I'm trying to connect my PHP app to the server, which requires auth by private key and does not have certs on public servers.

API location: https://b2b.postaonline.cz/

To access the API from the browser, I have installed these certs: http://www.postsignum.cz/certifikaty_autorit.html (PEM)

then I was able to connect with my .pfx cert, retrieved from PostSignum.

However, I'm unable to connect from a Linux server using curl. Ofc, I have searched and tested stuff for several hours - like converting the private key to RSA and so on.

So the current status is that I have used the received .pfx and extracted stuff like this:

 openssl pkcs12 -in certificate.pfx -out ca.pem -cacerts -nokeys
 openssl pkcs12 -in certificate.pfx -out client.pem -clcerts -nokeys
 openssl pkcs12 -in certificate.pfx -out key.pem -nocerts

After that, I've used curl to connect:

$ curl -v  --key ./key.pem --cacert ./ca.pem --cert ./client.pem https://b2b.postaonline.cz/
*   Trying 193.150.24.113...
* Connected to b2b.postaonline.cz (193.150.24.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./ca.pem
  CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

This is something I'm getting with all the variations.

Notes: when I had loaded my certificate.pfx into the browser, the connection was still insecure. So I downloaded the following from the PostSignum cert site and loaded them into the browser

Postsignum Root QCA 2
Postsignum Public CA 2

just after that I was able to connect from the browser.

I think this is something I need to do also in curl, but I have no idea how. With the ca.pem and client.pem, which are extracted just from certificate.pfx, I think curl is running into the same trouble as the browser was before the additional Authority certs were loaded. Any idea how to use that?

Thank you.

  • Also see [SSL certificate generated with OpenSSL not working on NSS](http://stackoverflow.com/q/22499425), [Problem with curl + nss](https://curl.haxx.se/mail/archive-2010-07/0009.html) on the cURL mailing list, [NSS and SSL Error Codes](http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html) on Mozilla's site, etc. – jww Dec 16 '16 at 04:21
  • saw them already, none of those works for me – Ivan Dec 16 '16 at 11:20
  • Please place answers in an Answer block. After a time period, you will be able to accept your own answer. Using an Answer block is just the way Stack Overflow works, and it makes it easy for future visitors to evaluate answers. Also see [How does accepting an answer work?](http://meta.stackexchange.com/q/5234/173448) – jww Feb 26 '17 at 18:02

1 Answer

There were 2 issues combined, now fixed - thanks to strace.

  1. I have to supply an RSA private key, as mentioned in other posts
  2. When using a local private key file with a passphrase, we can't supply it as ./key:pass, but by using the --pass {phrase} option
  • Thanks for the followup explanation! But why is the private key necessary? Ok, is that the *client's* private key (with the client public key being cert.pem), not the server key? This worked for me to curl a docker server that has a self-signed cert and requires a client cert: curl -v --cert ~/.docker/machine/machines/100/cert.pem --cert-type PEM --cacert ~/.docker/machine/machines/100/ca.pem --key ~/.docker/machine/machines/100/key.pem --key-type PEM https://192.168.1.100:2376/ – jamshid Jun 27 '18 at 06:23
  • Yea, this is often caused by not having the private key in the right format. See https://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key – Yuri Nov 19 '19 at 08:00
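The extraction from the question together with the two fixes from the answer (an RSA-format key, and the passphrase passed via --pass), as an added example that is not code from the question or the answer. The function names, the ./pem output directory and the passphrases are my own placeholders; it assumes openssl and curl are on the PATH.

```shell
# Added example: split a .pfx the way the question does, then apply the
# answer's two fixes. Function names, paths and passphrases are placeholders.
set -eu

# Extract CA chain, client cert and a passphrase-protected private key, and
# rewrite the key in traditional RSA (PKCS#1) PEM form.
pfx_to_pem() {
  pfx=$1; pfx_pass=$2; key_pass=$3; out=$4
  mkdir -p "$out"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfx_pass" -cacerts -nokeys -out "$out/ca.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfx_pass" -clcerts -nokeys -out "$out/client.pem"
  # pkcs12 emits the key as (encrypted) PKCS#8; the answer says curl needed RSA form.
  openssl pkcs12 -in "$pfx" -passin "pass:$pfx_pass" -nocerts \
    -passout "pass:$key_pass" -out "$out/key_pkcs8.pem"
  # OpenSSL 3 writes PKCS#8 unless given -traditional; 1.1.x lacks that flag
  # but already writes PKCS#1, so fall back to the plain invocation.
  openssl rsa -in "$out/key_pkcs8.pem" -passin "pass:$key_pass" \
      -aes256 -passout "pass:$key_pass" -traditional -out "$out/key.pem" 2>/dev/null \
  || openssl rsa -in "$out/key_pkcs8.pem" -passin "pass:$key_pass" \
      -aes256 -passout "pass:$key_pass" -out "$out/key.pem"
  rm -f "$out/key_pkcs8.pem"
}

# True when the PEM file is a PKCS#1 RSA key rather than a PKCS#8 one.
key_is_rsa_pem() {
  head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# Call the API with the extracted material; the key passphrase goes in
# --pass, not appended to the key path.
call_api() {
  dir=$1; key_pass=$2; url=$3
  curl -sS --cacert "$dir/ca.pem" --cert "$dir/client.pem" \
       --key "$dir/key.pem" --pass "$key_pass" "$url"
}

# Usage: sh pfx2curl.sh certificate.pfx PFXPASS KEYPASS https://b2b.postaonline.cz/
if [ $# -eq 4 ]; then
  pfx_to_pem "$1" "$2" "$3" ./pem
  key_is_rsa_pem ./pem/key.pem
  call_api ./pem "$3" "$4"
fi
```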