z/OS Tools & Language


cURL Certificate Question

  • 1.  cURL Certificate Question

    Posted 08-04-2016 10:46

    I am using the cURL line command with the insecure option and would like to remove this option. What do I have to do to install a certificate and is there any way to use CA’s Top Secret for this authentication?

    Thanks



  • 2.  RE: cURL Certificate Question

    Posted 08-05-2016 02:25

    Hi,

    I will write a “small” instruction.

    1. You have to know about two cURL keywords:
      --cacert
      Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file.
      curl recognizes the environment variable named ‘CURL_CA_BUNDLE’ if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.
      The Windows version of curl will automatically look for a CA certs file named ‘curl-ca-bundle.crt’, either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.
      If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.
      If this option is used several times, the last one will be used.

      --capath
      Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with “:” (e.g. “path1:path2:path3”). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.
      If this option is set, the default capath value will be ignored, and if it is used several times, the last one will be used.

    2. You have to copy the useful certificates to any directory you like and then use the --cacert (--capath) keywords in cURL commands.

    3. Examples:
      a) CURL_CA_BUNDLE isn’t set.

    curl -v https://godaddy.com
    curl: (60) SSL certificate problem: unable to get local issuer certificate

    Failed.

      b) CURL_CA_BUNDLE isn’t set.

    curl -kv https://godaddy.com

      c) CURL_CA_BUNDLE isn’t set.
    Nearly all Unix systems have certificates in /etc/ssl/certs. I copied “ca-certificates.crt” from /etc/ssl/certs to my home directory.

    curl -v https://godaddy.com --cacert /u/csprok/tmp/ca-certificates.crt

      d) CURL_CA_BUNDLE set.

    export CURL_CA_BUNDLE=/u/csprok/tmp/ca-certificates.crt
    curl -v https://godaddy.com

    4. Links - useful information:
      https://curl.haxx.se/docs/manpage.html#--cacert
      https://curl.haxx.se/docs/sslcerts.html

    Thanks,
    Andrey



  • 3.  RE: cURL Certificate Question

    Posted 04-12-2020 02:09

    This is a great description of the process. One thing I don’t understand now is if RACF, TopSecret and ACF2 certificates are in PEM format? Also - since they are normally in datasets, what’s the right way to get them into these directories so they can be read by curl?



  • 4.  RE: cURL Certificate Question

    Posted 04-13-2020 03:26

    Hello Mike,

    I’m not sure whether you can access RACF certificates directly and if yes, what their format would be.

    You can probably export them with the RACDCERT EXPORT command as described here:

    https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/le-export.htm

    It supports multiple output formats. PEM is called ‘base64’ in the RACF doc - PEM is actually a base64-encoded binary certificate, with a header and a footer line appended to it. I haven’t tried it myself but I guess CERTB64 (the default) should be fine for curl.

    Regards,
    Vladimir
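
An added example, not from this thread or any of its posters, that checks whether a file copied out of a dataset is usable as the PEM bundle Andrey's --cacert / CURL_CA_BUNDLE steps need and that Vladimir describes (base64 body between a BEGIN/END header and footer): it finds each PEM block, confirms the body is valid base64, and confirms the decoded bytes form one complete DER SEQUENCE rather than a truncated or concatenated blob. The sample DER payload is a constructed five-byte ASN.1 SEQUENCE, not a real certificate, so the script runs offline; the EBCDIC (cp037) detection and the assumption that curl wants the ASCII form of the export are mine, since the thread does not discuss file encoding.

```python
import base64
import re

# Constructed sample DER payload: a minimal ASN.1 SEQUENCE containing INTEGER 1.
# It is NOT a real X.509 certificate; it only exists so the example runs offline.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PEM_BLOCK_RE = re.compile(
    re.escape(PEM_HEADER) + r"\r?\n(.*?)\r?\n" + re.escape(PEM_FOOTER),
    re.DOTALL,
)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour: header, base64 body folded at 64 columns, footer."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


def der_sequence_complete(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length field
    matches the bytes present; catches truncated or concatenated exports."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        length, header = first, 2
    else:                                  # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def to_text(raw: bytes) -> str:
    """Decode a bundle read from disk. If the PEM header appears in EBCDIC (cp037),
    assume the file was copied straight from a z/OS dataset and translate it;
    otherwise treat it as ASCII/UTF-8. (Assumption: curl wants the ASCII form.)"""
    if raw.lstrip().startswith(PEM_HEADER.encode("cp037")):
        return raw.decode("cp037")
    return raw.decode("utf-8", errors="replace")


def check_bundle(raw: bytes):
    """Return (valid_certificate_count, problems) for a would-be --cacert file."""
    text = to_text(raw)
    blocks = PEM_BLOCK_RE.findall(text)
    problems = []
    if not blocks:
        problems.append(f"no {PEM_HEADER} block found: file may be binary DER "
                        "or not a certificate at all")
        return 0, problems
    good = 0
    for i, body in enumerate(blocks, 1):
        compact = re.sub(r"\s+", "", body)          # PEM bodies are line-folded
        try:
            der = base64.b64decode(compact, validate=True)
        except ValueError:                           # binascii.Error is a ValueError
            problems.append(f"block {i}: body is not valid base64")
            continue
        if not der_sequence_complete(der):
            problems.append(f"block {i}: decoded bytes are not one complete DER SEQUENCE")
            continue
        good += 1
    return good, problems


if __name__ == "__main__":
    bundle = (der_to_pem(SAMPLE_DER) * 2).encode("ascii")      # two certs, like a CA bundle
    print(check_bundle(bundle))                                 # (2, [])
    print(check_bundle(der_to_pem(SAMPLE_DER).encode("cp037")))  # EBCDIC copy still parses
    print(check_bundle(SAMPLE_DER))                             # bare DER, no PEM armour
```

Run it against the file you intend to pass to --cacert; a count of zero with a "no block found" message usually means the export is binary DER or still in the dataset's encoding, and a base64 or DER-length problem on a specific block points at a damaged copy rather than at curl.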