Question
Question regardng using PKCS12 certificates with curl?
I installed the most recent version of the curl tool and all works fine with the exception of using PKCS12 personal certificates. When I specify the parameters --cert /u/johnson/curl/fred.12:secret --cert-type P12 I receive message curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt. I know the password is correct because if I move the file to Windows for example, I am am able to successfully import the PKCS12 certificate.with the same password into a trust store. Is there another step I need to do differently to provide the password on z/OS?
+1- Rocketeer
- 73 replies
I installed the most recent version of the curl tool and all works fine with the exception of using PKCS12 personal certificates. When I specify the parameters --cert /u/johnson/curl/fred.12:secret --cert-type P12 I receive message curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt. I know the password is correct because if I move the file to Windows for example, I am am able to successfully import the PKCS12 certificate.with the same password into a trust store. Is there another step I need to do differently to provide the password on z/OS?
Hi Mitch,
Could you check the tag of PKCS12 certificate file?
ls -T /u/johnson/curl/fred.12
If the file is 'untagged' or have mixed tag (m ISO8859-1), tag them as ISO8859-1:
chtag -tc 819 /u/johnson/curl/fred.12
And then, try the cURL command again.
If it will not help, could you also say the version and build of cURL and OpenSSL installed on your system?
I installed the most recent version of the curl tool and all works fine with the exception of using PKCS12 personal certificates. When I specify the parameters --cert /u/johnson/curl/fred.12:secret --cert-type P12 I receive message curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt. I know the password is correct because if I move the file to Windows for example, I am am able to successfully import the PKCS12 certificate.with the same password into a trust store. Is there another step I need to do differently to provide the password on z/OS?
ls -T FRED.P12
t ISO8859-1 T=on FRED.P12
and repeated invoking the curl command:
BPXBATCH SH export CURL=&CURL; $CURL/bin/curl -X GET --cacert /u/johnson/CERTAUTH.PEM +
--cert /u/johnson/FRED.P12:secret --cert-type P12 https://wg31.washington.ibm.com:9445/cscvinc/employee/000100
and received the same results:
curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
The results from a curl -V command are shown here:
curl 7.66.0 (i370-ibm-openedition) libcurl/7.66.0 OpenSSL/1.0.2l zlib/1.2.11 libssh2/1.8.0 nghttp2/1.18.1
Release-Date: 2019-09-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
+1- Rocketeer
- 73 replies
I installed the most recent version of the curl tool and all works fine with the exception of using PKCS12 personal certificates. When I specify the parameters --cert /u/johnson/curl/fred.12:secret --cert-type P12 I receive message curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt. I know the password is correct because if I move the file to Windows for example, I am am able to successfully import the PKCS12 certificate.with the same password into a trust store. Is there another step I need to do differently to provide the password on z/OS?
Thanks for reporting the problem.
It also reproduced for a previous version of cURL, but it's fixed for cURL delivered with Miniconda (but, it looks there is also need to use tagged file).
We recently moved to a new delivery and installation model. Now all the ported tools should be installed via package manager Conda. Please, take a look at this post on our forum:
Introducing z/OS conda for download and deployment of z/OS open source products
How to install z/OS Miniconda - the first step in using Open Source on z
You can install Miniconda and than install cURL from public Conda channel.
I installed the most recent version of the curl tool and all works fine with the exception of using PKCS12 personal certificates. When I specify the parameters --cert /u/johnson/curl/fred.12:secret --cert-type P12 I receive message curl: (58) could not parse PKCS12 file, check password, OpenSSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt. I know the password is correct because if I move the file to Windows for example, I am am able to successfully import the PKCS12 certificate.with the same password into a trust store. Is there another step I need to do differently to provide the password on z/OS?
Sign up
Already have an account? Login
Welcome to the Rocket Forum!
Please log in or register:
Employee Login | Registration Member Login | RegistrationEnter your E-mail address. We'll send you an e-mail with instructions to reset your password.
77 4th Avenue
Waltham, MA 02451 USA
