Certificate not accepted. Unable to set private key file

I am trying to make a connection through SoapClient. I need a certificate for this. I received a .pfx certificate. I used the following command to create a .pem file.

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

There is a password in the certificate so I need to enter it before I get the cert.pem file. So far so good, I think.

Now I try to connect to the WSDL service.

$url = "https://test.website.com/webservices/transfer.asmx?WSDL";
$cert = '/path/to/cert.pem';
$passphrase = "12345678";

$soapClient = new SoapClient($url, array('local_cert'=>$cert,'passphrase'=>$passphrase));

I get the following error:

(Warning) SoapClient::SoapClient(): Unable to set private key file `/var/www/vhosts/............./cert.pem'

I think the problem is the certificate. Is the way that I converted the .pfx to a .pem the correct way?

Leon van der Veen asked Nov 03 '15 10:11


2 Answers

The problem you're running into is that a .pem certificate is always supposed to be an encrypted file. According to the OpenSSL docs for the pkcs12 command, when you used -nodes it didn't encrypt anything, but rather put each node into plain text, which caused the .pem certificate to be invalid, and your SoapClient couldn't parse the invalid file.

To fix this (hopefully you haven't deleted the original cert.pfx), just re-convert it using this line:

openssl pkcs12 -in cert.pfx -out cert.pem -clcerts

and your cert.pem file will be correct.

iam-decoder answered Oct 10 '22 09:10


Today I had this problem with an invalid Cert/Private combination, meaning the cert didn't belong to the specified key.

You can verify this problem using:

openssl rsa  -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.crt | openssl md5

Key and cert should return the same checksum. If not, somebody has mixed up some files.

The same procedure works for CSRs as well:

# and for a CSR
openssl req -noout -modulus -in server.csr | openssl md5

reto answered Oct 10 '22 08:10
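
The checksum comparison in the answer above reads the RSA modulus. As an added example (not part of either answer), the script below compares the whole public key instead, which extends the same check to EC keys and to a single combined PEM such as the cert.pem from the question. The function names, the KEY_PASS variable and the generated demo files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the answers above. Compares the public key in
# a certificate with the public key derived from a private key, so it works
# for EC as well as RSA, and for one PEM file that holds both cert and key.
# For an encrypted key, export KEY_PASS first (assumed variable name).

# cert_matches_key CERT KEY -> 0 match, 1 mismatch, 2 unreadable input
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout \
        ${KEY_PASS:+-passin env:KEY_PASS} 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_demo_files DIR: constructed throwaway material for the demonstration.
make_demo_files() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/a.key" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/b.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1/a.key" -subj "/CN=constructed.example" \
        -days 1 -out "$1/a.crt" 2>/dev/null &&
    cat "$1/a.crt" "$1/a.key" > "$1/combined.pem"
}

# report LABEL CERT KEY: print a one-line verdict for a cert/key pair.
report() {
    rc=0
    cert_matches_key "$2" "$3" || rc=$?
    case $rc in
        0) echo "$1: certificate and key match" ;;
        1) echo "$1: MISMATCH, files were mixed up" ;;
        *) echo "$1: could not read certificate or key" ;;
    esac
}

demo_dir=$(mktemp -d) && make_demo_files "$demo_dir" && {
    report "a.crt + a.key" "$demo_dir/a.crt" "$demo_dir/a.key"
    report "a.crt + b.key" "$demo_dir/a.crt" "$demo_dir/b.key"
    report "combined.pem"  "$demo_dir/combined.pem" "$demo_dir/combined.pem"
}
rm -rf "$demo_dir"
```

Exit status 2 is kept separate from a mismatch so that an unreadable file or a wrong passphrase is never reported as a match between two empty results.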