8

I have SSL certificate ( key.pem, cacert.pem, pcert.pem ) generated with OpenSSL on Linux Mint machine. Now I'm trying to move my application to another server where is installed Fedora 18 with NSS.

cURL is returning this error:

unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

I tested again and on my computer is working fine but on server not. I think it's because I used OpenSSL to generate certificates but on server is installed NSS.

I can't find how to generate certificates with "certutil" or with "openssl" to be valid with NSS.

0x3d
  • 460
  • 1
  • 8
  • 27

1 Answers1

16

The failure was due to my PKCS#8 private key format:
- With a PKCS#8 private key
-----BEGIN ENCRYPTED PRIVATE KEY----- header
or
-----BEGIN PRIVATE KEY----- header
curl+openssl works, but not curl+nss+libnsspem.so
- With a RSA private key
-----BEGIN RSA PRIVATE KEY----- header
both curl+openssl and curl+nss+libnsspem.so work.

So use this command openssl rsa -in key.pem -out newkey.pem to remove the pass phrase on an RSA private key:

jfly
  • 7,715
  • 3
  • 35
  • 65
  • 1
    If you don't want to remove passphrase from your key, just use another encryption algorythm, that `curl+nss` will successfully understand. Use `openssl rsa -des3 -in your.key -out your.encrypted.key` to reencrypt it. – cronfy Aug 03 '17 at 15:13
  • @cronfy, des3 is the only cipher that curl+nss seems to accept on Centos 7.4. Any ideas what's up with that? – Ján Lalinský Mar 20 '18 at 16:58
  • Apparently this is a known bug, reported in 2016. nss-pem does not support keys that use encryption other than des. -- https://bugzilla.redhat.com/show_bug.cgi?id=1369251 – Ján Lalinský Mar 20 '18 at 18:06