword -deststorepass $p12password \
        -srcalias $myalias -destalias $myalias \
        -srckeypass $keypass -destkeypass $keypass -noprompt

And generate the pem file that holds only the key

 echo making ${fileroot}.key.pem
 openssl pkcs12 -in $p12file -out ${fileroot}.key.pem \
         -passin pass:$p12password \
         -passout pass:$p12password -nocerts
  • Make an empty keystore:
mkdir ~/nss
chmod 700 ~/nss
certutil -N -d ~/nss
  • Import the keys into the keystore
pks12util -i <mykeys>.p12 -d ~/nss -W <password for cert >

Now curl should work.

curl --insecure --cert <client cert alias>:<password for cert> \
     --key ${fileroot}.key.pem  <URL>

As I mentioned, there may be other ways to do this, but at least this was repeatable for me. If curl is compiled with NSS support, I was not able to get it to pull the client cert from a file.

  • The pks12util command doesn't exist and should be pk12util. I also had to set the nss location through: `export SSL_DIR=~/nss` – Marcel Aug 14 '20 at 04:04
5

In addition to the previous answer, make sure that your curl installation supports https.
You can use curl --version to get information about supported protocols.

If your curl supports https, follow the previous answer.

curl --cert certificate_path:password https://www.example.com

If it does not support https, you need to install a cURL version that supports https.

vionixt
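The answers above depend on two facts read from `curl --version`: whether the build lists NSS as its TLS library and whether https appears among its protocols. The following is an added example, not code from any of the posters, that makes both checks in one place; the function names and the three sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a curl build from the text of `curl --version`.
# The three sample outputs below are constructed, not captured from real hosts.

SAMPLE_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7
Protocols: dict file ftp ftps http https imap imaps
Features: AsynchDNS IPv6 Largefile NTLM SSL libz'

SAMPLE_OPENSSL='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11
Protocols: dict file ftp ftps http https imap imaps
Features: AsynchDNS IPv6 Largefile NTLM SSL libz'

SAMPLE_NO_TLS='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 zlib/1.2.11
Protocols: dict file ftp http imap
Features: AsynchDNS IPv6 Largefile libz'

# Print the TLS library named on the first line: "nss", "openssl" or "other".
curl_tls_backend() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        *" NSS/"*)     echo nss ;;
        *" OpenSSL/"*) echo openssl ;;
        *)             echo other ;;
    esac
}

# Succeed only if "https" appears as a whole word on the Protocols line
# (so a build listing only "http" does not match).
curl_supports_https() {
    printf '%s\n' "$1" | grep '^Protocols:' | grep -qw 'https'
}

# Report how the client certificate has to be supplied for this build,
# following what the answers above describe.
client_cert_mode() {
    if ! curl_supports_https "$1"; then
        echo no-https            # third answer: install a curl with https
        return
    fi
    case "$(curl_tls_backend "$1")" in
        nss) echo nss-nickname ;;  # second answer: import into an NSS db, pass the alias
        *)   echo pem-file ;;      # first answer: --cert file.pem:password
    esac
}

# On a real host: client_cert_mode "$(curl --version)"
```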