Chris.B

Reputation: 493

Getting (58) unable to use client certificate (no key found or wrong pass phrase?) from curl

I'm attempting to make test calls to a third-party API that requires a client cert. I generated a new cert using this command with openssl:

openssl req -new -newkey rsa:2048 -nodes -out mycsr.csr -keyout mykey.key

I then sent them the csr, and they sent me back mycert.crt. I concatenated the cert and the key together:

cat mycert.crt mykey.key > mycertandkey.pem

Finally, I added mycert.crt to the ca-certificates folder and ca-certificates.conf and ran "update-ca-certificates --fresh".

Now, I'm trying to make curl call from bash using the following command:

curl -X GET --cert mycertandkey.pem -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com

I've also tried:

curl -X GET --cert mycertandkey.pem --cacert mycert.crt -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com

and:

curl -X GET --cert mycertandkey.pem --cacert mycert.crt --key mykey.key -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com

And every other combination I can think of. I always get the error "curl: (58) unable to use client certificate (no key found or wrong pass phrase?)". The key doesn't have a passphrase. All of the cert/key files have 777 permissions.

I haven't worked much with certs in the past and I feel like I've missed something, especially since I seem to have only one cert. Is the cert that the other company sent me a cacert or is it my client cert? Did I concatenate the private key to the wrong cert?

I've found a lot of piecemeal information about this online, but if anyone knows of a good tutorial on this subject, I'd really appreciate that as well.

Upvotes: 8

Views: 47478

Answers (2)

Alexander Larkin

Reputation: 45

If you cannot use locally generated certs and came here from https://developer.tizen.org/forums/native-application-development/curl-ssl-problem-local-ssl-certificate ...

It could happen if you generated the self-signed local certs for development incorrectly (first I tried with the single command openssl req -x509 -config ./openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM, but it didn't work and failed with the error "curl_easy_perform() failed: Problem with the local SSL certificate").

The correct way should probably be as described at the following link (generating local self-signed certs, three files, for dev purposes with client authentication): https://blog.atulr.com/localhost-https/

(I then tested that I can use the resulting certs with libcurl; see the simplessl.c example, and just update the file names to something like this inside simplessl.c:

static const char *pCertFile = "localdomain.crt";
static const char *pCACertFile = "cacert.pem";
pKeyName  = "localdomain.insecure.key";

Upvotes: 1

Chris.B

Reputation: 493

Adding a pass phrase to my private key solved my problem.

I used the following command to add the passphrase:

ssh-keygen -p -f mykey.key

Before I could run that command successfully, I needed to change the permissions on the key file. 777 is not restrictive enough, and ssh-keygen would not touch it. Changing the permissions to 600 fixed that.

chmod 600 mykey.key

After adding the passphrase, I recreated the .pem file. Now I can successfully make curl calls with it using this command:

curl -X GET --cert mycertandkey.pem:mypassphrase -H 'Accept-Encoding: gzip,deflate' -H 'Content-Type: application/json' https://api.URL.com

Upvotes: 9
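Two things curl error 58 can mean are covered by the question ("did I concatenate the private key to the wrong cert?") and by the accepted answer (a passphrase-protected key). The following shell script is an added example, not code from this thread; it assumes the openssl CLI is installed and builds a constructed, throwaway self-signed pair as a stand-in for mycert.crt and mykey.key, then checks whether a certificate and key actually belong together and whether the key loads with a given passphrase.

```shell
# Added diagnostic for curl error 58 (not from the thread): does the cert in a PEM
# file belong to the private key, and does the key load with the passphrase curl is
# given ("" = unencrypted)? Needs openssl; demo files are a constructed self-signed pair.

# SHA-256 of the public key inside the (first) certificate in $1.
cert_pubkey_digest() {
  local pub
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from the private key in $1 with passphrase $2.
# A wrong passphrase, or a file with no key block, makes openssl fail (non-zero return).
key_pubkey_digest() {
  local pub
  pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when cert $1 and key $2 (passphrase $3, default empty) are a pair, else 1.
# Pass the same concatenated .pem as both $1 and $2 to check a combined file.
cert_matches_key() {
  local c k
  c=$(cert_pubkey_digest "$1") || return 1
  k=$(key_pubkey_digest "$2" "${3:-}") || return 1
  [ "$c" = "$k" ]
}

# Throwaway key + self-signed cert, the correct concatenation, a wrongly paired
# concatenation (unrelated key), and a passphrase-protected copy of the key.
make_demo_files() {
  local d=$1
  openssl req -new -newkey rsa:2048 -nodes -x509 -days 1 -subj "/CN=demo-client" \
    -keyout "$d/mykey.key" -out "$d/mycert.crt" 2>/dev/null
  cat "$d/mycert.crt" "$d/mykey.key" > "$d/mycertandkey.pem"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
  cat "$d/mycert.crt" "$d/other.key" > "$d/wrongpair.pem"
  openssl pkey -in "$d/mykey.key" -aes256 -passout pass:secret -out "$d/mykey.enc.key"
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_files "$d"
  cert_matches_key "$d/mycertandkey.pem" "$d/mycertandkey.pem" && echo "mycertandkey.pem: cert and key match"
  cert_matches_key "$d/wrongpair.pem" "$d/wrongpair.pem" || echo "wrongpair.pem: key does not match cert"
  cert_matches_key "$d/mycert.crt" "$d/mykey.enc.key" secret && echo "encrypted key, right passphrase: OK"
  cert_matches_key "$d/mycert.crt" "$d/mykey.enc.key" wrong || echo "encrypted key, wrong passphrase: fails (error 58)"
  rm -rf "$d"
}
```

Run `demo` to see all four cases; for your own files, `cert_matches_key mycertandkey.pem mycertandkey.pem [passphrase]` answers whether the concatenated file is the pair curl expects.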
