Talking to Dogtag PKI via curl

As I dig deeper into the Dogtag code, I find I want to be able to talk to the web server from the command line, the same way I did for IPA work. Since Dogtag is certificate based, and the version of curl included in Fedora has NSS built in, I used the NSS/certificate approach.

When I started on IPA, I didn’t realize that NSS could mean “Network Security Services” as well as “Name Server Switch.” In this article, I mean the former.

First, a note on how I installed the server. I used a single set of ports for all SSL traffic:


pkicreate -pki_instance_root=/var/lib \
          -subsystem_type=ca \
          -pki_instance_name=pki-ca2 \
          -secure_port=8443 \
          -unsecure_port=8080 \
          -tomcat_server_port=8005 \
          -user=pkiuser \
          -group=pkiuser \
          -verbose

In the future I’ll use pkisilent to configure the server, but for this one I went through the WebUI setup. During the server setup process, the CA provides a certificate to the web browser that can be used for identification. In Mozilla, you can view the certificate with:

Edit->Preferences->Advanced->Encryption->View Certificate->Your Certificates

Select the “backup” or “backup all” options to save to a PKCS12 file format. I chose backup all and called the file


Create a new NSS database and set the environment variable that tells curl to use it.


certutil -N -d $PWD/db
export SSL_DIR=$PWD/db

Now import the keys into the database.

pk12util  -d $PWD/db -i ipa-server-3.p12 

You’ll be prompted for both the new database and the PKCS12 file passwords.

Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 


To confirm your certificates are in there:

certutil  -d ./db/  -L

Which should produce something along the lines of:

Certificate Nickname                                         Trust Attributes

ipa-server-3-CA                                              C,,  
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
KRA Administrator of Instance pki-kra2's AyoungBostonDevelRedhat Domain ID u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID u,u,u

Note that I have the CA cert in there as well, but it didn’t seem to work for me during the curl stage.

I got the CA.crt from the WebUI:


And just cut and pasted it to a file.

Now to run curl:

curl --cacert ./CA.crt  \
     --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID"  \
     "https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6" \
     --pass freeipa4all

The --cacert parameter is a file name, whereas --cert is the nickname from the NSS database.
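Since the value passed to --cert has to match a nickname in the database exactly, the following added example (not part of the original post) extracts the usable client-certificate nicknames from `certutil -L` output and selects the one for a given instance. The function names are hypothetical, the embedded listing is the one shown above, and it assumes nicknames follow the "Instance <name>'s" pattern seen in that listing.

```bash
#!/bin/bash
# Added example (not from the original post). Function names are hypothetical.

# Constructed input: the `certutil -L` listing shown earlier in the post.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes

ipa-server-3-CA                                              C,,  
OCSP Administrator of Instance pki-ocsp's AyoungBostonDevelRedhat Domain ID u,u,u
KRA Administrator of Instance pki-kra2's AyoungBostonDevelRedhat Domain ID u,u,u
CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID u,u,u
EOF
}

# Read `certutil -L` output on stdin; print the nicknames usable as a client
# certificate, i.e. those whose SSL trust field contains 'u' (private key present).
client_cert_nicknames() {
    awk '
        # The trust column is the last field: three comma-separated flag groups.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, trust, ",")
            if (trust[1] !~ /u/) next              # e.g. "C,,": CA cert only
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)  # strip the trust column
            print line                             # nickname, spaces intact
        }'
}

# Print the one client nickname naming instance $1. Returns non-zero when zero
# or several match, so curl is never handed a guessed nickname.
nickname_for_instance() {
    matches=$(client_cert_nicknames | grep -F -- "Instance $1's" || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    [ "$count" -eq 1 ] && printf '%s\n' "$matches"
}

# Demo: the value to pass to `curl --cert` for the pki-ca2 instance.
sample_listing | nickname_for_instance pki-ca2
```

Against a real database, replace `sample_listing` with `certutil -d ./db/ -L`.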

One thought on “Talking to Dogtag PKI via curl”

  1. That’s nice, thanks for writing this up.

    For others who’re reading, Adam figured the URLs by –right click, ‘This Frame’ -> ‘Show only this frame’
