From OpenWetWare

Using wget to download files from certificate-protected sites at MIT:

  • Download MIT CA
  • Convert the extracted MIT CA from DER to PEM format:
openssl x509 -out mitca.pem -outform pem -in mitca.crt -inform der 
  • Install personal MIT certificate into web browser
  • Extract the private key and the client certificate from the .p12 file (converting from PKCS#12 to PEM). The first command extracts the private key and the second one extracts the certificate, which contains the public key:
openssl pkcs12 -nocerts -in usercert.p12 -out ~user/userkey.pem
chmod 400 ~user/userkey.pem
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/usercert.pem
  • Use the certificates to download files:
wget --private-key=/home/user/userkey.pem \
--certificate=/home/user/usercert.pem \
--ca-certificate=/home/user/mitca.pem \
<URL>

You won't need the --ca-certificate flag if the server's SSL certificate is signed by a CA recognized in wget's default CA bundle. More importantly, if you remove the --certificate and --private-key parts, that wget should FAIL, giving you an error something like this: OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
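
Before pointing wget at the extracted files it is worth confirming that the key and certificate really form a pair, that the key file is readable only by its owner, and that the certificate has not expired. The script below is an added example, not part of the original page; the function names, the pass:demo pass phrase and the demo files k.pem, c.pem and other.pem are constructed for the illustration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks on the PEM
# files before they are handed to wget. Function names are this example's own.

# Public key in PEM form. $2 of pubkey_of_key is an optional openssl
# pass-phrase source (e.g. file:/path) for an encrypted key.
pubkey_of_key()  { openssl pkey -in "$1" -pubout ${2:+-passin "$2"} 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only if both files parse and carry the same public key.
key_matches_cert() {  # key.pem cert.pem [passin]
    k=$(pubkey_of_key "$1" "$3") && c=$(pubkey_of_cert "$2") &&
        [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only if group and others have no permission bits on the file.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# True only if the certificate is still valid 24 hours from now.
cert_not_expiring() { openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1; }

# Constructed demo input: a throwaway self-signed identity bundled as a .p12,
# then split with the same two pkcs12 commands the page uses. umask 077 keeps
# the key from ever being created group- or world-readable.
make_demo() {  # make_demo <dir>
    ( cd "$1" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=constructed demo" -keyout k.pem -out c.pem &&
      openssl pkcs12 -export -inkey k.pem -in c.pem -out usercert.p12 \
          -passout pass:demo &&
      openssl pkcs12 -nocerts -in usercert.p12 -passin pass:demo \
          -passout pass:demo -out userkey.pem &&
      chmod 400 userkey.pem &&
      openssl pkcs12 -clcerts -nokeys -in usercert.p12 -passin pass:demo \
          -out usercert.pem &&
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.pem
    ) >/dev/null 2>&1
}

# Usage on real files (openssl prompts for the key's pass phrase):
#   key_matches_cert ~user/userkey.pem ~user/usercert.pem && \
#   key_is_private ~user/userkey.pem && cert_not_expiring ~user/usercert.pem
```

A mismatch reported by key_matches_cert usually means the key and certificate were exported from different .p12 files.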


Relevant options, from the wget man page:

      --certificate=file
          Use the client certificate stored in file.  This is needed for
          servers that are configured to require certificates from the
          clients that connect to them.  Normally a certificate is not
          required and this switch is optional.
      --private-key=file
          Read the private key from file.  This allows you to provide the
          private key in a file separate from the certificate.
      --ca-certificate=file
          Use file as the file with the bundle of certificate authorities
          ("CA") to verify the peers.  The certificates must be in PEM format.
      --no-check-certificate
          Don't check the server certificate against the available certificate authorities.