stuck with php/curl and SSL certificates

chr15t0 · 05-12-2005, 06:44 AM

right - I'm really stuck here.

I am using php/curl to talk to a remote system. I have been issued with a client certificate, which basically consists of a private key concatenated with a certificate. I slurp all this into $clientcert and specify it using

curl_setupt($ch, CURLOPT_SSLCERT, $clientcert);

I have also exported this certificate with the private key, converted it into a .pem file and pasted the private key section into a file called clientkey.key. I'm pointing curl at this using:

curl_setopt($ch, CURLOPT_SSLKEY, $clientkey);

where $clientkey contains the path to the clientkey.key file.

I also have the SSLCERTPASSWD specified, and it's definitely right

However I still get this error: 58 - unable to use client certificate (no key found or wrong pass phrase?).

I have this working just perfectly from the command line, so I really just want to translate this command into the php/curl equivalent:

Quote:

curl -E /export/newtos/frontend/etc/client-cert.pem:blabla --cacert /export/newtos/frontend/etc/northside.pem --data-binary @/root/temp/file-converted.txt -H "Content-Type: multipart/related; type="text/xml"; boundary="--someBoundaryValue--"; start="ebXML_Message_Header"" https://www.blabla.com/north

What am I doing wrong here? It could be that I'm missing out the '--cacert' option, which points to the northside.pem, which I think is a root certificate. I get horribly confused with all this stuff.. how do I specify this bundle using curl_setopt()?

Any thoughts would be great,

christo

chr15t0 · 05-13-2005, 05:13 AM

I've finally managed to get the command to work - I realised that I was using the contents of the client certificate instead of a path to the client certificate... I'm not sure why I ended up doing that, but anyway...

so the code now looks like this and seems to work well:

PHP Code:



        $url            =       "https://www.bla.com/foo"; // onramp url 
 
        $clientcert    =       $diagno_libdir."/exported-with-private-key.pem"; 
        $keyfile        =       $diagno_libdir."/clientkey.key"; 
        $challenge      =       "nightmare"; 
 
        print "<bR><BR>$challenge<br><br>"; 
        print "<bR><BR>$keyfile<br><br>"; 
 
        $header = Array(); 
        $header[] = "Content-Type: multipart/related \r\n"; 
        $header[] = "type=text/xml \r\n"; 
        $header[] = "boundary=--someBoundaryValue-- \r\n"; 
        $header[] = "start=ebXML_Message_Header \r\n"; 
        $header[] = $iptest; 
 
        $ch = curl_init(); 
 
        curl_setopt($ch, CURLOPT_URL, $url); 
        curl_setopt($ch, CURLOPT_HEADER, 1); 
        curl_setopt($ch, CURLOPT_VERBOSE, 1); 
        curl_setopt($ch, CURLOPT_POST, 1); 
        curl_setopt($ch, CURLOPT_HTTPHEADER, $header); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); 
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); 
        curl_setopt($ch, CURLOPT_FAILONERROR, 1); 
        curl_setopt($ch, CURLOPT_SSLCERT, $clientcert); 
        curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $challenge); 
        curl_setopt($ch, CURLOPT_SSLKEYTYPE, 'PEM'); 
        curl_setopt($ch, CURLOPT_SSLKEY, $keyfile); 
 
        $ret = curl_exec($ch);

hopefully somebody will discover this thread and find our comments useful

best wishes

christo

vedad75019 · 05-20-2005, 06:10 AM

Hi,

I'm a total SSL newbie, and i'm facing the same problem as you...

I have a password protected client certificate. So far, everything's okay.
But i don't have a clue about the "private key" concern.

Could you please explain what does:

Quote:

I have also exported this certificate with the private key, converted it into a .pem file and pasted the private key section into a file called clientkey.key. I'm pointing curl at this using:

mean?

Thanks!
Best regards