Wednesday, September 7, 2011

Using the NSS tools (nss-tools) to manage SSL stores for curl

While working on today's research project I also needed to test with curl. Sadly, in my environment curl was built with NSS support, which caused me some grief. I had never used NSS-enabled apps before and didn't know how to deal with their certificate and private key database.

I do now. I installed the NSS command line tools via yum ("yum install nss-tools").

This is how I created the certificate database and imported the CA's certificate, marking it as trusted for web sites in the process. The trust flags given with -t matter: C marks the entry as a CA trusted to sign server certificates and T as a CA trusted to sign client certificates; the certutil -L listing below shows them as CT,, in the SSL column. A CA imported with empty flags (-t ",,") sits in the database but does not make curl accept servers it has signed. Note also the SSL_DIR variable: an NSS-built curl reads the database location from it instead of taking a CA file path.

[ec2-user@ssltest ~]$ mkdir ~/ssl_dir
[ec2-user@ssltest ~]$ export SSL_DIR=~/ssl_dir
[ec2-user@ssltest ~]$ certutil -N -d ~/ssl_dir
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[ec2-user@ssltest ~]$ certutil -A -n ca -i ~/ca/ca.crt -t TC -d ~/ssl_dir
[ec2-user@ssltest ~]$ certutil -L -d ~/ssl_dir

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca                                                           CT,,
[ec2-user@ssltest ~]$ curl https://ssltest.oracleateam.com/
Index page.

Then I imported the client certificate, turned cert verification back on and tested again:

[ec2-user@ssltest ~]$ pk12util -i ~/ca/tester.p12 -d ~/ssl_dir
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[ec2-user@ssltest ~]$
[ec2-user@ssltest ~]$ certutil -L -d ~/ssl_dir

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca                                                           CT,,
tester                                                       u,u,u
[ec2-user@ssltest ~]$ curl -E tester:ABcd1234 https://ssltest.oracleateam.com/
Index page.
Notice how I used the p12 file? Yeah, good thing I updated my CA script to generate that file too!
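The whole procedure as one script, added here as an example and not part of the original post: it drives certutil and pk12util non-interactively with password files, then checks the trust flags reported by certutil -L before calling curl, so a CA imported without SSL trust or a client entry that arrived without its private key is caught before the TLS handshake fails. The database path, nicknames, file names, password files and hostname are assumptions; the listing the check functions are exercised against is a constructed sample modelled on the certutil -L output above.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an NSS database for an
# NSS-linked curl, imports a CA with SSL trust, imports a PKCS#12 client
# identity, and verifies the trust flags before using them.
# NSSDB, CA_CERT, CLIENT_P12, HOST, the nicknames and the password files are
# assumptions; adjust them for your environment.

NSSDB="${NSSDB:-$HOME/ssl_dir}"
CA_CERT="${CA_CERT:-$HOME/ca/ca.crt}"
CLIENT_P12="${CLIENT_P12:-$HOME/ca/tester.p12}"
DB_PWFILE="${DB_PWFILE:-$HOME/ca/nssdb.pw}"    # password of the NSS key DB
P12_PWFILE="${P12_PWFILE:-$HOME/ca/tester.pw}" # password of the .p12 file
CA_NICK="ca"
CLIENT_NICK="tester"
HOST="ssltest.oracleateam.com"

# Print the SSL trust flags (first comma-separated field) of nickname $1,
# reading the output of `certutil -L -d <db>` on stdin. Prints nothing if
# the nickname is absent. Header lines are skipped because their last
# word is not a trust triple such as CT,, or u,u,u.
nss_trust_field() {
    awk -v nick="$1" '
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            if (name == nick) { split($NF, f, ","); print f[1]; exit }
        }'
}

# True if $1 is a CA trusted to sign server certs (C in the SSL column).
# Without it the CA is in the database but curl still rejects the server.
nss_ca_trusted_for_ssl() {
    case "$(nss_trust_field "$1")" in *C*) return 0 ;; *) return 1 ;; esac
}

# True if $1 has a private key in the key DB (u = user cert), which is what
# `curl -E <nickname>` needs for client authentication.
nss_has_private_key() {
    case "$(nss_trust_field "$1")" in *u*) return 0 ;; *) return 1 ;; esac
}

# Create the DB and import the CA and client identity without prompts.
nss_setup() {
    mkdir -p "$NSSDB"
    certutil -N -d "$NSSDB" -f "$DB_PWFILE"
    certutil -A -n "$CA_NICK" -t "TC,," -i "$CA_CERT" -d "$NSSDB"
    pk12util -i "$CLIENT_P12" -d "$NSSDB" -k "$DB_PWFILE" -w "$P12_PWFILE"
}

# Constructed sample of `certutil -L` output, modelled on the listing above,
# plus a CA imported with no trust flags to show the failing case.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca                                                           CT,,
tester                                                       u,u,u
untrusted-ca                                                 ,,'

# Run the real procedure only where the tools and inputs exist.
if command -v certutil >/dev/null 2>&1 && [ -r "$CA_CERT" ] && [ -r "$CLIENT_P12" ]; then
    nss_setup
    listing=$(certutil -L -d "$NSSDB")
    printf '%s\n' "$listing" | nss_ca_trusted_for_ssl "$CA_NICK" ||
        { echo "$CA_NICK is not trusted for SSL; re-import with -t TC,," >&2; exit 1; }
    printf '%s\n' "$listing" | nss_has_private_key "$CLIENT_NICK" ||
        { echo "$CLIENT_NICK has no private key; check the PKCS#12 import" >&2; exit 1; }
    # curl's NSS backend finds the database via SSL_DIR, and -E takes the
    # nickname (plus the key DB password) rather than a PEM file path.
    SSL_DIR="$NSSDB" curl -E "$CLIENT_NICK:$(cat "$DB_PWFILE")" "https://$HOST/"
fi
```

Two caveats for real use: the key DB password passed after -E, as in the post, ends up in the process list and shell history, so keep it to a throwaway test database; and the u,u,u check only proves a private key is present, not that it matches the certificate the server expects, so a client-auth failure after these checks pass points at the CA side rather than at the import.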
