I'm trying to use a PKCS12 client certificate with curl 7.58.0 and OpenSSL 1.1.1 on Ubuntu 18.04 server.
My certificate info is:
~# openssl pkcs12 -info -in cert.p12 -noout -nomacver
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
When I try to use it with curl like this:
curl --cert-type P12 --cert cert.p12:******* https://server.com
I get
curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
How can I make curl/openssl accept this certificate?
I tried --insecure and --tlsv1.0 but none of them worked for me.
EDIT
Output of openssl pkcs12 -in cert.p12 -nokeys | openssl x509 -text -noout is:
Enter Import Password:
MAC verified OK
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1558524593 (0x5ce532b1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=IR, ST=Tehran, O=IPM, OU=IRNIC dotIR ccTLD, CN=IRNIC department/emailAddress=info@nic.ir
Validity
Not Before: May 22 11:29:53 2019 GMT
Not After : Nov 22 11:29:53 2019 GMT
Subject: C=IR, ST=Tehran, L=Tehran, O=Hamid Reza Naeini, OU=Hamid Reza Naeini, CN=da74-irnic,T234/emailAddress=nic@fanavaidc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
40:F0:CE:06:33:DD:40:3B:69:F2:97:89:43:EF:8D:12:BB:88:E7:2A
X509v3 Authority Key Identifier:
keyid:FC:D4:95:B1:9E:AD:B8:1B:94:09:3B:77:A1:CF:09:D7:F5:D6:BE:BE
DirName:/C=IR/ST=Tehran/O=IPM/OU=IRNIC dotIR ccTLD/CN=IRNIC department/emailAddress=info@nic.ir
serial:AF:4A:3A:99:D9:CE:99:C1
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
Best Answer
Surprisingly, you can downgrade your OS to use an older version of curl and it works! We use Ubuntu 16.04 instead of 19.10 and we can connect to the nic server.
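Added example, not part of the question or the answer above: a shell triage of `openssl x509 -text -noout` output for the two certificate properties that OpenSSL's security levels restrict, the signature digest (the source of "ca md too weak") and the RSA key size. The function names are hypothetical and the sample input is constructed from the relevant lines of the output quoted in the question.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage the text printed by
# `openssl x509 -text -noout` for the certificate properties that OpenSSL's
# security levels restrict: the signature digest and the RSA key size.

# Constructed sample: the relevant lines of the output quoted in the question.
sample_cert_text() {
cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption
EOF
}

# Highest security level whose minimum RSA size the key still meets.
# Minimums per the SSL_CTX_set_security_level documentation:
# level 1: 1024, level 2: 2048, level 3: 3072, level 4: 7680, level 5: 15360.
rsa_max_level() {
    local bits=$1 level=0 min
    for min in 1024 2048 3072 7680 15360; do
        [ "$bits" -ge "$min" ] || break
        level=$((level + 1))
    done
    echo "$level"
}

# Reads x509 text on stdin; prints one finding per line. Only MD5 is judged.
triage_cert() {
    local text sig alg bits
    text=$(cat)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9]*\) bit).*/\2/p' | head -n 1)
    case "$sig" in
        md5*) echo "signature=$sig verdict=rejected-at-level-1-and-above" ;;
        "")   echo "signature=unknown verdict=not-checked" ;;
        *)    echo "signature=$sig verdict=not-md5" ;;
    esac
    if [ "$alg" = "rsaEncryption" ] && [ -n "$bits" ]; then
        echo "rsa_bits=$bits max_security_level=$(rsa_max_level "$bits")"
    fi
}

sample_cert_text | triage_cert
```

To check a real file, pipe the command from the question's EDIT into `triage_cert` instead of the sample.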