
curl-users

Re: Self signed certs

From: Doug Kaufman <dkaufman_at_rahul.net>
Date: Fri, 10 Sep 2004 17:30:07 -0700 (PDT)

On Fri, 10 Sep 2004, Daniel Stenberg wrote:

> On Fri, 10 Sep 2004, panta-admin wrote:
>
> > How do I do that if the server uses a self signed certificate ?
>
> You bug the admin/owner of the site to create a ca cert for you to use when
> you want to verify its certificate.
>
> > Even more convenient would be if I could just get it to verify a certificate
> > against itself, i.e. the user saves the certificate from his browser, and
> > cURL just checks if the certificate from the server is the same as the saved
> > one which I pass to it via the command line.

This doesn't give you the same degree of security as with a certificate
obtained by a secure method. But if you want to obtain the certificate,
the easiest way is with openssl. Just use the openssl s_client mode and
save the response. Then cut out the garbage above and below the
certificate. You can then use openssl to print out the details of the
certificate if you wish.

For example, if you wanted the certificate for xxxxx.com, do:
openssl s_client -connect xxxxx.com:443 |tee xxxxx.com.log

Then type "QUIT", followed by the "ENTER" key. The certificate will have
"BEGIN CERTIFICATE" and "END CERTIFICATE" markers.

If you want to see the data in the certificate, you can do:
openssl x509 -inform PEM -in xxxxx.com.cert -text -out xxxxx.com.cert1
where xxxxx.com.cert is the cert you extracted from xxxxx.com.log. Look
in xxxxx.com.cert1.

If you want to trust the certificate, you can append it to your
cert_bundle. Just remember that the security is no better than the way
you obtained the certificate.

                           Doug

-- 
Doug Kaufman
Internet: dkaufman_at_rahul.net
Received on 2004-09-11
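
Added example, not part of the original mail: a shell sketch of the "cut out the garbage above and below the certificate" step, plus a fingerprint comparison that addresses the caveat that the certificate is only as trustworthy as the way it was obtained. The function names, the sample log and the idea of getting the fingerprint from the server's admin out of band are assumptions made for illustration.

```shell
# Added example. The log below is constructed; its base64 body is a
# placeholder, not a real certificate.

# Print the first complete PEM certificate found in a saved s_client log.
# Returns 1 and prints nothing if the log holds no complete certificate
# (failed connection, truncated log).
extract_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ && !done { inside = 1; buf = "" }
        inside { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inside { printf "%s", buf; inside = 0; done = 1 }
        END { exit (done ? 0 : 1) }
    ' "$1"
}

# Compare a certificate's SHA-256 fingerprint with one obtained out of band.
# $1 = PEM file, $2 = expected fingerprint (colons and case are ignored).
# Returns 0 on match, 1 on mismatch, 2 if openssl cannot parse the file.
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    actual=$(printf '%s' "${actual#*=}" | tr -d ':' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# Constructed sample of what "openssl s_client ... | tee xxxxx.com.log" saves.
sample_log() {
    cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64LINE1
PLACEHOLDERBASE64LINE2
-----END CERTIFICATE-----
subject=/CN=xxxxx.com
---
EOF
}

demo_log=$(mktemp)
sample_log > "$demo_log"
extract_cert "$demo_log"    # prints only the four lines from BEGIN to END
rm -f "$demo_log"
# With a real log: extract_cert xxxxx.com.log > xxxxx.com.cert
#                  fingerprint_matches xxxxx.com.cert "<fingerprint from admin>"
```

Only append the extracted certificate to the bundle once fingerprint_matches succeeds against a value that did not travel over the same connection.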