Using SSL client certificate authentication with QualysGuard API v1 and v2

If your QualysGuard account is configured with SSL certificates for two factor authentication, you also need a certificate to make call to the API v1 and API v2.

Here is an example using "curl" that shows you how to use the certificates in a PEM format.


API v1:


$ curl --cert ./cert.pem:my_passphrase -u "user:pass" ""



API v2:

$ curl --cert ./cert.pem:my_passphrase -u "user:pass" -H "X-Requested-With:curl"  ""


Important comments:

  1. The option --cert is used to indicate to curl where the certificate is located. In this example the file "cert.pem" is located in the current folder and the prefix "./" must be used
  2. Also, the certicate "cert.pem" must contain a private key protected with the pass phrase "my_passphrase" passed to curl as shown in the example
  3. -u "user:pass" is used to do basic authentication using the QualysGuard user names "user" and the password "pass"
  4. -H "X-Requested-With:curl" is the special HTTP header parameter required for any QualysGuard API v2 call.
  5. the URL for client certificate authentication is ""


Your certificate might be provided in a PKCS12 format (.p12 or .pfx file extension). Please use to following command to create a .pem certificate file:


$ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
Enter Import Password: ********          ## enter the password used to protect the private key)
MAC verified OK
Enter PEM pass phrase: **********        ## enter your pass phrase to protect the private key in the new cert.pem file
Verifying - Enter PEM pass phrase: **********


YOU MUST PROVIDE A PASS PHRASE AS SHOWN IN THE TWO LAST LINES. If you don't provide a passphrase, you will get the following curl error message:

curl: (58) unable to set private key file: 'cert.pem' type PEM