I am using the cURL line command with the insecure option and would like to remove this option. What do I have to do to install a certificate and is there any way to use CA’s Top Secret for this authentication?
Thanks
cURL Certificate Question
I am using the cURL line command with the insecure option and would like to remove this option. What do I have to do to install a certificate and is there any way to use CA’s Top Secret for this authentication?
Thanks
Hi,
I will write “small” instruction.
- You have to know about two cURL’s keywords:
–cacert
Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file.
curl recognizes the environment variable named ‘CURL_CA_BUNDLE’ if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.
The windows version of curl will automatically look for a CA certs file named ´curl-ca-bundle.crt´, either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.
If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.
If this option is used several times, the last one will be used.
–capath
Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with “:” (e.g. “path1:path2:path3”). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.
If this option is set, the default capath value will be ignored, and if it is used several times, the last one will be used.
-
You have to copy useful certificates to any directory you like and then use --cacert (–capath) keywords in cURL commands.
-
Examples:
a) CURL_CA_BUNDLE isn’t set.
curl -v https://godaddy.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
…
Failed.
b) CURL_CA_BUNDLE isn’t set.
curl -kv https://godaddy.com
- Rebuilt URL to: https://godaddy.com/
…
Passed, but insecure.
c) CURL_CA_BUNDLE isn’t set.
Nearly all unix system has certificates in /etc/ssl/certs. I copied “ca-certificates.crt” from /etc/ssl/certs to my home directory.
curl -v https://godaddy.com --cacert /u/csprok/tmp/ca-certificates.crt
- Rebuilt URL to: https://godaddy.com/
…
Passed and without -k/–insecure keywords.
d) CURL_CA_BUNDLE set.
export CURL_CA_BUNDLE=/u/csprok/tmp/ca-certificates.crt
curl -v https://godaddy.com
- Rebuilt URL to: https://godaddy.com/
…
Passed, I didn’t use --cacert(–capath) keywords.
- Links - useful information:
https://curl.haxx.se/docs/manpage.html#--cacert
https://curl.haxx.se/docs/sslcerts.html
Thanks,
Andrey
Hi,
I will write “small” instruction.
- You have to know about two cURL’s keywords:
–cacert
Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file.
curl recognizes the environment variable named ‘CURL_CA_BUNDLE’ if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.
The windows version of curl will automatically look for a CA certs file named ´curl-ca-bundle.crt´, either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.
If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.
If this option is used several times, the last one will be used.
–capath
Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with “:” (e.g. “path1:path2:path3”). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.
If this option is set, the default capath value will be ignored, and if it is used several times, the last one will be used.
-
You have to copy useful certificates to any directory you like and then use --cacert (–capath) keywords in cURL commands.
-
Examples:
a) CURL_CA_BUNDLE isn’t set.
curl -v https://godaddy.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
…
Failed.
b) CURL_CA_BUNDLE isn’t set.
curl -kv https://godaddy.com
- Rebuilt URL to: https://godaddy.com/
…
Passed, but insecure.
c) CURL_CA_BUNDLE isn’t set.
Nearly all unix system has certificates in /etc/ssl/certs. I copied “ca-certificates.crt” from /etc/ssl/certs to my home directory.
curl -v https://godaddy.com --cacert /u/csprok/tmp/ca-certificates.crt
- Rebuilt URL to: https://godaddy.com/
…
Passed and without -k/–insecure keywords.
d) CURL_CA_BUNDLE set.
export CURL_CA_BUNDLE=/u/csprok/tmp/ca-certificates.crt
curl -v https://godaddy.com
- Rebuilt URL to: https://godaddy.com/
…
Passed, I didn’t use --cacert(–capath) keywords.
- Links - useful information:
https://curl.haxx.se/docs/manpage.html#--cacert
https://curl.haxx.se/docs/sslcerts.html
Thanks,
Andrey
This is a great description of the process. One thing I don’t understand know is if RACF, TopSecret and ACF2 certificates are in PEM format? Also - since they are normally in datasets, what’s the right way to get them into these directories so they can be read by curl?
+1- Rocketeer
- 110 replies
I am using the cURL line command with the insecure option and would like to remove this option. What do I have to do to install a certificate and is there any way to use CA’s Top Secret for this authentication?
Thanks
Hello Mike,
I’m not sure whether you can access RACF certificates directly and if yes, what their format would be.
You can probably export them with the RACDCERT EXPORT command as described here:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/le-export.htm
It supports multiple output formats. PEM is called ‘base64’ in the RACF doc - PEM is actually a base64-encoded binary certificate, with a header and a footer line appended to it. I haven’t tried it myself but I guess CERTB64 (the default) should be fine for curl.
Regards,
Vladimir
Hello Mike,
I’m not sure whether you can access RACF certificates directly and if yes, what their format would be.
You can probably export them with the RACDCERT EXPORT command as described here:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/le-export.htm
It supports multiple output formats. PEM is called ‘base64’ in the RACF doc - PEM is actually a base64-encoded binary certificate, with a header and a footer line appended to it. I haven’t tried it myself but I guess CERTB64 (the default) should be fine for curl.
Regards,
Vladimir
Hi Vladimir
We are integrating Curl to copy Jenkins Agent in our setup for a pipeline with IBM DBB.
As we understand we can setup CA certificate store on USS file system.
Normally we use RACF keyrings
We understand that linking to RACF is not possible at this moment
Are there plans to support linking to RACF keyrings?
If this is not the correct place to ask, who should I contact for this questions
Regards
Dirk
------------------------------
Dirk Thielens
KBC
------------------------------
Hi Vladimir
We are integrating Curl to copy Jenkins Agent in our setup for a pipeline with IBM DBB.
As we understand we can setup CA certificate store on USS file system.
Normally we use RACF keyrings
We understand that linking to RACF is not possible at this moment
Are there plans to support linking to RACF keyrings?
If this is not the correct place to ask, who should I contact for this questions
Regards
Dirk
------------------------------
Dirk Thielens
KBC
------------------------------
This forum is a good place to request enhancements of this sort. Your request does make sense and I will add it to our backlog. However, our backlog does get prioritized with an eye towards our customers that are paying support and their priorities. If this is really important to your business needs I would recommend getting on support. See https://www.rocketsoftware.com/openappdev-for-z
Regards,
-Peter
------------------------------
Peter Fandel
Rocket Software
------------------------------
Sign up
Already have an account? Login
Welcome to the Rocket Forum!
Please log in or register:
Employee Login | Registration Member Login | RegistrationEnter your E-mail address. We'll send you an e-mail with instructions to reset your password.
77 4th Avenue
Waltham, MA 02451 USA
