Curl Global Community

Full Version: Protecting SSL private key in a Curl script

Hello Folks,

I am not a very deeply practiced coder, and I ran into a problem using CURL on one of my devices:
The situation: I have a smart device - planned to sell to the public - which has to connect to servers/cloud/etc.
These servers are using SSL and certificates not just to secure the communication channel between the client and the server, but also to authenticate the client on the server. No valid device cert, no download, no data exchange, no connection, nothing.
So I have to install a certificate on it and pass it to the CURL script.
1. I have to give the cert. It is OK.
2. If the CA is not a valid one, I have to give my CA's cert. It is OK also.
3. I have to give the private key of the device certificate - and that's where I have the problem! If I do not use a password for the key, anybody who has the device and hacks it somehow can steal this identity and ruin the network of those devices which are using this certificate.
The situation is the same if I protect the key with a password and put it in the curl script in plain text.
If I do not provide the password for the private key, the identity will not be validated, so the connection will not be established.

What is the solution or the best practice for a case like this?

I'm not sure whether you are asking a question about the Curl Programming Language ( https://en.wikipedia.org/wiki/Curl_(prog..._language) ) or a question about cURL, a client-side transfer library. If you meant the latter, this is probably not the right place for you ... see https://curl.haxx.se/ for more about cURL.