问题
I am facing an SSL issue with the curlcommand. I want to reach an URL using my SSL client certificate and private key.
This is my command:
$ curl -k -v "https://myurl.com/" --cert ./certificate.pem --key ./private.key
* About to connect() to xx.xx.xx.xx port 23444 (#0)
* Trying xx.xx.xx.xx... connected
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 23444 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* Unable to load client key -8178.
* NSS error -8178
* Closing connection #0
curl: (58) Unable to load client key -8178.
The key is password protected, curl is not asking me to enter the password, which is very strange. Even if I pass the password with --pass, I still get the same error.
It seems that the argument --key is not considered, because If I replaced with foo.key, which doesn't exist on my filesystem, I still get the same error.
However, If use:
$ wget --certificate=./certificate.pem --private-key=private.key "https://myurl.com/" --no-check-certificate
I am able to reach my URL.
Do you have any idea?
回答1:
I've gone through the same problem, and found a solution finally, maybe it can help you.
The failure was due to the private key in PKCS#8 format:
a PKCS#8 private key starts with
-----BEGIN ENCRYPTED PRIVATE KEY-----header
or-----BEGIN PRIVATE KEY-----headerWith this key
curl+opensslwill works, butcurl+nss+libnsspem.sowouldn't.with a RSA private key which starts with
-----BEGIN RSA PRIVATE KEY-----headerboth
curl+opensslandcurl+nss+libnsspem.sowill work.
So use this command
openssl pkcs8 -in path/to/your/pkcs8/key -out path/to/rsa/key
to convert the PKCS#8 key to traditional RSA key.
回答2:
If your certificate has a passphrase you should add it after the certificate name:
curl -k -v "https://myurl.com/" --cert ./certificate.pem:passphrase --key ./private.key
来源:https://stackoverflow.com/questions/20969241/curl-58-unable-to-load-client-key-8178