Sunday, September 4, 2022

[SOLVED] mTLS without Certificate Authority

Issue

I am trying to implement the scenario Require the client to identify itself (two-way TLS) that is described on https://github.com/Hakky54/mutual-tls-ssl#require-the-client-to-identify-itself-two-way-tls.

The API server is created with https://quarkus.io/ along with a keystore and a truststore. The keystore contains the certificate plus the private key and the truststore contains the client certificate for the client identification.

Now, I would like to do the request to the API server via curl instead of the Java REST client.

I have found, maybe the solution on https://stackoverflow.com/a/58920225/1743843 with the command:

curl --key client.key --cert client.crt --cacert bundle.pem -X GET -v https://x.x.x.x:xxxx/folder/endpoint

the option --cacert needs to be passed. However, I would like to do Require the client to identify itself (two-way TLS), not Two way TLS based on trusting the Certificate Authority. The question is, can I pass the server certificate instead of the CA certificate on the option --cert anyway, or is there another option?

I would like to do it without a self-signed certificate.


Solution

Yes, you can pass the --cert option, however you need to provide a Base64 encoded private key pair file. In that tutorial the keystore files are used as jks, which you first need to convert to something that curl will understand, in this case a pem file. What you need to do is:

  1. Convert keystore to p12 file
  2. Convert p12 file to pem file
  3. Run curl command with pem files

Convert keystore to p12 file

keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.p12 -srcstoretype JKS -deststoretype PKCS12
keytool -importkeystore -srckeystore identity.jks -destkeystore identity.p12 -srcstoretype JKS -deststoretype PKCS12

Convert p12 file to pem file

openssl pkcs12 -in truststore.p12 -out trusted-certificates.pem
openssl pkcs12 -in identity.p12 -out identity.pem

Run curl command with pem files

curl --cert identity.pem --cacert trusted-certificates.pem https://localhost:8443/api/hello

These steps can also be found here: GitHub Gist - Curl with Java KeyStore



Answered By - Hakan54
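As an added example that is not part of the original answer or of the Hakky54 project: a Python check for the identity.pem produced in step 2 (curl reads the client key from the --cert file when no --key is given, so the file must hold both the private key and the certificate, and `openssl pkcs12` encrypts the exported key unless `-nodes` is given), plus the Python counterpart of the curl call in step 3. File names, port and path are the ones from the answer; the sample PEM texts are constructed with fake bodies.

```python
import re
import ssl
import http.client

# One PEM block: the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Labels of the PEM blocks in a file, in order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def check_identity_pem(pem_text):
    """Is this file usable as `curl --cert identity.pem`? Returns (ok, notes).
    curl takes the client key from the --cert file when --key is not given, so the
    file must hold exactly one private key plus the client certificate."""
    types = pem_block_types(pem_text)
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    has_cert = "CERTIFICATE" in types
    notes = []
    if len(keys) != 1:
        notes.append("expected exactly one private key block, found %d" % len(keys))
    if not has_cert:
        notes.append("no CERTIFICATE block: curl needs the client certificate in the --cert file")
    # `openssl pkcs12 -in identity.p12 -out identity.pem` encrypts the key unless -nodes is given.
    if "ENCRYPTED PRIVATE KEY" in keys or "Proc-Type: 4,ENCRYPTED" in pem_text:
        notes.append("key is passphrase-protected: use `--cert identity.pem:<pass>` or `--pass`")
    return (len(keys) == 1 and has_cert, notes)

def mtls_context(identity_pem, trusted_certificates_pem, key_passphrase=None):
    """Python counterpart of `curl --cert identity.pem --cacert trusted-certificates.pem`:
    trust only the certificates exported from the client truststore (the server's own
    certificate, no public CA) and present identity.pem as the client identity."""
    ctx = ssl.create_default_context(cafile=trusted_certificates_pem)  # system CAs are not loaded
    ctx.load_cert_chain(certfile=identity_pem, password=key_passphrase)
    return ctx

def get_hello(ctx, host="localhost", port=8443, path="/api/hello"):
    """GET over the mutual-TLS context; the handshake fails if either side's check fails."""
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.read().decode()

# Constructed sample files (fake base64 bodies; layout mirrors `openssl pkcs12` output).
IDENTITY_OK = ("Bag Attributes\n    friendlyName: client\n-----BEGIN PRIVATE KEY-----\nMIIE...\n"
               "-----END PRIVATE KEY-----\nBag Attributes\n-----BEGIN CERTIFICATE-----\nMIID...\n"
               "-----END CERTIFICATE-----\n")
IDENTITY_ENCRYPTED = IDENTITY_OK.replace("PRIVATE KEY-----", "ENCRYPTED PRIVATE KEY-----")
IDENTITY_CERT_ONLY = IDENTITY_OK[IDENTITY_OK.index("Bag Attributes\n-----BEGIN CERT"):]
```

Run `check_identity_pem(open("identity.pem").read())` before the curl call; an empty notes list means the file will work as `--cert` without a passphrase.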