Timeline for How to trust self-signed certificate in cURL command line?
Current License: CC BY-SA 4.0
11 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Apr 7, 2019 at 13:45 | comment added | V13 | | You cannot "trust" a self-signed certificate, unless you want to treat it as a trusted certificate itself for validation purposes, which would be the equivalent of a CA cert. In that case you'd use the same certificate as a CA cert, but that will also require the cert to be tagged as a CA. Please read the rest of the comments. Also, the question has been altered since I posted this question. My response was to an earlier version which did not have the clarifications. |
| Apr 6, 2019 at 20:37 | comment added | Abdennour TOUMI | | It does not make sense to answer oppositely to the question. The question is about trusting a certificate and you are ignoring it!!! |
| Oct 18, 2018 at 1:00 | comment added | l0b0 | | Fantastic, that actually gets me somewhere. I'll try creating a CA. Do you want to post that as an answer? I'm afraid I find TLS certificates and the surrounding tools frustratingly obtuse and weird, and I really thought my original question was easy to answer because it's one I've encountered in several jobs and every "solution" has been to just ignore the problem until the configuration is in production and everything falls apart. Basically I just want to get as close to production as possible given the limitation of having to generate self-signed certificates. |
| Oct 18, 2018 at 0:34 | comment added | V13 | | I see that you have listed the generation of the cert. Cert validation needs to start from a CA and you don't use a CA, so you cannot possibly validate the cert. If you are looking for something like "openssl verify"'s -trusted then I don't think that exists. |
| Oct 18, 2018 at 0:17 | comment added | V13 | | I cannot see that from your post. There isn't a dump of the certificate in it. Curl probably relies on openssl to do the validations. The validations (may) include the proper flags for use (e.g. ssl server), CN name, date, chain validation, revocation check via CRL, revocation check via OCSP and probably something else that I'm forgetting. Your post doesn't mention any of these, nor does it show the certificate, and you keep updating it. I'd suggest forming a good question from scratch and taking the answers a bit more seriously instead of being rude to everyone who tries to help you. |
| Oct 18, 2018 at 0:03 | comment added | l0b0 | | You can see from the certificate that it does not have CA extensions. It's a self-signed certificate. I want cURL to do the same validations it does for any certificate. As `man curl` puts it: "The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store." Maybe that means I need a way to create a cert store for a self-signed certificate. |
| Oct 17, 2018 at 23:48 | comment added | V13 | | What does "trust it" mean in your mind? Is that a CA certificate (i.e. has the CA extensions) that you want to trust as a CA? Or is it a plain certificate and you want to make sure that this is the one you're receiving? Do you just want to look at the fingerprint of the key or the whole set of extensions? Do you maybe care just about the CN? |
| Oct 17, 2018 at 23:37 | comment added | l0b0 | | I wrote "How do I make cURL trust it". If I asked you how to open SSH to a specific IP, would you tell me to open it to every IP? |
| Oct 17, 2018 at 0:14 | comment added | V13 | | @l0b0: To make curl trust self-signed certificates. And it also says: "The goal is to enable HTTPS during development". `curl -k` achieves both. There is no validation in self-signed certificates, unless you are implying that you want to accept only a certain self-signed certificate, but this is not what the question says. Can you explain what your objection is? |
| Oct 17, 2018 at 0:08 | comment added | l0b0 | | The question is how to trust self-signed certificates, not how to bypass certificate validation. |
| Oct 16, 2018 at 23:55 | history answered | V13 | CC BY-SA 4.0 | |
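The thread above converges on "create a CA" as the way to keep curl's validation switched on during development rather than disabling it with `-k`. The script below is an added example, written for this page and not code posted by any of the commenters: it builds a throwaway local root tagged `CA:TRUE`, issues a separate server certificate for the dev host from it, and runs the same chain, purpose and hostname checks that curl applies when you hand it that root via `--cacert`. The hostname `dev.local`, the port `8443`, the file names, and the use of a temporary working directory are assumptions; `curl --cacert`, `CURL_CA_BUNDLE` and the `openssl` subcommands used are real, but the script assumes an OpenSSL CLI (1.1.0 or newer for `-no-CAfile`/`-no-CApath`) is installed.

```shell
#!/bin/sh
# Added example (not from any commenter above): a throwaway local CA so that
# curl can validate a development server certificate with --cacert instead of
# turning validation off with -k. Assumptions: the openssl CLI is installed,
# the dev hostname is dev.local, and the file names under $WORK are ours.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write ca.pem/ca.key (a root explicitly tagged as a CA) and server.pem/server.key
# (a leaf for dev.local issued by that root) into the given directory.
generate_dev_pki() {
  dir="$1"
  # x509v3 extensions: one profile for the root, one for the server leaf.
  cat > "$dir/ext.cnf" <<'EOF'
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dev.local, DNS:localhost, IP:127.0.0.1
EOF
  # Root: self-signed, but carrying CA:TRUE, so it is a valid trust anchor.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=Local dev CA" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
    -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/ca.pem" 2>/dev/null
  # Leaf: not self-signed; issued by the root, with the SANs curl will match.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=dev.local" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/ext.cnf" -extensions server_ext \
    -out "$dir/server.pem" 2>/dev/null
}

# The checks curl performs with --cacert: chain to the given anchor, server
# purpose flags, validity dates, and the hostname against the SANs.
# Arguments: <ca.pem> <server.pem> <hostname>. Returns 0 only if all pass.
verify_server_cert() {
  ca="$1"; leaf="$2"; host="$3"
  openssl verify -CAfile "$ca" -purpose sslserver -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

# The same leaf with no trust anchor at all (no CA file, no system CA dir):
# this is the failure curl reports before people reach for -k.
verify_without_trust_anchor() {
  openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

generate_dev_pki "$WORK"
echo "CA and server certificate written to $WORK"
echo "Serve https://dev.local:8443/ with $WORK/server.pem and $WORK/server.key, then:"
echo "  curl --cacert $WORK/ca.pem https://dev.local:8443/"
echo "or for a whole shell session:"
echo "  export CURL_CA_BUNDLE=$WORK/ca.pem"
```

Only `ca.pem` is handed to curl; `ca.key` stays on the machine that issues dev certificates, so a compromised dev box cannot mint new certificates that your tooling trusts. Hostname matching is done against `subjectAltName`, so the `DNS:`/`IP:` entries in `server_ext` are what you change when the dev server moves, and `verify_server_cert` with a name not in that list fails exactly as curl would.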