cURL with a PKCS#12 certificate in a bash script
Bash Problem Overview
I have to connect to a webservice, where a pkcs12 certificate is a must. The idea was to use curl in a bash script (under OS X, to be specific).
I have learnt that one of the few things curl cannot do in communication is handling pkcs12 certificates (.p12). What are my options?
I have read that converting the certificate to PEM format would work (using openssl), however I have no idea how to tell curl that it gets a PEM and should communicate with a webservice requesting PKCS12 certificates.
Converting pkcs12 to pem would be done like this (e.g.); it worked for me, however I haven't successfully used them with curl:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Any hints? Or any alternatives to curl? The solution should be command-line based.
Bash Solutions
Solution 1 - Bash
I think you have already resolved this, but I had the same problem. I am answering to share my solution.
If you have a .p12 file your approach is right. First of all you have to get the cert and the key separated from the p12 file. As an example, if you have a mycert.p12 file execute
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Then you have to make the call to your url. For instance assume that you want to get the wsdl of a specific webservice
curl -E ./file.crt.pem --key ./file.key.pem 'https://myservice.com/service?wsdl'
If the files file.crt.pem and file.key.pem are in your working folder, "./" is mandatory.
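An added example, not part of the original answers: the conversion from Solution 1 wrapped in two shell functions that keep the unencrypted key readable only by the current user and delete it after the request. The function names p12_to_pem and curl_with_p12 and the P12_PASS environment variable are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers).
# Assumption: the bundle's import password is supplied in P12_PASS, so it
# never appears on a command line where other users could see it in `ps`.

# p12_to_pem <bundle.p12> <outdir>
# Writes <outdir>/file.key.pem and <outdir>/file.crt.pem with mode 0600.
p12_to_pem() {
    local p12="$1" outdir="$2"
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }
    [ -n "${P12_PASS+x}" ] || { echo "P12_PASS is not set" >&2; return 1; }
    export P12_PASS
    (
        # -nodes writes the private key unencrypted, so restrict permissions
        # before openssl creates the files.
        umask 077
        openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -nocerts -nodes -out "$outdir/file.key.pem" &&
        openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -clcerts -nokeys -out "$outdir/file.crt.pem"
    ) || { echo "openssl could not unpack $p12" >&2; return 1; }
}

# curl_with_p12 <bundle.p12> <url> [extra curl arguments...]
# Unpacks into a private temporary directory, runs curl, then cleans up.
curl_with_p12() {
    local p12="$1" url="$2" tmp rc
    shift 2
    tmp=$(mktemp -d) || return 1      # mktemp -d creates the directory 0700
    if p12_to_pem "$p12" "$tmp"; then
        curl --cert "$tmp/file.crt.pem" --key "$tmp/file.key.pem" "$@" "$url"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$tmp"                     # the plaintext key must not outlive the call
    return "$rc"
}

# Usage (the URL is the one from the answer above):
#   P12_PASS=... curl_with_p12 mycert.p12 'https://myservice.com/service?wsdl'
```

Because the PEM files live in a temporary directory and are referenced by absolute path, the "./" prefix is not needed here.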
Solution 2 - Bash
Check if you have newer curl. Newer versions can handle PKCS12 outright.
curl --cert-type P12 --cert cert.p12:password https://yoursite.com
Solution 3 - Bash
bioffes answer is correct.
He was suggesting to do:
curl --cert-type P12 --cert cert.p12:password https://yoursite.com
For some reason that didn't work for me. I was getting:
> curl could not open PKCS12 file
I just ended up exporting the p12 file without a password and ended up just using the following format.
curl --cert-type P12 --cert cert.p12 https://yoursite.com
You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and scroll down til you find the cert-type. Mine was like this:
> --cert-type <type>
>
> (TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.
>
> If this option is used several times, the last one will be used.
(I don't believe cmmd + F works on text not visible in the terminal. So you have to scroll down.)