Getting (58) inability to use a client certificate (without a key or an incorrect phrase?) from curl

I am trying to make test calls for a third-party API that requires a client certificate. I generated a new certificate using this command with openssl:

 openssl req -new -newkey rsa:2048 -nodes -out mycsr.csr -keyout mykey.key 

Then I sent them the CSR and they sent me mycert.crt back. I combined the certificate and key together:

 cat mycert.crt mykey.key > mycertandkey.pem 

Finally, I added mycert.crt to the ca-cert and ca-certificates.conf folder and ran "update-ca-certificates --fresh".

Now I am trying to make a curl call from bash using the following command:

 curl -X GET --cert mycertandkey.pem -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com 

I also tried:

 curl -X GET --cert mycertandkey.pem --cacert mycert.crt -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com 

and

 curl -X GET --cert mycertandkey.pem --cacert mycert.crt --key mykey.key -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com 

And every other combination that I can think of. I always get the error message "curl: (58) cannot use the client certificate (the key was not found or the phrase is incorrect?)". The key does not have a passphrase. All cert / key files have 777 permissions.

I have not worked much with certificates in the past, and it seems to me that I missed something, especially since I seem to have only one certificate. Is the certificate that the other company sent me a cacert, or is it my client certificate? Did I combine the private key with the wrong certificate?

I found a lot of step-by-step information about this on the Internet, but if anyone knows a good tutorial on this, I would appreciate it too.

+6
2 answers

Adding a passphrase to my private key helped solve my problem.

I used the following command to add a passphrase:

 ssh-keygen -p -f mykey.key 

Before I could successfully execute this command, I needed to change the permissions of the key file. 777 is not restrictive enough and ssh-keygen will not touch it. Changing the permissions to 600 fixed that.

 chmod 600 mykey.key 

After adding the passphrase, I recreated the .pem file. Now I can successfully make curl calls with this command:

 curl -X GET --cert mycertandkey.pem:mypassphrase -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com 
+7
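
One way to check the question's "did I combine the key with the wrong certificate?" before calling curl, as an added example that is not part of the original posts. The function names and return codes are this example's own, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: pre-flight checks for a client certificate/key pair before it
# is given to curl. Return codes are this example's own convention.

# True if the PEM file holds a passphrase-protected private key (PKCS#8
# "ENCRYPTED PRIVATE KEY" or traditional "Proc-Type: 4,ENCRYPTED" header).
key_is_encrypted() {
  grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# True if group or others can read the key file (for example mode 777 or 644).
key_is_exposed() {
  [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# check_client_pair CERT KEY [PASSPHRASE]
# Returns 0 = key belongs to the certificate, 1 = different key pair,
#         2 = no certificate readable, 3 = key unreadable or passphrase missing/wrong.
check_client_pair() {
  ccp_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
    echo "cannot read a certificate from $1"; return 2; }
  if key_is_encrypted "$2" && [ -z "${3-}" ]; then
    echo "$2 is encrypted: supply its passphrase as the third argument"; return 3
  fi
  # The passphrase travels in the environment rather than on the command line.
  ccp_key_pub=$(CCP_PASS="${3-}" openssl pkey -in "$2" -passin env:CCP_PASS \
      -pubout 2>/dev/null </dev/null) || {
    echo "cannot read a private key from $2 (wrong passphrase or not a PEM key)"
    return 3; }
  # Same public key on both sides means the key is the one the CSR was made from.
  if [ "$ccp_cert_pub" != "$ccp_key_pub" ]; then
    echo "MISMATCH: $2 is not the key that $1 was issued for"; return 1
  fi
  if key_is_exposed "$2"; then
    echo "warning: $2 is readable by group/others; chmod 600 it"
  fi
  echo "OK: $2 matches $1"
}

# Usage: sh check_pair.sh mycert.crt mykey.key [passphrase]
if [ "$#" -ge 2 ]; then check_client_pair "$@"; fi
```

Both arguments may name the same combined file such as mycertandkey.pem. A key file that ssh-keygen has rewritten in OpenSSH's own format (header BEGIN OPENSSH PRIVATE KEY) is not parsed by openssl and is reported with return code 3.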

If you can’t use the locally generated certificates and come here from https://developer.tizen.org/forums/native-application-development/curl-ssl-problem-local-ssl-certificate ...

This can happen if the self-signed local certificates generated for development are incorrect (at first I tried with the single command openssl req -x509 -config ./openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM, but this did not work and failed with the error "curl_easy_perform() failed: problem with local SSL certificate").

Probably the correct way is as described in the following link (to create three local self-signed files for development purposes with client authentication): https://blog.atulr.com/localhost-https/

Then I checked that I can use the resulting certificates with libcurl; see the simplessl.c example and just update the file names inside it to something like this:

 static const char *pCertFile = "localdomain.crt";
 static const char *pCACertFile = "cacert.pem";
 pKeyName = "localdomain.insecure.key";
0

Source: https://habr.com/ru/post/985682/

