

Re: Verifying self signed certificates

From: Ralph Mitchell <>
Date: Tue, 24 Jan 2012 21:31:09 -0500

On Tue, Jan 24, 2012 at 7:08 PM, Shivam Patel <> wrote:

> On 21 January 2012 02:09, Ralph Mitchell <> wrote:
>> On Fri, Jan 20, 2012 at 1:08 PM, Shivam Patel <> wrote:
>>> Hi All,
>>> I need to verify the server certificate for a server that sends a self
>>> signed certificate. I am using the curl command line tool.
>>> I read in which
>>> Daniel says there is no way we can do it over command line (or so I
>>> inferred).
>>> Can someone tell me a way I can verify this certificate. As mentioned in
>>> , I
>>> added the PEM key to my CA cert store, but even that doesn't work for me.
>>> I reckon the problem is that I need to add the CA certificate to the
>>> certificate store (or for --cacert option) and not the Server Certificate.
>>> For self signed certificate, there is no CA - does that mean that the
>>> Certificate itself can be deemed as the CA certificate ?
>> I have a server at home that uses a certificate signed by my own internal
>> CA, which has its own self-signed certificate. I just tried accessing the
>> server with curl:
>> curl -v
>> and got back
>> * Peer certificate cannot be authenticated with known CA certificates
>> Then I went to the server, pulled its CA cert and saved it locally and
>> tried again:
>> curl -v --cacert ca.pem
>> and it validated OK, so curl can definitely handle a self-signed CA.
>> Actually, if you follow the CA chain from any server cert you'll find a
>> self-signed certificate from Verisign, Thawte, or whomever. So, if your
>> server certificate is self-signed you ought to be able to save a copy and
>> use it with the --cacert flag.
>> As I read Daniel's email that you referenced, what he's saying is that he
>> doesn't know a convenient way to pull the server's CA cert rather than the
>> server's own cert. I think this may do it:
>> openssl s_client -showcerts -connect > certs.pem
>> You can then use certs.pem in my previous curl command line.
>> Ralph Mitchell
> Ralph, Thanks for your comments.
> Well I've already tried what you mentioned. It didn't work. Is it so
> because there is no issuer in the CA chain for the certificate sent by the
> server? Does curl expect at least one issuer CA in the CA chain ?
> The certificate I am trying to validate using curl is
> I have a couple questions for this cert:
> 1.) Since this is a self signed cert, shouldn't "Issued to" and "Issued
> by" CN fields ideally match ?
> 2.) If this isn't self signed, and was issued by a self signed CA, then
> why isn't that CA cert showing up in the Certification path.
> Any thoughts will be appreciated !
> Also if anyone of you can successfully validate the cert from the
> aforementioned URL, kindly share the flags/process.

It's not a self-signed certificate. The certificate shows:

openssl x509 -noout -in finratraqs.pem -issuer -subject
issuer= /CN=NasdaqOMX Web Security Framework
subject= /C=US/ST=New York/L=New York/O=Nasdaq Stock Market/OU=Nasdaq

You'd need the certificate from the issuer, and possibly its issuer, going
back to a CA cert somewhere, to be able to validate the entire chain.

Perhaps more importantly, when I go to that web page in Firefox and accept
the certificate exception, the page I get back just has:

    "You do not have permission to view this directory or page
    using the credentials that you supplied."

The last few words, "credentials that you supplied", suggest to me that I
should login with a userid and password on some other web page, be handed a
cookie or other token, and then be transferred to the download site. Or
possibly I ought to have a certificate or smart card in order to
authenticate to the download server.

Ralph Mitchell

Received on 2012-01-25