mTLS Test Endpoint

Verify your CA-signed certificate with mutual TLS authentication.

Our mTLS endpoint at getacert.com:8443 requires a valid client certificate signed by the getaCert CA. Use it to test that your CA-signed certificate works for client authentication.

How It Works
  1. Generate a CA-signed certificate at /casign
  2. Download your files — you'll need the .cer (certificate) and .pkey (private key)
  3. Connect to the mTLS endpoint using curl with your client certificate
  4. Get a JSON response with your certificate details if the handshake succeeds

Test with curl

After generating a CA-signed certificate, use curl to connect:

# Using the .cer and .pkey files from your CA-signed cert
curl https://getacert.com:8443/ \
  --cert your-cert.cer \
  --key your-cert.pkey \
  --pass password

Successful response:

{
  "status": "ok",
  "message": "mTLS handshake successful! Your certificate is valid and signed by the getaCert CA.",
  "client_dn": "CN=test.example.com,O=Example Corp,C=US",
  "client_serial": "0A1B2C3D...",
  "valid_from": "Mar 17 12:00:00 2026 GMT",
  "valid_until": "Apr 16 12:00:00 2026 GMT"
}

If it fails:

# No client cert → 400 Bad Request
curl: (56) OpenSSL SSL3 read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required

# Wrong CA (self-signed cert, not CA-signed) → 400 Bad Request
curl: (56) SSL peer rejected your certificate as unrecognized

Using the PKCS#12 File

If you prefer to use the .p12 bundle instead of separate cert and key files:

# Convert .p12 to separate PEM files
openssl pkcs12 -in your-cert.p12 -clcerts -nokeys -out client.crt -passin pass:password
openssl pkcs12 -in your-cert.p12 -nocerts -nodes -out client.key -passin pass:password

# Then connect
curl https://getacert.com:8443/ --cert client.crt --key client.key

Or use curl's PKCS#12 support directly:

curl https://getacert.com:8443/ --cert-type P12 --cert your-cert.p12:password

What This Tests

Check                  Description
Certificate validity   The certificate has not expired and its validity period has begun
CA trust chain         The certificate was signed by the getaCert CA
TLS handshake          The client can present the certificate and private key correctly
Key usage              The certificate is valid for client authentication

Note: Only CA-signed certificates from getaCert.com will work with this endpoint. Self-signed certificates use a different signing key and will be rejected. Generate a CA-signed certificate to test mTLS.
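
The four checks in the table can be reproduced locally before connecting, which helps tell a certificate problem apart from a network or curl problem. The function below is an added example, not code from getaCert. It assumes the openssl CLI and PEM-format files; the CA certificate path is a placeholder, since this page does not say where the getaCert CA certificate is published.

```shell
#!/bin/sh
# Added example (not getaCert code): local pre-flight for the four checks in
# "What This Tests". Assumes the openssl CLI and PEM inputs.
# Usage: preflight CERT KEY CA_CERT [KEY_PASSWORD]
# CA_CERT is a placeholder path for the issuing CA's certificate.
# Prints OK, or the first failing check, and returns non-zero on failure.
preflight() {
  cert=$1 key=$2 ca=$3 pass=${4:-}

  # Certificate validity: -checkend 0 fails if the cert has already expired.
  # (A not-yet-valid cert is caught by the chain check below.)
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL validity"; return 1; }

  # CA trust chain: verify against the given CA only, ignoring the system
  # trust store. A self-signed cert fails here, as the note above describes.
  openssl verify -no-CAfile -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL chain"; return 1; }

  # Key usage: the cert must be acceptable for TLS client authentication.
  openssl verify -no-CAfile -no-CApath -CAfile "$ca" -purpose sslclient \
    "$cert" >/dev/null 2>&1 ||
    { echo "FAIL purpose"; return 1; }

  # TLS handshake prerequisite: the private key must belong to the cert.
  # Compare the public key in the cert with the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:$pass" 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL key-mismatch"; return 1; }

  echo "OK"
}
```

For the files from step 2, convert them to PEM first if needed, then call for example: preflight client.crt client.key ca.pem password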

Common Use Cases

  • API security testing — Verify your mTLS client setup before deploying to production
  • DevOps pipeline testing — Confirm certificate generation and mTLS work end-to-end
  • Learning mTLS — Understand how mutual TLS authentication works hands-on
  • Certificate rotation testing — Generate new certs and verify they work before swapping old ones
