Problem fixed:

1) Convert server cert
openssl x509 -inform DER -outform PEM -in servercert.crt -out servercert.pem

2) Break out user cert and key from container
openssl pkcs12 -nocerts -in user.p12 -out userkey.pem
openssl pkcs12 -nokeys -in user.p12 -out usercert.pem

3) wget it
wget --private-key=userkey.pem --certificate=usercert.pem --ca-certificate=servercert.pem https://IP_ADDRESS:PORT/file.txt

On Wed, Jun 8, 2011 at 11:44 AM, brad bruggemann <[email protected]> wrote:
> I wasn't aware that after I converted the cert that I needed to place the
> converted cert into the keystore. Here's what I've now done to add the cert.
>
> Server Side:
>
> 1. Generate a new keypair for wget
> # keytool -genkeypair -alias wget -keystore /keys/wget.p12 -storetype pkcs12 -keyalg RSA -dname "CN=wget,OU=test,O=test,L=city,S=South Carolina,C=US" -keypass XXXX -storepass XXXX -validity 365
>
> 2. Create certificate for wget
> # keytool -export -alias wget -file /keys/wget.cer -keystore /keys/wget.12 -storetype pkcs12 -storepass XXXX -validity 365
>
> 3. Add wget to keystore
> # keytool -import -keystore /keys/keystore.jks -alias wget -file /keys/wget.cer -v -trustcacerts -noprompt -storepass XXXX
>
> 3. Send remote box wget cert
> # scp /keys/wget.cer user@ip:/tmp/wget.cer
>
> Client Side:
>
> 4. Try wget
> wget --secure-protocol=TLSv1 --certificate-type=DER --certificate=/tmp/wget.cer --password=XXXX https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>
> output gives me an openssl error of:
>
> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> On Wed, Jun 8, 2011 at 8:01 AM, Giuseppe Scrivano <[email protected]> wrote:
>
>> please keep the mailing list CC'ed in your replies.
>>
>> It seems the server doesn't accept the client certificate. Are you sure
>> the cert.pem certificate is included in keystore.jks?
>>
>> Giuseppe
>>
>> brad bruggemann <[email protected]> writes:
>>
>> > Giuseppe,
>> >
>> > There's a correction to my original post. The output that I get when I
>> > run the original command (with secure-protocol) is:
>> >
>> > OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>> >
>> > When I run it without secure-protocol I get:
>> >
>> > OpenSSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
>> >
>> > On Wed, Jun 8, 2011 at 7:08 AM, Giuseppe Scrivano <[email protected]> wrote:
>> >
>> > brad bruggemann <[email protected]> writes:
>> >
>> > > Use wget to grab file:
>> > > wget --secure-protocol=TLSv1 --certificate-type=PEM --certificate=/path.to/cert.pem --password=XXXX https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>> >
>> > what does happen if you don't specify --secure-protocol?
>> >
>> > Cheers,
>> > Giuseppe
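The fix above, rebuilt as an added shell example that is not part of the thread: it constructs throwaway test material with openssl (a self-signed server cert exported as DER and a client key and cert bundled into a PKCS#12 file), applies the same DER-to-PEM and PKCS#12 extraction steps, and then checks that the extracted private key really belongs to the client cert, which is the pairing the earlier cert-only attempt lacked. The working directory, the container password and the certificate subjects are constructed placeholders.

```shell
# Added example, not from the thread: rerun the fix's conversions on
# constructed test material and check the outputs before handing them to wget.
set -euo pipefail
WORK=$(mktemp -d)
P12PASS=changeit   # constructed throwaway container password

# Constructed fixture: self-signed server cert exported as DER (the role of
# servercert.crt) and a client key+cert bundled into a PKCS#12 (user.p12).
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server" \
    -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/servercert.crt"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=wget" \
    -keyout "$WORK/client.key" -out "$WORK/client.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -out "$WORK/user.p12" -passout "pass:$P12PASS"
}

# Step 1 of the fix: DER server cert -> PEM, the format --ca-certificate expects.
convert_server_cert() {
  openssl x509 -inform DER -in "$WORK/servercert.crt" \
    -outform PEM -out "$WORK/servercert.pem"
}

# Step 2: split the container into key and cert. -nodes leaves the key
# unencrypted so wget is not stopped by a passphrase prompt.
split_p12() {
  openssl pkcs12 -in "$WORK/user.p12" -nocerts -nodes \
    -passin "pass:$P12PASS" -out "$WORK/userkey.pem"
  openssl pkcs12 -in "$WORK/user.p12" -nokeys \
    -passin "pass:$P12PASS" -out "$WORK/usercert.pem"
}

# Check: the extracted key must belong to the client cert (compare SHA-256 of
# the public key derived from each). A cert presented without its key, as in
# the earlier attempt, is what the server's "bad certificate" alert rejects.
key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$WORK/userkey.pem" -pubout | openssl sha256)
  from_cert=$(openssl x509 -in "$WORK/usercert.pem" -pubkey -noout | openssl sha256)
  [ "$from_key" = "$from_cert" ]
}

# Check: the file parses as a PEM certificate. True for the converted copy,
# false for the original DER, which is why wget needed step 1.
is_pem_cert() {
  openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}
```

After the checks pass, the three PEM files are the ones to pass as --private-key, --certificate and --ca-certificate in the wget command from step 3.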
