curl "Peer's public key is invalid." unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

Ivan · Dec 15, 2016 · Viewed 7.2k times

I'm trying to connect my PHP app to the server, which requires auth by private key and does not have certs on public servers.

API location: https://b2b.postaonline.cz/

To access the API from the browser, I have installed these certs: http://www.postsignum.cz/certifikaty_autorit.html (PEM)

Then I was able to connect with my .pfx cert, retrieved from PostSignum.

However, I'm unable to connect from the Linux server using curl. Of course, I have searched and tested stuff for several hours - like converting the private key to RSA and so on.

So the current status is that I have used the received .pfx and extracted stuff like this:

 openssl pkcs12 -in certificate.pfx -out ca.pem -cacerts -nokeys
 openssl pkcs12 -in certificate.pfx -out client.pem -clcerts -nokeys
 openssl pkcs12 -in certificate.pfx -out key.pem -nocerts

After, I've used curl to connect:

$ curl -v  --key ./key.pem --cacert ./ca.pem --cert ./client.pem https://b2b.postaonline.cz/
*   Trying 193.150.24.113...
* Connected to b2b.postaonline.cz (193.150.24.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./ca.pem
  CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

This is what I'm getting with all the variations.

Notes: when I loaded my certificate.pfx into the browser, the connection was still insecure. So I downloaded the following from the PostSignum cert site and loaded them into the browser:

Postsignum Root QCA 2
Postsignum Public CA 2

Just after that I was able to connect from the browser.

I think this is something I need to do in curl as well, but I have no idea how. With the ca.pem and client.pem, which are extracted just from certificate.pfx, I think curl is running into the same trouble as the browser was before the additional Authority certs were loaded. Any idea how to use that?

Thank you.

Answer

Ivan · Feb 27, 2017

There were 2 issues combined, now fixed - thanks to strace.

  1. I have to supply an RSA private key, as mentioned in other posts.
  2. When using a local private key file with a passphrase, we can't supply it as ./key:pass, but by using the --pass {phrase} option.
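The two fixes from the answer, put together as an added shell example (this is not code from the original post): extract the CA chain, the client certificate and the private key from the .pfx as the question does, re-encode the key into traditional RSA PEM form, and hand the key passphrase to curl with --pass instead of appending it to the key path. It assumes openssl and curl are on PATH; the file names ca.pem, client.pem, key.pem and certificate.pfx are the question's, and the passwords and output directory are parameters you choose.

```shell
#!/bin/sh
# Added example, not code from the original post: turn a PKCS#12 bundle
# into the three PEM files curl needs, with the private key re-encoded in
# traditional RSA PEM form, and pass the key passphrase with --pass.
# Assumes openssl and curl are on PATH; file names follow the question.

# extract_pfx <bundle.pfx> <pfx-import-password> <key-passphrase> <outdir>
extract_pfx() {
    pfx="$1"; inpass="$2"; keypass="$3"; out="$4"
    mkdir -p "$out" || return 1
    # CA chain and leaf certificate, as in the question, but with -passin
    # so nothing prompts interactively.
    openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -cacerts -nokeys \
        -out "$out/ca.pem" || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -clcerts -nokeys \
        -out "$out/client.pem" || return 1
    # Private key, still encrypted; pkcs12 writes it in PKCS#8 form.
    openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -nocerts \
        -passout "pass:$keypass" -out "$out/key.pkcs8.pem" || return 1
    # Re-encode as "BEGIN RSA PRIVATE KEY" (traditional format), keeping it
    # encrypted under the same passphrase. OpenSSL 3 needs -traditional for
    # that header; OpenSSL 1.x emits it by default and rejects the flag.
    trad=""
    openssl rsa -help 2>&1 | grep -q -- '-traditional' && trad="-traditional"
    openssl rsa $trad -in "$out/key.pkcs8.pem" -passin "pass:$keypass" \
        -aes256 -passout "pass:$keypass" -out "$out/key.pem" || return 1
    rm -f "$out/key.pkcs8.pem"
}

# key_is_traditional_rsa <key.pem>: succeeds only for the RSA PEM header,
# which is the key form the answer says curl accepted.
key_is_traditional_rsa() {
    grep -q '^-----BEGIN RSA PRIVATE KEY-----$' "$1"
}

# client_curl <outdir> <key-passphrase> <url> [extra curl args...]
# The passphrase goes in --pass, not appended to the key path as key.pem:pass.
client_curl() {
    dir="$1"; keypass="$2"; url="$3"; shift 3
    curl -v --cacert "$dir/ca.pem" --cert "$dir/client.pem" \
        --key "$dir/key.pem" --pass "$keypass" "$@" "$url"
}
```

Usage: `extract_pfx certificate.pfx "$IMPORT_PW" "$KEY_PW" ./out && client_curl ./out "$KEY_PW" https://b2b.postaonline.cz/`. Both the `pass:` arguments to openssl and curl's `--pass` value are visible to other local users in the process list, so on a shared host prefer reading the passphrase from a root-only file (openssl's `-passin file:...`) or entering it at the prompt.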