Hi I am having a big headache trying to curl a REST web service I created locally over SSL. I keep getting the message "curl: (60) SSL certificate problem: self signed certificate More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option."

Here the steps I followed

1. created my own CA certificate with OpenSSL private certificate and key pair OpenSSL req -x509 -new -config c:\X509CA\openssl.cfg -days 365 -out c:\X509CA\ca\private_ca.pem -keyout c:\X509CA\ca\private_ca_pk.pem my CN: RESTfulCustomer

2. created the keystore and mycert.pem keytool -genkey -validity 365 -alias myalias -keypass password -keystore myKeyStore.jks -storepass password used the same CN as above

3. Created a certificate signing request keytool -certreq -alias myalias -file myCert_csr.pem -keypass password -keystore myKeyStore.jks -storepass password

4. Signed the CSR with openssl ca -config c:\X509CA\openssl.cfg -days 365 -in c:\path\to\key_store\myCert_csr.pem -out c:\path\to\key_store\myCert.pem

5. Converted to PEM format - Convert the signed certificate, CertName.pem, to PEM only format, as follows: Openssl x509 -in c:\path\to\key_store\myCert.pem -out c:\path\to\key_store\myCert.pem -outform PEM

6. concatenated the CA certificate file and the certName.pem copy myCert.pem + c:\X509CA\ca\new_ca.pem myCert.chain
7. Updated keystore with the full certificate chain - Update the keystore, CertName.jks, by importing the full certificate chain for the certificate, as follows: keytool -import -file myCert.chain -keypass password -keystore myKeyStore.jks -storepass password finally imported it into firefox, updated my server.xml apache tomacat 7 starts ok and I could navigate to my ssl webpage with no problems. Curl does not work without using --insecure. My Curl command curl -v --cacert ca.pem https://localhost:8443/RESTfulCustomer/customers.json

the curl command above gives me the message "curl: (60) SSL certificate problem: self signed certificate"

Running the Curl command for http//localhost:8080/RESTfuCustomer.customers.json with ssl disabled works fine.

I imported the ca.pem into myKeyStore.jks and restarted Apache. Environemnt windows 7,apache tomcat 7, spring security 3.1, curl 7.30.0 (i386-pc-win32) libcurl/7.30.0 OpenSSL/1.0.1c zlib/1.2.7

any help would be really appreciated thanks

please refer to that following answer:

• https://stackoverflow.com/a/28927268/1290438

to sum up:

% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://example.com

and tada, you connect securely to a self-signed website.