Ivan Ivan -4 years ago 855
PHP Question

curl "Peer's public key is invalid." unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

I'm trying to connect my PHP app to a server which requires authentication by private key and does not have its certs on public servers.

API location: https://b2b.postaonline.cz/

To access the API from a browser, I have installed these certs: http://www.postsignum.cz/certifikaty_autorit.html (PEM)

Then I was able to connect with my .pfx cert, retrieved from PostSignum.

However, I'm unable to connect from the Linux server using curl. Of course, I have searched and tested things for several hours, like converting the private key to RSA and so on.

So the current status is that I have used the received .pfx and extracted things like this:

openssl pkcs12 -in certificate.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in certificate.pfx -out client.pem -clcerts -nokeys
openssl pkcs12 -in certificate.pfx -out key.pem -nocerts

Afterwards, I used curl to connect:

$ curl -v --key ./key.pem --cacert ./ca.pem --cert ./client.pem https://b2b.postaonline.cz/
* Trying
* Connected to b2b.postaonline.cz ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ./ca.pem
CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

This is what I'm getting with all the variations.

Notes: when I loaded my certificate.pfx into the browser, the connection was still insecure. So I downloaded the following from the PostSignum cert site and loaded them into the browser:

Postsignum Root QCA 2
Postsignum Public CA 2

Just after that I was able to connect from the browser.

I think this is something I need to do in curl as well, but I have no idea how. With the ca.pem and client.pem, which are extracted just from certificate.pfx, I think curl is running into the same trouble as the browser was before the additional authority certs were loaded. Any idea how to use that?

Thank you.

Answer Source

There were 2 issues combined, now fixed, thanks to strace.

1) I have to supply an RSA private key, as mentioned in other posts.

2) When using a local private key file with a passphrase, we can supply it not as ./key:pass, but by using the --pass {phrase} option.
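An added example, not code from the question or the answer: a POSIX shell script that splits a .pfx into the three PEM files curl needs, rewrites the key as a traditional "RSA PRIVATE KEY" PEM (the encoding the NSS-backed curl build above accepts, instead of the PKCS#8 "ENCRYPTED PRIVATE KEY" that `openssl pkcs12 -nocerts` writes by default) and keeps it passphrase-protected for use with --pass. Output file names, passwords and the use of `-traditional` on OpenSSL 3 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the question or answer). Files ca.pem, client.pem and
# key_rsa.pem, and the passphrases passed in, are assumptions of this script.
set -e

# Classify a PEM key file by its first "-----BEGIN" line (skipping the Bag
# Attributes preamble that openssl pkcs12 writes). "rsa-legacy" is what NSS curl
# loads; "pkcs8-encrypted" is the format that produced SEC_ERROR_BAD_KEY above.
key_pem_kind() {
    case "$(sed -n '/^-----BEGIN/{p;q;}' "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo rsa-legacy ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8-plain ;;
        *)                                       echo unknown ;;
    esac
}

# $1 = .pfx file, $2 = its import password, $3 = passphrase for the output key.
# In real use prefer -passin/-passout env:VAR over pass: so the secret is not
# visible in the process list.
extract_pfx() {
    pfx=$1; inpass=$2; outpass=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -cacerts -nokeys -out ca.pem
    openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -clcerts -nokeys -out client.pem
    # OpenSSL 3 writes PKCS#8 from `openssl rsa` unless -traditional is given;
    # OpenSSL 1.x has no such flag and writes PKCS#1 anyway.
    trad=""
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then trad="-traditional"; fi
    # Pipe the decrypted key straight into the conversion so the unencrypted
    # intermediate never touches disk; the result is re-encrypted with AES-256.
    openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -nocerts -nodes \
      | openssl rsa $trad -aes256 -passout "pass:$outpass" -out key_rsa.pem
}

# Usage: sh convert.sh certificate.pfx <pfx-password> <key-passphrase>
# ca.pem from the .pfx alone was not enough in the question; append the PostSignum
# Root QCA 2 and Public CA 2 PEM files to it, then call curl with --pass:
#   curl -v --cacert ca.pem --cert client.pem --key key_rsa.pem \
#        --pass '<key-passphrase>' https://b2b.postaonline.cz/
if [ "$#" -eq 3 ]; then
    extract_pfx "$1" "$2" "$3"
    echo "key_rsa.pem is $(key_pem_kind key_rsa.pem)"
fi
```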
