
curl: (58) Unable to load client key -8178

I am facing an SSL issue with the curl command. I want to reach a URL using my SSL client certificate and private key.

This is my command:

$ curl -k -v "https://myurl.com/" --cert ./certificate.pem --key ./private.key
* About to connect() to xx.xx.xx.xx port 23444 (#0)
*   Trying xx.xx.xx.xx... connected
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 23444 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* Unable to load client key -8178.
* NSS error -8178
* Closing connection #0
curl: (58) Unable to load client key -8178.

The key is password protected, but curl is not asking me to enter the password, which is very strange. Even if I pass the password with --pass, I still get the same error.

It seems that the --key argument is not considered, because if I replace it with foo.key, which doesn't exist on my filesystem, I still get the same error.

However, if I use:

$ wget --certificate=./certificate.pem --private-key=private.key "https://myurl.com/" --no-check-certificate 

I am able to reach my URL.

Do you have any idea?

hzrari asked Jan 07 '14 10:01


2 Answers

I've gone through the same problem, and found a solution finally, maybe it can help you.

The failure was due to the private key in PKCS#8 format:

  • a PKCS#8 private key starts with the -----BEGIN ENCRYPTED PRIVATE KEY----- header
    or the
    -----BEGIN PRIVATE KEY----- header

    With this key curl + openssl will work, but curl + nss + libnsspem.so won't.

  • with an RSA private key, which starts with the
    -----BEGIN RSA PRIVATE KEY----- header,

    both curl + openssl and curl + nss + libnsspem.so will work.

So use this command

openssl pkcs8 -in path/to/your/pkcs8/key -out path/to/rsa/key 

to convert the PKCS#8 key to a traditional RSA key.

jfly answered Sep 17 '22 11:09
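
Added example (not part of jfly's answer or of the original page): a POSIX shell helper that classifies a key by the PEM headers listed in the answer above and reports whether an NSS-backed curl needs it converted. The function names and the sample `curl --version` line are assumptions made for illustration.

```shell
# Added example: decide whether a client key must be converted before an
# NSS-backed curl can load it. All function names here are hypothetical.
# Usage: sh check_key.sh ./private.key

# Constructed sample of the first line of `curl --version` on an NSS build.
SAMPLE_NSS_CURL='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3'

# Classify a key file by its first PEM "BEGIN ... PRIVATE KEY" header.
key_format() {
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1" 2>/dev/null) || header=""
    case "$header" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----"*) echo pkcs8-encrypted ;;
        "-----BEGIN PRIVATE KEY-----"*)           echo pkcs8 ;;
        "-----BEGIN RSA PRIVATE KEY-----"*)       echo rsa-traditional ;;
        *)                                        echo unknown ;;
    esac
}

# Name the TLS backend found in `curl --version` text passed as $1.
tls_backend() {
    case "$1" in
        *" NSS/"*)     echo nss ;;
        *" OpenSSL/"*) echo openssl ;;
        *)             echo other ;;
    esac
}

# Exit status 0 when $1 (key file) is PKCS#8 and $2 (version text) is NSS.
needs_conversion() {
    [ "$(tls_backend "$2")" = nss ] || return 1
    case "$(key_format "$1")" in
        pkcs8|pkcs8-encrypted) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Run the answer's openssl command, then confirm the output header.
# umask 077 keeps the converted key, which is written unencrypted, owner-only.
convert_key() {
    ( umask 077 && openssl pkcs8 -in "$1" -out "$2" ) || return 1
    [ "$(key_format "$2")" = rsa-traditional ]
}

if [ $# -ge 1 ]; then
    if needs_conversion "$1" "$(curl --version 2>/dev/null)"; then
        echo "$1: $(key_format "$1"), NSS curl: convert to traditional RSA first"
    else
        echo "$1: $(key_format "$1"), no PKCS#8/NSS conflict detected"
    fi
fi
```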


If your certificate has a passphrase you should add it after the certificate name:

curl -k -v "https://myurl.com/" --cert ./certificate.pem:passphrase --key ./private.key 
whats_done_is answered Sep 16 '22 11:09