cacert-devel - Re: FW: [HTTPS API] CSR format; certificate auth; also: SUBSCRIBE with other address

Subject: CAcert Code Development list.

  • From: Philipp Gühring <pg AT futureware.at>
  • To: cacert-devel AT lists.cacert.org,ulrich AT cacert.org,mapc AT cupdev.net
  • Subject: Re: FW: [HTTPS API] CSR format; certificate auth; also: SUBSCRIBE with other address
  • Date: Thu, 06 Jun 2013 11:59:27 +0200

Hi,

Please use POST instead of GET. The reason for this is that there are size limitations on the parameters for GET requests, and then we might get only half of the request, or it might suddenly break when someone switches to larger key sizes, ...
You need to generate the client cert and your private key with Firefox and then export both client cert and private key with Firefox with a password, and afterwards you can decrypt the file to use it automatically. If you would only download the certificate, you would be missing the private key, which is needed to use the client certificate.

Best regards,
Philipp Gühring



ulrich AT cacert.org wrote:
Hi guys,

one question from the floor ... please add the users email below
to your reply ... thnx

uli

-----Original Message-----
From: mapc [mailto:mapc AT cupdev.net]
Sent: Wednesday, June 05, 2013 6:50 PM
To: cacert-support AT lists.cacert.org
Subject: [HTTPS API] CSR format; certificate auth; also: SUBSCRIBE with other address


Hi

I have already sent this mail once, but I am not sure if it has arrived.
If nobody has an idea how to solve this problem… whom should I ask about it?

-----

I am trying to use the HTTPS API (documented here:
https://wiki.cacert.org/Software/CertApi) to batch-renew my certificates.
This is my current setup:
* I am using curl from shell
* I am using a GET request
* I am using ?password and ?username for auth; this works (tested on
api/cemails.php)
* The email[0] parameter is accepted by the API
* The actual CSR is not recognized

$ curl -v -Gd 'username=$MYLOGIN' -d 'password=$SECRET' -d
'email[0]=$CONTACT' -d "optionalCSR=`cat blog.cupdev.net.csr| tr '\n'
'\0' | sed 's/\0/%0a/g'`" 'https://www.cacert.org/api/ccsr.php'

This results in the following request (CSR shortened):

GET
/api/ccsr.php?username=$MYLOGIN&password=$SECRET&email[0]=$CONTACT&optionalCSR=-----BEGIN
CERTIFICATE REQUEST-----MIII1zCCBL...p8%0a=-----END CERTIFICATE
REQUEST-----%

Notice that each newline is being replaced with '%0a'; I also tried
removing the header and footer from the CSR and deleting the newlines.

How should I send the CSR?

For security reasons I would rather not authenticate using
username/password; instead I would like to use a client certificate.
This should be doable using -E but I was unable to download the client
certificate (Firefox just wanted to install it and the exported version
still required a password).

-----

Also: Is there any way I could add a subsection to my mail address on
this list: cacert-support.mapc AT cupdev.net?

Thank you very much,
mapc
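
Added example, not part of either message above: the procedure from the reply as a shell sketch, splitting the password-protected Firefox export (PKCS#12) into PEM files and sending the CSR in a POST body. The file names, the P12_PASS variable and the function names are hypothetical; that the API takes the same parameters by POST and accepts the client certificate in place of username/password is assumed from the reply, not verified here.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, file names and the
# P12_PASS variable are assumptions made for illustration.

# Split a password-protected PKCS#12 export (certificate + private key)
# into separate PEM files that curl can use without prompting.
# usage: P12_PASS=... ; export P12_PASS
#        p12_to_pem export.p12 client.crt client.key
p12_to_pem() (
    # Subshell body: the restrictive umask does not leak into the caller.
    umask 077
    # Certificate only (no key material in this file).
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
        -out "$2" || exit 1
    # Private key only, written unencrypted so it can be used unattended.
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        -out "$3" || exit 1
    # Sanity check: the extracted key must belong to the certificate.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$3" -pubout) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# POST the CSR, authenticating with the client certificate.
# --data-urlencode name@file percent-encodes the whole file, including
# newlines, '+', '/' and '=', and sending data makes curl use POST.
# usage: post_csr client.crt client.key request.csr contact@example.org
post_csr() {
    curl --fail --silent --show-error \
        --cert "$1" --key "$2" \
        --data-urlencode "email[0]=$4" \
        --data-urlencode "optionalCSR@$3" \
        'https://www.cacert.org/api/ccsr.php'
}

# Typical sequence (commented out so sourcing this file has no effect):
#   P12_PASS='export password'; export P12_PASS
#   p12_to_pem firefox-export.p12 client.crt client.key &&
#       post_csr client.crt client.key blog.cupdev.net.csr "$CONTACT"
```

The extracted key file is unencrypted, so it needs the same protection the export password used to provide (owner-only permissions, kept off shared hosts and out of backups that others can read).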


