Unable to use libcurl to access a site requiring client authentication

old_as_a_fossil · May 25, 2011, 10:23am

I�m using the below snipped for setting the certificate and key for client authentication.

 curl_easy_setopt(curl,CURLOPT_SSLCERT,"clientCert.pem");
curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit"); 
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM"); 
curl_easy_setopt(curl,CURLOPT_SSLKEY,"privateKey.pem"); 
curl_easy_setopt(curl,CURLOPT_SSLKEYPASSWD,"changeit"); 
curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,"PEM");

The certificate doesn�t have a password, I don�t know why on earth the option SSLCERTPASSWD exists, I just provided a dummy value. When I run the program on Linux I get an error code of 58 and an error message unable to set private key file: 'privateKey.pem' type PEMOn Windows however I get unable to use client certificate (no key found or wrong pass phrase?)
It seems to suggest the certificate and the key don�t match but I don�t know how. I have extracted both the cert and the key from a p12 file using openssl commands. The command I used to extract the key is
openssl.exe pkcs12 -in client.p12 -nocerts -out privateKey.pem
and the command used to extract the cert is
openssl.exe pkcs12 -in client.p12 -nokeys -out clientCert.pem

The p12 file has been successfully used in a browser to access the client authentication url. Please help before I shoot myself.

Corona688 · May 25, 2011, 10:25am

Try not doing SSLKEYPASSWD at all, if it doesn't have a password don't give it one.

old_as_a_fossil · May 25, 2011, 11:07am

Well I tried without specifying the SSLCERTPASSWORD also, faced the same result...

---------- Post updated at 09:57 AM ---------- Previous update was at 09:30 AM ----------

Here is proof that the private key and the certificate correspond to each other:
[debugbld@nagara ~/curlm]$ openssl x509 -noout -modulus -in clientCert.pem | openssl md5
d7207cf82b771251471672dd54c59927
[debugbld@nagara ~/curlm]$ openssl rsa -noout -modulus -in privateKey.pem | openssl md5
Enter pass phrase for privateKey.pem:
d7207cf82b771251471672dd54c59927

So why can't it work?

---------- Post updated at 10:07 AM ---------- Previous update was at 09:57 AM ----------

I'm facing the same result with the command line curl when I tried with the client certificate and private key concatenated:

curl --cert concatenatedCert.pem --cert-type PEM --cacert cabundle.crt https://inaveo:8775/DataIntegrationService/WebService/WS_test/
Enter PEM pass phrase:
curl: (58) unable to set private key file: 'concatenatedCert.pem' type PEM