Testing client certificates with Curl

Posted on November 21, 2016 in Uncategorized

One way some websites ensure secure communication between web clients and the web server is mutual authentication (mutual TLS). Here the requestor, or client, must prove its identity to the server by presenting a valid, known SSL certificate, and the server must also present a valid certificate identifying itself to the client. This can be tricky to test with curl, and depending on your setup it can be done several ways.

In the simplest form we pass the SSL certificate and private key as arguments on the command line. If there is a password associated with the cert you can append it to the cert name, separated by a colon; otherwise curl will prompt you for the password when the command runs.

> curl --cert <certificate[:password]> --key <key> [URL]
# example
> curl --cert cert.crt --key client.key https://example.com/healthz

The SSL cert and key can also be concatenated into a single file and passed via the --cert argument, skipping --key. You can also specify the certificate format (PEM, DER, ENG) with --cert-type, but we'll stick with PEM, which is the default.
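As an added example (not code from the original post), the POSIX shell script below composes the --cert/--key arguments from what is on disk, dropping --key when the PEM file already contains the private key and appending the colon-separated password when one is given, then probes a URL both anonymously and with the client identity so the two outcomes can be compared. The file names and URL are placeholders.

```shell
# Added example (not from the original post): build curl's client-identity
# arguments from the files on disk, then probe a URL with and without them.
# File names and the URL are placeholders.

# Print the curl arguments for a client identity.
#   $1 = certificate file (PEM); may also contain the private key
#   $2 = key file (PEM); empty when the key is inside $1
#   $3 = optional password protecting the key (curl wants it as cert:password)
client_cert_args() {
    cert=$1; key=$2; pass=$3
    [ -r "$cert" ] || { echo "cert file not readable: $cert" >&2; return 1; }
    # A combined PEM carries both blocks, so --key must be left out.
    if grep -q 'BEGIN CERTIFICATE' "$cert" && grep -q 'PRIVATE KEY' "$cert"; then
        key=""
    elif [ -z "$key" ]; then
        echo "no private key in $cert and no key file given" >&2; return 1
    elif [ ! -r "$key" ]; then
        echo "key file not readable: $key" >&2; return 1
    fi
    if [ -n "$pass" ]; then
        printf -- '--cert %s:%s' "$cert" "$pass"
    else
        printf -- '--cert %s' "$cert"
    fi
    [ -n "$key" ] && printf -- ' --key %s' "$key"
    printf '\n'
}

# Request $1 twice, once anonymously and once with the client identity,
# and report the HTTP status and curl exit code for each. A server that
# enforces mutual TLS should fail the anonymous attempt (non-zero curl
# exit or a 4xx) and answer 200 to the authenticated one.
# Paths and password must not contain whitespace (simple word splitting).
mtls_probe() {
    url=$1
    args=$(client_cert_args "$2" "$3" "$4") || return 1
    for mode in without with; do
        if [ "$mode" = with ]; then set -- $args; else set --; fi
        rc=0; code=$(curl -sS -o /dev/null -w '%{http_code}' "$@" "$url") || rc=$?
        echo "$mode client cert: http=$code curl_exit=$rc"
    done
}

# Usage: sh mtls_probe.sh https://example.com/healthz client.crt client.key [password]
if [ $# -ge 2 ]; then mtls_probe "$@"; fi
```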

If you are on OS X you will find that the stock curl is not ideal (maybe it's too old, or a custom build). There are a few solutions:

  1. Use Homebrew to install a more recent version of curl. You will need to add /usr/local/bin to your PATH environment variable, and may even consider renaming the original /usr/bin/curl if there is a conflict.
  2. Use Docker to run the latest curl in a container. This is a great example of how Docker can be used to eliminate platform dependencies.

Here's an example of using Docker to execute a curl command:

docker run -it \
 -v $(pwd)/client.key:/var/cert/client.key \
 -v $(pwd)/client.cer:/var/cert/client.crt \
 speg03/curl \
 --key /var/cert/client.key \
 --cert /var/cert/client.crt \
 https://example.com/healthz

In this command we mount our local cert and key files inside the container so that curl running there can read them.