 

Unable to use libcurl to access a site requiring client authentication

I’m using the snippet below for setting the certificate and key for client authentication.

  curl_easy_setopt(curl,CURLOPT_SSLCERT,"clientCert.pem");
  curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit");
  curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
  curl_easy_setopt(curl,CURLOPT_SSLKEY,"privateKey.pem");
  curl_easy_setopt(curl,CURLOPT_SSLKEYPASSWD,"changeit");
  curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,"PEM");

The certificate doesn’t have a password; I don’t know why on earth the option SSLCERTPASSWD exists, so I just provided a dummy value. When I run the program on Linux I get an error code of 58 and the error message unable to set private key file: 'privateKey.pem' type PEM

On Windows however I get unable to use client certificate (no key found or wrong pass phrase?)

It seems to suggest the certificate and the key don’t match but I don’t know how. I have extracted both the cert and the key from a p12 file using openssl commands. The command I used to extract the key is

openssl.exe pkcs12 -in client.p12 -nocerts -out privateKey.pem

and the command used to extract the cert is

openssl.exe pkcs12 -in client.p12 -nokeys -out clientCert.pem

The p12 file has been successfully used in a browser to access the client authentication url. Please help before I shoot myself.

Edit: Here is proof that the private key and the certificate correspond to each other:

[debugbld@nagara ~/curlm]$ openssl x509 -noout -modulus -in clientCert.pem | openssl md5
d7207cf82b771251471672dd54c59927

[debugbld@nagara ~/curlm]$ openssl rsa -noout -modulus -in privateKey.pem | openssl md5
Enter pass phrase for privateKey.pem:
d7207cf82b771251471672dd54c59927

So why can’t it work?

Hugh Darling, asked May 25 '11 12:05


1 Answer

Using the command-line curl, I've got the same error using a .pem file that was also obtained with openssl from a p12 file. The p12 was also working properly for client authentication when imported in a browser. Just like you described, I think.

My problem was caused because the .pem file was not listing the certificates in the proper order: seems that each certificate in the file has to be followed by its issuer certificate. I edited the file and changed the order of the sections and curl was happy.

For the record, my original .p12 file was obtained by backing up a certificate from Firefox.

Also note that in my case, I was not getting prompted for the password and was getting the

curl: (58) unable to set private key file: 'alice.pem' type PEM

before the password prompt

xverges, answered Sep 23 '22 13:09
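As an added example, not code from the question or the answer, here is a standard-library Python checker for the ordering the answer describes: it walks each CERTIFICATE block in a PEM bundle, pulls the issuer and subject Name out of the DER, and reports every certificate that is not immediately followed by its issuer. The three-certificate chain it builds for the demo (CNs alice, Example Intermediate CA and Example Root CA) is constructed and unsigned, only the X.509 layout is real; the function and constant names (check_chain_order, GOOD_BUNDLE, BAD_BUNDLE, fake_cert_pem) are my own and not part of curl or OpenSSL.

```python
"""Check that a PEM bundle lists each certificate followed by its issuer.

Added example, not code from the original question or answer. It parses just
enough DER (standard library only) to read each certificate's issuer and
subject Name and verifies the ordering the answer says curl needs.
"""
import base64
import re
import ssl
import sys

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def der_tlv(data, pos):
    """Decode the tag and length at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: N length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(data, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(data, pos)
        yield tag, pos, vstart, vend
        pos = vend


def cert_names(der):
    """Return (issuer, subject) as the raw DER Name encodings of one X.509 certificate."""
    _, cert_vs, cert_ve = der_tlv(der, 0)                             # Certificate ::= SEQUENCE
    _, _, tbs_vs, tbs_ve = next(der_children(der, cert_vs, cert_ve))  # tbsCertificate
    fields = list(der_children(der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2], fields[4]
    return der[issuer[1]:issuer[3]], der[subject[1]:subject[3]]


def check_chain_order(pem_text):
    """Return a list of problems; an empty list means every cert is followed by its issuer."""
    certs = [ssl.PEM_cert_to_DER_cert(m.group(0)) for m in PEM_CERT.finditer(pem_text)]
    if not certs:
        return ["no CERTIFICATE blocks found"]
    names = [cert_names(c) for c in certs]
    problems = []
    for i in range(len(names) - 1):
        issuer_of_this, subject_of_next = names[i][0], names[i + 1][1]
        if issuer_of_this != subject_of_next:
            problems.append(f"certificate {i} is not followed by its issuer")
    return problems


# --- constructed sample input: layout-only stand-ins for real certificates ---

def _tlv(tag, body):
    """Minimal DER encoder, used only to build the sample chain."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Unsigned, structurally valid X.509 skeleton; enough for the name checks above."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


LEAF = fake_cert_pem("alice", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
# Text between blocks, such as the Bag Attributes lines openssl pkcs12 prints, is ignored.
GOOD_BUNDLE = "Bag Attributes\n    friendlyName: alice\n" + LEAF + INTERMEDIATE + ROOT
BAD_BUNDLE = ROOT + INTERMEDIATE + LEAF                 # a wrong order like the one the answer fixed

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_BUNDLE
    for problem in check_chain_order(text) or ["certificate order looks fine"]:
        print(problem)
```

Run it as python check_order.py clientCert.pem (file name is an assumption) on the bundle produced by openssl pkcs12 -nokeys; the Bag Attributes lines that openssl prints between blocks are skipped. The comparison is a byte-wise match of the DER Name encodings, so a chain whose issuer and subject differ only in string type or whitespace would be flagged even though OpenSSL might still accept it. Fixing the order is just moving the text blocks around in the file; the key/certificate modulus comparison from the question is still a separate step, since this script never touches the private key.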