06-19-2012 11:34 AM
A vendor is switching to FTPS (not SFTP) and they have provided me with some SSL certificates. I need to put these certificates somewhere and use them to send the files.
I've heard rumors of using cURL and WU-FTP but the documentation isn't that great. Has anyone done this before? All of the research I've done always just ends up with people getting confused about the difference between SFTP and FTPS.
06-20-2012 12:15 AM - edited 06-20-2012 12:20 AM
You said you're supposed to send files, so I assume you're going to act as an FTPS client and connect to the vendor's FTPS server. Is this correct?
In that case, you won't need to deal with WU-FTP, since it is the server-side component: cURL has all the client-side functionality you need.
To send files with curl using FTPS and certificate-based authentication, the command would be like this:
curl -E <your certificate file> --cacert <CA/remote certificate file> -T <file(s) to send> ftps://server.vendor.com/directory/
You might also need the -u option to specify the username to use when logging in to the vendor's server, and possibly the --cert-type option to specify the encoding of the SSL certificate files. If the private key of your certificate is in a separate file, you'll need the --key option to specify the name of the private key file, and optionally the --key-type option to specify the encoding of the key.
The location of the certificate files does not matter in this case: they just need to be accessible to the curl command.
If you're using HP-UX 11.31 and have the patch PHNE_39072 (or a superseding patch) installed, then the HP-UX default ftp command has the FTPS functionality built in. See "man ftp" in that case.
You said you've received "some SSL certificates". The first thing would be to understand the purpose of each certificate you've received.
- If there is a certificate that includes a private key, the purpose of that certificate is to prove your identity to the vendor's server. The private key may be protected with a password; it is important that you know the password, because without it the certificate is useless. (You can remove the password protection if necessary.)
- A certificate without the corresponding private key should be either a CA certificate, or the certificate of the vendor's server. It allows you to verify that you're actually communicating with the vendor's server and not with an imposter.
The second important thing would be the encoding of your certificate files. Like many Unix SSL/TLS tools, curl prefers PEM encoded certificates and private keys. These are text files, and might look like this:
-----BEGIN CERTIFICATE-----
MIIGCjCCA/KgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBmzEkMC
IGA1UEAxMbTWF0
<... many more lines of alphabet soup ...>
-----END CERTIFICATE-----
Or, in the case of a private key file:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EFACFDA5698191B1

Vc/B6UXW9q84ZCY73fK6aFkJsrkRMcuR2iY60tNv6fAQMWHzhT
FvUydfHjxLdCle
<... many more lines of alphabet soup ...>
-----END RSA PRIVATE KEY-----
In PEM encoding, the certificate and its private key may or may not be in the same file: if they are in the same file, one is just appended after another. The order does not usually matter.
It might be helpful to know how to view the certificate in human-readable form. These commands can be used to view the certificate and its attributes:
openssl x509 -in <PEM-format certificate file> -noout -text
openssl x509 -in <DER-format certificate file> -inform DER -noout -text
If the vendor uses Windows, the certificate might be in a binary format, which is usually DER encoded. In this case, there might be an added complication: if the certificate file has a suffix like .pfx or .p12, it is a "container format" which can include both one or more certificates and their associated private keys. cURL can read basic DER encoded files, but not necessarily the container formats. Fortunately, it is relatively easy to use OpenSSL tools to extract the certificates and the private keys from the container format files:
openssl pkcs12 -in <.p12 or .pfx file> -out <PEM output file>
This command may prompt for a password multiple times: first for the existing password for the .p12/.pfx file, and then for assigning a new password to protect the private keys in the output file. Read the password prompts carefully to understand what is required.
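As an added example (not part of the original thread or the answer above), here is a small Python helper that does the triage the answer describes: it tells PEM from DER, recognizes certificates, private keys (and whether the key is password-protected) and PKCS#12 containers, and assembles the curl upload line from the roles it finds. The host server.vendor.com, the file names client.pem, vendor-ca.pem, vendor.pfx and report.csv, and the user name acme are assumptions; the embedded sample contents are constructed fragments with the right headers, not real certificates or keys.

```python
"""Sort out the files a vendor sent for FTPS and build the curl upload line.

Added example for this thread, not code from the original post. Standard
library only. Sample inputs below are constructed: the base64 bodies are
truncated fragments, and host, user and file names are made up.
"""
import re

# One PEM block; the back-reference makes the BEGIN and END labels agree.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def classify_pem(data):
    """List (kind, encrypted) for every PEM block in data; [] means it is not PEM."""
    found = []
    for m in PEM_BLOCK.finditer(data):
        label, body = m.group(1).decode("ascii"), m.group(2)
        if label == "CERTIFICATE":
            found.append(("certificate", False))
        elif label in LEGACY_KEY_LABELS:
            # OpenSSL "traditional" keys flag encryption with a Proc-Type header.
            found.append(("private key", b"Proc-Type: 4,ENCRYPTED" in body))
        elif label == "ENCRYPTED PRIVATE KEY":
            found.append(("private key", True))
        elif label == "PRIVATE KEY":
            found.append(("private key", False))
        else:
            found.append((label.lower(), False))
    return found


def _der_tlv(buf, pos):
    """Decode tag and definite-form length at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length


def classify_der(data):
    """Guess a binary file's type from the first element inside its outer SEQUENCE."""
    if len(data) < 4 or data[0] != 0x30:
        return "not DER"
    _, start, _ = _der_tlv(data, 0)
    if len(data) < start + 2:
        return "truncated DER"
    tag, vstart, vend = _der_tlv(data, start)
    if tag == 0x30:  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate (DER X.509)"
    if tag == 0x02:  # a leading INTEGER is a version number
        version = int.from_bytes(data[vstart:vend], "big")
        if version == 3:  # PFX ::= SEQUENCE { version INTEGER (3), ... }
            return "PKCS#12 container"
        if version == 0:  # RSAPrivateKey and PKCS#8 PrivateKeyInfo both start with version 0
            return "private key (DER)"
    return "unknown DER structure"


def describe(name, data):
    """Say what a received file is and which curl option(s) it belongs to."""
    blocks = classify_pem(data)
    if blocks:
        kinds = {k for k, _ in blocks}
        encrypted = any(e for _, e in blocks)
        if "private key" in kinds:
            args = ["-E", name] if "certificate" in kinds else ["--key", name]
            note = "your identity" + (" (key is password-protected)" if encrypted else "")
        elif "certificate" in kinds:
            args, note = ["--cacert", name], "trust anchor for verifying the vendor's server"
        else:
            args, note = None, "unsupported PEM content: " + ", ".join(sorted(kinds))
        return {"file": name, "encoding": "PEM", "contents": blocks, "args": args, "note": note}
    kind = classify_der(data)
    if kind == "private key (DER)":
        return {"file": name, "encoding": "DER", "contents": [(kind, False)],
                "args": ["--key", name, "--key-type", "DER"], "note": "your identity"}
    advice = {  # curl's --cacert wants PEM, and it cannot read PKCS#12 containers
        "PKCS#12 container": "extract with: openssl pkcs12 -in %s -out %s.pem" % (name, name),
        "certificate (DER X.509)": "convert with: openssl x509 -inform DER -in %s -out %s.pem" % (name, name),
    }.get(kind, kind)
    return {"file": name, "encoding": "DER", "contents": [(kind, False)], "args": None, "note": advice}


def plan_upload(received, to_send, url, user=None):
    """Classify every received file and return the curl argv; raise if one still needs converting."""
    argv = ["curl"]
    for name, data in received.items():
        d = describe(name, data)
        if d["args"] is None:
            raise ValueError("%s: %s" % (name, d["note"]))
        argv += d["args"]
    if user:
        argv += ["-u", user]
    for f in to_send:
        argv += ["-T", f]
    return argv + [url]


# Constructed inputs: only the headers matter for the checks above.
SAMPLE_CLIENT_PEM = b"""-----BEGIN CERTIFICATE-----
MIIGCjCCA/KgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBmzEkMC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EFACFDA5698191B1

Vc/B6UXW9q84ZCY73fK6aFkJsrkRMcuR2iY60tNv6fAQMWHzhT
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIDdTCCAl2gAwIBAgIJ\n-----END CERTIFICATE-----\n"
SAMPLE_PFX_HEADER = bytes.fromhex("30820100020103")          # SEQUENCE { INTEGER 3 ... }
SAMPLE_DER_CERT_HEADER = bytes.fromhex("3082010030820000")   # SEQUENCE { SEQUENCE ... }

if __name__ == "__main__":
    print(describe("vendor.pfx", SAMPLE_PFX_HEADER)["note"])
    print(" ".join(plan_upload({"client.pem": SAMPLE_CLIENT_PEM, "vendor-ca.pem": SAMPLE_CA_PEM},
                               ["report.csv"], "ftps://server.vendor.com/directory/", "acme")))
```

The DER check reads only the first element inside the outer SEQUENCE, which is enough to tell a certificate (nested SEQUENCE), a PKCS#12 file (INTEGER 3) and a private key (INTEGER 0) apart, but it does not validate anything; the openssl x509 and openssl pkcs12 commands from the answer do that. One caveat on the URL: ftps:// in curl means implicit TLS on port 990. If the vendor's server expects explicit FTPS (TLS negotiated with AUTH TLS on port 21), use ftp:// with --ssl-reqd instead.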