How to Use curl with Client Certificate and Key for mTLS

Mutual TLS (mTLS) ensures secure, two-way authentication where both the client and the server verify each other’s certificates. This article provides a quick, practical guide on how to pass a client certificate and its corresponding private key to the curl command-line tool. You will learn the correct command-line flags for handling separate certificate and key files, combined files, password-protected keys, and PKCS#12 formats.

Using Separate PEM Files

The most common way to authenticate with mTLS using curl is by providing a separate client certificate file and a private key file, both in PEM format.

Use the --cert (or -E) option for the certificate, and the --key option for the private key:

curl --cert client.crt --key client.key https://example.com:8443/api

Handling Password-Protected Private Keys

If your private key is encrypted with a passphrase, you can append the passphrase to the key file path after a colon, or let curl prompt you for it interactively.

To provide the password inline:

curl --cert client.crt --key client.key:your_password https://example.com:8443/api

If you omit the passphrase, curl prompts for it in the terminal. A passphrase given on the command line is visible in process listings and is recorded in shell history, so the interactive prompt (or a curl config file passed with -K/--config and readable only by you) is preferable outside throwaway tests.

Using a Combined PEM File

If your client certificate and private key are concatenated into a single PEM file, you only need to use the --cert flag. curl will look for both the certificate and the key inside that single file.

curl --cert combined.pem https://example.com:8443/api

If the key inside the combined file is password-protected, pass the password like this:

curl --cert combined.pem:your_password https://example.com:8443/api

Using PKCS#12 (.p12 or .pfx) Files

If your certificate and key are bundled in a PKCS#12 format (common in Windows environments), you must specify the file type using --cert-type and provide the password:

curl --cert client.p12:your_password --cert-type P12 https://example.com:8443/api

Verifying the Server Certificate (CA Certificate)

In a true mTLS handshake, the server's identity is verified as well. curl does this by default against the system trust store; if the server's certificate was issued by a private or self-signed Certificate Authority (CA) that the system does not trust, the handshake fails with a verification error (exit code 60), so point curl at the CA certificate with the --cacert option:

curl --cacert ca.crt --cert client.crt --key client.key https://example.com:8443/api
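The flag choices above, assembled by a small POSIX shell helper, as an added example that is not part of the original article: it emits a curl -K config file (so the key passphrase is read from a file with 0600 permissions instead of appearing on the command line) and selects --cert-type P12 or a separate key entry based on the file given. The MTLS_KEY_PASS environment variable name is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a curl config file for
# mTLS so the key passphrase stays out of argv and shell history.
# Assumed: MTLS_KEY_PASS holds the key passphrase (hypothetical variable name).
# Usage: mtls_config CERT [KEY] [CACERT]  -> prints curl -K config lines

mtls_config() {
  cert=$1; key=$2; cacert=$3
  pass=${MTLS_KEY_PASS:-}
  case "$cert" in
    *.p12|*.pfx)
      # PKCS#12 bundle: cert and key in one file, needs --cert-type P12
      printf 'cert = "%s%s"\n' "$cert" "${pass:+:$pass}"
      printf 'cert-type = "P12"\n'
      ;;
    *)
      # PEM: separate cert + key files, or a combined file when no KEY is given
      if [ -n "$key" ]; then
        printf 'cert = "%s"\n' "$cert"
        printf 'key = "%s%s"\n' "$key" "${pass:+:$pass}"
      else
        printf 'cert = "%s%s"\n' "$cert" "${pass:+:$pass}"
      fi
      ;;
  esac
  # Private CA used to verify the server certificate (optional)
  [ -n "$cacert" ] && printf 'cacert = "%s"\n' "$cacert"
  return 0
}

# Write the config to a 0600 temp file, run curl with it, then remove the file.
mtls_curl() {
  url=$1; shift
  cfg=$(mktemp) || return 1
  chmod 600 "$cfg"
  mtls_config "$@" > "$cfg"
  curl -K "$cfg" "$url"
  rc=$?
  rm -f "$cfg"
  return $rc
}
```

Example call: MTLS_KEY_PASS=... mtls_curl https://example.com:8443/api client.p12 "" ca.crt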