Accessing PKI Services with curl - dogtagpki/pki GitHub Wiki
This document describes how to use curl to access PKI services.
To display information about curl:
$ curl -V
curl 7.59.0 (x86_64-redhat-linux-gnu) libcurl/7.59.0 OpenSSL/1.1.0i zlib/1.2.11 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.0.4) libssh/0.8.6/openssl/zlib nghttp2/1.32.1
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink
To execute a GET operation:
$ curl http://$HOSTNAME:8080
To download a file:
$ curl -O -J <URL>
To execute a POST operation:
$ curl -X POST -d <data> http://$HOSTNAME:8080
To skip SSL certificate verification:
$ curl -k https://$HOSTNAME:8443
The names of SSL ciphers depend on the TLS backend used by curl. See SSL Ciphers.
To specify SSL ciphers:
$ curl --ciphers ECDHE-RSA-AES128-SHA256 https://$HOSTNAME:8443
To show ciphers used by curl:
$ curl --ciphers ECDHE-RSA-AES128-SHA256 https://www.howsmyssl.com/a/check | jq
{
  "given_cipher_suites": [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
  ],
  "ephemeral_keys_supported": true,
  "session_ticket_supported": false,
  "tls_compression_supported": false,
  "unknown_cipher_suite_supported": false,
  "beast_vuln": false,
  "able_to_detect_n_minus_one_splitting": false,
  "insecure_cipher_suites": {},
  "tls_version": "TLS 1.2",
  "rating": "Probably Okay"
}
See also lib/vtls/nss.c.
Supported data formats are:
- application/xml
- application/json
If the PKI service takes request data, the format should be specified in the Content-Type header:
$ curl -H "Content-Type: application/xml" ...
If the PKI service returns response data, the format should be specified in the Accept header:
$ curl -H "Accept: application/json" ...
To authenticate using NSS database:
$ export SSL_DIR=~/.dogtag/nssdb
$ curl -E <nickname>:<password> ...
To authenticate using PKCS #12 file:
$ curl --cert-type P12 --cert <PKCS #12 file>:<PKCS #12 password> ...
To authenticate with PEM certificate and key:
$ curl -E <cert file> --key <key file> ...
To authenticate with username and password:
$ curl --user <username>:<password> ...
To retrieve certificates from CA:
$ curl http://$HOSTNAME:8080/ca/rest/certs
To retrieve certificate requests from CA:
$ curl -k \
    --cert-type P12 \
    --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12:Secret.123 \
    https://$HOSTNAME:8443/ca/rest/agent/certrequests
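The same certificate request query can be run without -k and without the PKCS #12 password on the command line, where it ends up in shell history. The following is an added example, not part of the original wiki page: it writes a curl config file readable only by its owner and passes it with -K. The function names, the password file and the PEM copy of the CA signing certificate are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Paths other than
# ca_admin_cert.p12 and the function names are hypothetical.

# Escape \ and " for a double-quoted value in a curl config file.
curl_cfg_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_pki_curl_config <config> <PKCS #12 file> <password file> <CA cert PEM>
write_pki_curl_config() {
    cfg=$1; p12=$2; pwfile=$3; cacert=$4
    # curl splits --cert at ':'; refuse paths that would be split early.
    case $p12 in *:*) echo "PKCS #12 path must not contain ':'" >&2; return 1 ;; esac
    [ -r "$pwfile" ] || { echo "cannot read $pwfile" >&2; return 1; }
    pw=$(cat "$pwfile")
    rm -f "$cfg"
    (
        umask 077   # file is created readable by the owner only
        {
            printf 'cert-type = "P12"\n'
            printf 'cert = "%s:%s"\n' "$(curl_cfg_quote "$p12")" "$(curl_cfg_quote "$pw")"
            printf 'cacert = "%s"\n' "$(curl_cfg_quote "$cacert")"
            printf 'header = "Accept: application/json"\n'
        } > "$cfg"
    )
    chmod 600 "$cfg"
}

# pki_get <config> <URL>: client certificate and trust anchor come from the file.
pki_get() {
    curl --silent --show-error --fail -K "$1" "$2"
}

# Usage:
#   write_pki_curl_config ~/.dogtag/ca-agent.curlrc \
#       ~/.dogtag/pki-tomcat/ca_admin_cert.p12 ~/.dogtag/ca_admin.pw ~/.dogtag/ca_signing.crt
#   pki_get ~/.dogtag/ca-agent.curlrc "https://$HOSTNAME:8443/ca/rest/agent/certrequests"
```

With cacert set, curl verifies the server certificate against the CA signing certificate, so the request fails if the server presents a certificate from another issuer.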
To update TPS configuration:
$ SSL_DIR=~/.dogtag/pki-tomcat/ca/alias/ curl \
    -E "caadmin:Secret.123" \
    -H "Content-Type: application/xml" \
    -X PATCH \
    --data @input.xml \
    https://$HOSTNAME:8443/tps/rest/config