
cURL Certificate Question

I am using the cURL line command with the insecure option and would like to remove this option. What do I have to do to install a certificate and is there any way to use CA’s Top Secret for this authentication?

Thanks

Hi,

I will write a “small” instruction.

  1. You have to know about two cURL keywords:
     --cacert
     Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file.
     curl recognizes the environment variable named ‘CURL_CA_BUNDLE’ if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.
     The Windows version of curl will automatically look for a CA certs file named ‘curl-ca-bundle.crt’, either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.
     If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.
     If this option is used several times, the last one will be used.

     --capath
     Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with “:” (e.g. “path1:path2:path3”). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.
     If this option is set, the default capath value will be ignored, and if it is used several times, the last one will be used.

  2. You have to copy useful certificates to any directory you like and then use the --cacert (--capath) keywords in cURL commands.

  3. Examples:
     a) CURL_CA_BUNDLE isn’t set.

        curl -v https://godaddy.com
        curl: (60) SSL certificate problem: unable to get local issuer certificate

        Failed.

     b) CURL_CA_BUNDLE isn’t set.

        curl -kv https://godaddy.com

     c) CURL_CA_BUNDLE isn’t set.
        Nearly all Unix systems have certificates in /etc/ssl/certs. I copied “ca-certificates.crt” from /etc/ssl/certs to my home directory.

        curl -v https://godaddy.com --cacert /u/csprok/tmp/ca-certificates.crt

     d) CURL_CA_BUNDLE set.

        export CURL_CA_BUNDLE=/u/csprok/tmp/ca-certificates.crt
        curl -v https://godaddy.com

  4. Links - useful information:
     https://curl.haxx.se/docs/manpage.html#--cacert
     https://curl.haxx.se/docs/sslcerts.html

Thanks,
Andrey

This is a great description of the process. One thing I don’t understand now is if RACF, TopSecret and ACF2 certificates are in PEM format? Also - since they are normally in datasets, what’s the right way to get them into these directories so they can be read by curl?

Hello Mike,

I’m not sure whether you can access RACF certificates directly and if yes, what their format would be.

You can probably export them with the RACDCERT EXPORT command as described here:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/le-export.htm

It supports multiple output formats. PEM is called ‘base64’ in the RACF doc - PEM is actually a base64-encoded binary certificate, with a header and a footer line appended to it. I haven’t tried it myself but I guess CERTB64 (the default) should be fine for curl.

Regards,
Vladimir
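Putting together Andrey’s --cacert bundle and Vladimir’s description of PEM (base64 DER between a header and a footer line): an added example, not code from anyone in this thread, that normalises base64 exports such as RACDCERT’s CERTB64 output into a bundle curl can read with --cacert or CURL_CA_BUNDLE. The sample export is a constructed five-byte DER SEQUENCE standing in for a real certificate; how the export text is wrapped when it leaves the dataset is assumed, which is why the code strips all whitespace first.

```python
"""Turn base64 certificate exports (e.g. RACDCERT EXPORT FORMAT(CERTB64))
into the PEM bundle that curl's --cacert expects. Added example; the sample
export below is a constructed DER SEQUENCE, not a real certificate."""
import base64
import binascii
import re
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# One PEM block: header, base64 body (any line wrapping), footer.
_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def to_pem(export: str) -> str:
    """Normalise one exported certificate into a single PEM block.

    Accepts either bare base64 (a CERTB64 payload) or a block that already
    carries the PEM header/footer, with any line wrapping. Rejects input
    that is not base64 or does not decode to a DER SEQUENCE (tag 0x30),
    which every X.509 certificate starts with.
    """
    match = _BLOCK_RE.search(export)
    body = match.group(1) if match else export
    body = re.sub(r"\s+", "", body)          # drop dataset line breaks/blanks
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (not an X.509 cert)")
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)  # 64 cols per RFC 7468
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def build_bundle(exports) -> str:
    """Concatenate several exports into one file for --cacert / CURL_CA_BUNDLE."""
    return "".join(to_pem(e) for e in exports)


def count_certs(bundle: str) -> int:
    """Number of PEM certificate blocks in a bundle (sanity check before use)."""
    return len(_BLOCK_RE.findall(bundle))


# Constructed sample: base64 of the 5-byte DER SEQUENCE 30 03 02 01 01.
SAMPLE_EXPORT = "MAMC\nAQE=\n"

if __name__ == "__main__":
    bundle = build_bundle([SAMPLE_EXPORT, SAMPLE_EXPORT])
    print(bundle, end="")
    print("certificates in bundle:", count_certs(bundle))  # 2
```

Write the returned bundle to a file and pass it with --cacert; curl (60) then disappears only if the bundle actually contains the issuer chain of the server you connect to.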