54
votes

I have to connect to a webservice, where a pkcs12 certificate is a must. The idea was to use curl in a bash script (under OS X, to be specific).

I have learnt that one of the few things curl cannot do in communication is handling pkcs12 certificates (.p12). What are my options?

I have read that converting the certificate to PEM format would work (using openssl), however I have no idea how to tell curl that it gets a PEM and should communicate with a webservice requesting PKCS12 certificates.

Converting pkcs12 to PEM would be done like this (e.g.); it worked for me, however I haven't successfully used them with curl:

openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys

Any hints? Or any alternatives to curl? The solution should be command-line based.


3 Answers

87
votes

I think you have already resolved this, but I had the same problem. I am answering to share my solution.

If you have a .p12 file, your approach is right. First of all, you have to get the cert and the key separated from the p12 file. As an example, if you have a mycert.p12 file, execute:

openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys

Then you have to make the call to your URL. For instance, assume that you want to get the WSDL of a specific webservice:

curl -E ./file.crt.pem --key ./file.key.pem 'https://myservice.com/service?wsdl'

If the files file.crt.pem and file.key.pem are in your working folder, "./" is mandatory.
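
The conversion from this answer as one script, added here as an example and not part of any answer on this page; the function names, the demo identity and the `P12_PASS` variable are assumptions. It reads the passphrase from the environment instead of the command line, keeps the unencrypted key owner-readable only, and checks that the extracted key and certificate belong together before they are handed to curl.

```shell
#!/bin/sh
# Added example. make_demo_p12, p12_to_pem and P12_PASS are hypothetical names.

# Build a throwaway self-signed identity so the script runs offline
# (constructed data, valid for one day). Needs P12_PASS exported.
make_demo_p12() {  # usage: make_demo_p12 <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
    -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" \
    -out "$1/mycert.p12" -passout env:P12_PASS
}

# Split a .p12 into file.key.pem and file.crt.pem, then confirm they match.
p12_to_pem() {  # usage: p12_to_pem <file.p12> <outdir>   (needs P12_PASS exported)
  (
    umask 077   # -nodes writes the key unencrypted, so keep it owner-only
    p12=$1
    out=$2
    # env:P12_PASS keeps the passphrase out of argv, where `ps` would show it
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
      -out "$out/file.key.pem" 2>/dev/null ||
      { echo "cannot read key from $p12" >&2; exit 1; }
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
      -out "$out/file.crt.pem" 2>/dev/null ||
      { echo "cannot read certificate from $p12" >&2; exit 1; }
    # A client certificate only works with its own key: compare public keys.
    cert_pub=$(openssl x509 -in "$out/file.crt.pem" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$out/file.key.pem" -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ] ||
      { echo "key and certificate do not match" >&2; exit 1; }
  )
}

# Stand-alone use:  P12_PASS=... sh this-script.sh mycert.p12 .
# followed by the curl call from the answer:
#   curl -E ./file.crt.pem --key ./file.key.pem 'https://myservice.com/service?wsdl'
if [ "$#" -ge 1 ]; then
  p12_to_pem "$1" "${2:-.}"
fi
```
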

54
votes

Check if you have newer curl. Newer versions can handle PKCS12 outright.

curl --cert-type P12 --cert cert.p12:password https://yoursite.com

0
votes

bioffe's answer is correct.

He was suggesting to do:

curl --cert-type P12 --cert cert.p12:password https://yoursite.com

For some reason that didn't work for me. I was getting:

curl could not open PKCS12 file

I just ended up exporting the p12 file without a password and ended up just using the following format.

curl --cert-type P12 --cert cert.p12 https://yoursite.com

You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and scroll down until you find the cert-type. Mine was like this:

--cert-type <type>

(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.

If this option is used several times, the last one will be used.

(I don't believe Cmd + F works on text not visible in the terminal, so you have to scroll down.)