Re: Verifying self signed certificates
Date: Tue, 24 Jan 2012 21:31:09 -0500
On Tue, Jan 24, 2012 at 7:08 PM, Shivam Patel <shivam_at_shivampatel.net> wrote:
> On 21 January 2012 02:09, Ralph Mitchell <ralphmitchell_at_gmail.com> wrote:
>> On Fri, Jan 20, 2012 at 1:08 PM, Shivam Patel <shivam.unleashed_at_gmail.com> wrote:
>>> Hi All,
>>> I need to verify the server certificate for a server that sends a
>>> self-signed certificate. I am using the curl command line tool.
>>> I read http://curl.haxx.se/mail/archive-2011-02/0049.html in which
>>> Daniel says there is no way we can do it over command line (or so I
>>> Can someone tell me a way I can verify this certificate? As mentioned in
>>> http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/ , I
>>> added the PEM key to my CA cert store, but even that doesn't work for me.
>>> I reckon the problem is that I need to add the CA certificate to the
>>> certificate store (or for --cacert option) and not the Server Certificate.
>>> For a self-signed certificate, there is no CA - does that mean that the
>>> certificate itself can be deemed the CA certificate?
>> I have a server at home that uses a certificate signed by my own internal
>> CA, which has its own self-signed certificate. I just tried accessing the
>> server with curl:
>> curl -v https://server.domain.com/
>> and got back
>> * Peer certificate cannot be authenticated with known CA certificates
>> Then I went to the server, pulled its CA cert and saved it locally and
>> tried again:
>> curl -v --cacert ca.pem https://server.domain.com/
>> and it validated OK, so curl can definitely handle a self-signed CA.
>> Actually, if you follow the CA chain from any server cert you'll find a
>> self-signed certificate from Verisign, Thawte, or whomever. So, if your
>> server certificate is self-signed you ought to be able to save a copy and
>> use it with the --cacert flag.
>> As I read Daniel's email that you referenced, what he's saying is that he
>> doesn't know a convenient way to pull the server's CA cert rather than the
>> server's own cert. I think this may do it:
>> openssl s_client -showcerts -connect server.com:443 > certs.pem
>> You can then use certs.pem in my previous curl command line.
>> Ralph Mitchell
>> List admin: http://cool.haxx.se/list/listinfo/curl-users
>> FAQ: http://curl.haxx.se/docs/faq.html
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
> Ralph, Thanks for your comments.
> Well I've already tried what you mentioned. It didn't work. Is it so
> because there is no issuer in the CA chain for the certificate sent by the
> server? Does curl expect at least one issuer CA in the CA chain?
> The certificate I am trying to validate using curl is
> I have a couple of questions for this cert:
> 1.) Since this is a self-signed cert, shouldn't "Issued to" and "Issued
> by" CN fields ideally match?
> 2.) If this isn't self-signed, and was issued by a self-signed CA, then
> why isn't that CA cert showing up in the Certification path?
> Any thoughts will be appreciated!
> Also if any of you can successfully validate the cert from the
> aforementioned URL, kindly share the flags/process.
It's not a self-signed certificate. The certificate shows:
openssl x509 -noout -in finratraqs.pem -issuer -subject
issuer= /CN=NasdaqOMX Web Security Framework
subject= /C=US/ST=New York/L=New York/O=Nasdaq Stock Market/OU=Nasdaq
You'd need the certificate from the issuer, and possibly its issuer, going
back to a CA cert somewhere, to be able to validate the entire chain.
Perhaps more importantly, when I go to that web page in Firefox and accept
the certificate exception, the page I get back just has:
"You do not have permission to view this directory or page
using the credentials that you supplied."
The last few words, "credentials that you supplied", suggest to me that I
should login with a userid and password on some other web page, be handed a
cookie or other token, and then be transferred to the download site. Or
possibly I ought to have a certificate or smart card in order to
authenticate to the download server.
Received on 2012-01-25
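Ralph's suggestion of capturing the chain with openssl s_client -showcerts leaves the practical question of which of the captured certificates to hand to --cacert. The following is an added example, not code from this thread or from the curl project: a small Python parser over the s_client chain listing that picks out the entry whose subject and issuer names match (the self-signed anchor that --cacert needs) and, when no such entry exists, reports the issuer the chain stops at, which is the situation Ralph describes for the NasdaqOMX-issued certificate. The s_client output, the names and the PEM bodies are constructed placeholders; comparing the s:/i: name lines is only a heuristic for locating the candidate anchor, and openssl verify is still what proves the signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `openssl s_client -showcerts` output for a server whose
# chain is leaf -> intermediate -> self-signed root.  The base64 bodies are
# placeholders, not real certificates; only the structure matters here.
FULL_CHAIN = """CONNECTED(00000003)
depth=2 /C=US/O=Example Root CA
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=server.example.test
   i:/C=US/O=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Intermediate CA
   i:/C=US/O=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTPLACEHOLDER
-----END CERTIFICATE-----
 2 s:/C=US/O=Example Root CA
   i:/C=US/O=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTCERTPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=Example Corp/CN=server.example.test
issuer=/C=US/O=Example Intermediate CA
"""

# Constructed sample of the situation in this thread: the server sends only its
# own certificate, issued by a private CA that is not included in the chain.
LEAF_ONLY = """CONNECTED(00000003)
depth=0 /C=US/O=Example Corp/CN=download.example.test
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=download.example.test
   i:/CN=Example Private CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
---
"""

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/C=US/..." starts an entry
ISSUER_RE = re.compile(r"^\s*i:(.*)$")        # "   i:/C=US/..." names its issuer


@dataclass
class ChainEntry:
    index: int
    subject: str
    issuer: str = ""
    pem: str = ""

    def is_self_signed(self) -> bool:
        # Name comparison only: the cert claims to be its own issuer.  The real
        # proof is signature verification, e.g. `openssl verify -CAfile x x`.
        return self.subject == self.issuer


def parse_showcerts(text: str) -> List[ChainEntry]:
    """Split the 'Certificate chain' section into entries with their PEM blocks."""
    entries: List[ChainEntry] = []
    current: Optional[ChainEntry] = None
    pem_lines: Optional[List[str]] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = ChainEntry(int(m.group(1)), m.group(2).strip())
            entries.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None and not current.issuer:
            current.issuer = m.group(1).strip()
            continue
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem_lines = [line]
            continue
        if pem_lines is not None:
            pem_lines.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                # Attach the block to the entry it follows; ignore any repeat
                # of the leaf printed later under "Server certificate".
                if current is not None and not current.pem:
                    current.pem = "\n".join(pem_lines) + "\n"
                pem_lines = None
    return entries


def find_anchor(entries: List[ChainEntry]) -> Optional[ChainEntry]:
    """The self-signed entry whose PEM can be saved and passed to --cacert."""
    return next((e for e in entries if e.is_self_signed()), None)


def missing_issuer(entries: List[ChainEntry]) -> Optional[str]:
    """Issuer the chain stops at without including it (must be obtained elsewhere)."""
    if not entries:
        return None
    top = entries[-1]
    present = {e.subject for e in entries}
    if top.is_self_signed() or top.issuer in present:
        return None
    return top.issuer


def chain_report(text: str) -> dict:
    """Summarise what s_client returned and what curl would need."""
    entries = parse_showcerts(text)
    anchor = find_anchor(entries)
    return {
        "depth": len(entries),
        "leaf_subject": entries[0].subject if entries else None,
        "anchor_subject": anchor.subject if anchor else None,
        "missing_issuer": missing_issuer(entries),
        "cacert_pem": anchor.pem if anchor else None,
    }


if __name__ == "__main__":
    for name, sample in (("full chain", FULL_CHAIN), ("leaf only", LEAF_ONLY)):
        r = chain_report(sample)
        print(name, "->", {k: v for k, v in r.items() if k != "cacert_pem"})
```

When the report yields an anchor, writing its cacert_pem to a file and passing that file with --cacert is exactly Ralph's working case; when it yields a missing_issuer instead, no flag will help until that issuer's certificate (and any above it) is obtained out of band, which is the second case in this thread.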