While working on today's research project I also needed to test with curl. Sadly, in my environment curl was built with NSS support, which caused me some grief. I had never used NSS-enabled apps before and didn't know how to deal with their certificate and private key database.
I do now.
I installed the NSS command line tools via yum ("yum install nss-tools").
This is how I created the certificate database and imported the CA's certificate, marking it as trusted for web sites in the process:
[ec2-user@ssltest ~]$ mkdir ~/ssl_dir
[ec2-user@ssltest ~]$ export SSL_DIR=~/ssl_dir
[ec2-user@ssltest ~]$ certutil -N -d ~/ssl_dir
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
[ec2-user@ssltest ~]$ certutil -A -n ca -i ~/ca/ca.crt -t TC -d ~/ssl_dir
[ec2-user@ssltest ~]$ certutil -L -d ~/ssl_dir
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca                                                           CT,,
[ec2-user@ssltest ~]$ curl https://ssltest.oracleateam.com/
Index page.
Then I imported the client certificate, turned cert verification back on and tested again:
[ec2-user@ssltest ~]$ pk12util -i ~/ca/tester.p12 -d ~/ssl_dir
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[ec2-user@ssltest ~]$
[ec2-user@ssltest ~]$ certutil -L -d ~/ssl_dir
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca                                                           CT,,
tester                                                       u,u,u
[ec2-user@ssltest ~]$ curl -E tester:ABcd1234 https://ssltest.oracleateam.com/
Index page.
Notice how I used the p12 file? Yeah, good thing I updated my CA script to generate that file too!
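The same sequence as one unattended script, added here as an example and not part of the original post. The ~/ssl_dir and ~/ca paths, the "ca" and "tester" nicknames and the two password files are assumptions; the extra step is a parse of certutil -L that confirms the CA really carries the C trust flag and the client entry really has its private key (u) before curl gets involved.

```shell
# Added example (not from the original post): the certutil/pk12util/curl
# steps as an unattended script plus a trust-flag check. Assumed paths and
# nicknames: ~/ssl_dir, ~/ca/ca.crt, ~/ca/tester.p12, "ca", "tester"; the
# password files are created by the operator with mode 0600 beforehand.
set -eu
NSSDB="${NSSDB:-${HOME:-.}/ssl_dir}"

# Create the DB; -f reads the DB password from a file instead of prompting.
nss_init() { mkdir -p "$NSSDB"; certutil -N -d "$NSSDB" -f "$1"; }

# Import the CA as "CT,,": C = trusted to issue server certs, T = trusted to
# issue client certs, SSL column only (the post's -t TC in canonical order).
nss_import_ca() { certutil -A -n "$1" -i "$2" -t "CT,," -d "$NSSDB"; }

# Import the PKCS#12 bundle; -k = DB password file, -w = PKCS#12 password file.
nss_import_p12() { pk12util -i "$1" -d "$NSSDB" -k "$2" -w "$3"; }

# Let NSS validate the chain for SSL client use (-u C) before blaming curl.
nss_verify_client() { certutil -V -n "$1" -u C -d "$NSSDB"; }

# Parse `certutil -L` output on stdin into "NICK SSL-trust-field" lines.
# Header lines carry no x,y,z trust string, so the regex skips them.
# Assumes single-word nicknames, as in the post.
nss_ssl_flags() {
  awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { split($NF, f, ","); print $1, f[1] }'
}

# Succeed only if NICK exists and its SSL field holds every flag in WANT,
# e.g. "ca C" (CA trusted for servers) or "tester u" (private key present).
nss_has_ssl_flags() {
  flags=$(nss_ssl_flags | awk -v n="$1" '$1 == n { print $2 }')
  [ -n "$flags" ] || return 1
  want=$2
  while [ -n "$want" ]; do
    c=${want%"${want#?}"}; want=${want#?}   # first char of $want
    case $flags in *"$c"*) ;; *) return 1 ;; esac
  done
}

main() {
  nss_init "$HOME/ca/db.pw"
  nss_import_ca ca "$HOME/ca/ca.crt"
  nss_import_p12 "$HOME/ca/tester.p12" "$HOME/ca/db.pw" "$HOME/ca/p12.pw"
  certutil -L -d "$NSSDB" | nss_has_ssl_flags ca C      # CA really trusted?
  certutil -L -d "$NSSDB" | nss_has_ssl_flags tester u  # key really imported?
  nss_verify_client tester
  # NSS-built curl finds the DB via SSL_DIR; -E takes nickname:DB-password.
  SSL_DIR="$NSSDB" curl -sS -E "tester:$(cat "$HOME/ca/db.pw")" https://ssltest.oracleateam.com/
}
if [ "${NSS_RUN:-0}" = 1 ]; then main; fi   # NSS_RUN=1 sh nss_curl.sh
```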