Accessing PKI Services with curl - dogtagpki/pki GitHub Wiki

Overview

This document describes how to use curl to access PKI services.

Information

To display information about curl:

$ curl -V
curl 7.59.0 (x86_64-redhat-linux-gnu) libcurl/7.59.0 OpenSSL/1.1.0i zlib/1.2.11 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.0.4) libssh/0.8.6/openssl/zlib nghttp2/1.32.1
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink

GET Operation

To execute a GET operation:

$ curl http://$HOSTNAME:8080

To download a file:

$ curl -O -J <URL>

POST Operation

To execute a POST operation:

$ curl -X POST -d <data> http://$HOSTNAME:8080

SSL Connection

To skip SSL certificate verification:

$ curl -k https://$HOSTNAME:8443

SSL Ciphers

The names of SSL ciphers depend on the TLS backend used by curl. See SSL Ciphers.

To specify SSL ciphers:

$ curl --ciphers ECDHE-RSA-AES128-SHA256 https://$HOSTNAME:8443

To show ciphers used by curl:

$ curl --ciphers ECDHE-RSA-AES128-SHA256 https://www.howsmyssl.com/a/check | jq
{
  "given_cipher_suites": [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
  ],
  "ephemeral_keys_supported": true,
  "session_ticket_supported": false,
  "tls_compression_supported": false,
  "unknown_cipher_suite_supported": false,
  "beast_vuln": false,
  "able_to_detect_n_minus_one_splitting": false,
  "insecure_cipher_suites": {},
  "tls_version": "TLS 1.2",
  "rating": "Probably Okay"
}

See also lib/vtls/nss.c.

Data Format

Supported data formats are:

  • application/xml

  • application/json

If the PKI service accepts request data, the format of that data should be specified in the Content-Type header:

$ curl -H "Content-Type: application/xml" ...

If the PKI service returns response data, the desired format should be specified in the Accept header:

$ curl -H "Accept: application/json" ...

Authentication

To authenticate using an NSS database:

$ export SSL_DIR=~/.dogtag/nssdb
$ curl -E <nickname>:<password> ...

To authenticate using a PKCS #12 file:

$ curl --cert-type P12 --cert <PKCS #12 file>:<PKCS #12 password> ...

To authenticate with a PEM certificate and key:

$ curl -E <cert file> --key <key file> ...

To authenticate with username and password:

$ curl --user <username>:<password> ...

Examples

To retrieve certificates from CA:

$ curl http://$HOSTNAME:8080/ca/rest/certs

To retrieve certificate requests from CA:

$ curl -k \
    --cert-type P12 \
    --cert ~/.dogtag/pki-tomcat/ca_admin_cert.p12:Secret.123 \
    https://$HOSTNAME:8443/ca/rest/agent/certrequests

To update TPS configuration:

$ SSL_DIR=~/.dogtag/pki-tomcat/ca/alias/ curl \
    -E "caadmin:Secret.123" \
    -H "Content-Type: application/xml" \
    -X PATCH \
    --data @input.xml \
    https://$HOSTNAME:8443/tps/rest/config
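The examples above pass the PKCS #12 password on the command line and skip certificate verification with -k. As an added example (not code from the Dogtag wiki), the script below writes the same options to an owner-only curl config file read with -K, so the password stays out of the process list, and verifies the server with the CA certificate via --cacert; the Content-Type is picked from the data file's suffix using the two formats the service supports. The CA certificate path (ca_signing.crt) and the PKCS #12 path are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example, not code from the Dogtag wiki. Builds a curl config file so
# the PKCS #12 password is not visible in `ps`, and uses --cacert instead of
# -k. Paths for the CA certificate and the PKCS #12 file are assumptions.

# pki_curl_config <out> <p12-file> <p12-password> <cacert> <method> <url> [data-file]
# Writes an owner-only (0600) curl config file and prints its path.
pki_curl_config() {
    out=$1 p12=$2 pass=$3 cacert=$4 method=$5 url=$6 data=${7:-}
    [ -r "$p12" ]    || { echo "cannot read PKCS #12 file: $p12" >&2; return 1; }
    [ -r "$cacert" ] || { echo "cannot read CA certificate: $cacert" >&2; return 1; }
    ctype=
    if [ -n "$data" ]; then
        case "$data" in                 # only the two formats PKI services accept
            *.xml)  ctype=application/xml ;;
            *.json) ctype=application/json ;;
            *) echo "unsupported data format: $data" >&2; return 1 ;;
        esac
    fi
    (
        umask 077                       # subshell: caller's umask is untouched
        {
            printf 'cert-type = "P12"\n'
            printf 'cert = "%s:%s"\n' "$p12" "$pass"
            printf 'cacert = "%s"\n' "$cacert"
            printf 'header = "Accept: application/json"\n'
            printf 'request = "%s"\n' "$method"
            if [ -n "$ctype" ]; then
                printf 'header = "Content-Type: %s"\n' "$ctype"
                printf 'data = "@%s"\n' "$data"
            fi
            printf 'url = "%s"\n' "$url"
        } > "$out"
    ) || return 1
    echo "$out"
}

# pki_curl <config>: -f makes HTTP 4xx/5xx a non-zero exit (so a rejected
# client certificate is not silently treated as success); -sS hides the
# progress meter but still prints the error.
pki_curl() {
    curl -fsS -K "$1"
}

# Example use (constructed paths; password read from a file, not typed inline):
# cfg=$(pki_curl_config "$HOME/.dogtag/pki.cfg" "$HOME/.dogtag/pki-tomcat/ca_admin_cert.p12" \
#       "$(cat "$HOME/.dogtag/p12pass")" ca_signing.crt PATCH \
#       "https://$HOSTNAME:8443/tps/rest/config" input.xml) && pki_curl "$cfg"
```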

See Also
