I am using curl to download data from a https site using public certificate files.
System information:
The command is,
curl -v "https://<ip:<port>" --cert "./cert.pem" --cacert "./cacert.pem" --cert-type PEM
* About to connect() to kng.com port 443 (#0)
* Trying 11.19.37.123...
* Adding handle: conn: 0x8189e68
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x8189e68) send_pipe: 1, recv_pipe: 0
* Connected to fkng.com (11.19.37.123) port 443 (#0)
* unable to set private key file: './cert.pem' type PEM
* Closing connection 0
curl: (58) unable to set private key file: './cert.pem' type PEM
I have have given all the permission to the .pem file, still curl is throwing an error.
After reading cURL documentation on the options you used, it looks like the private key of certificate is not in the same file. If it is in different file, you need to mention it using --key file and supply passphrase.
So, please make sure that either cert.pem has private key (along with the certificate) or supply it using --key option.
Also, this documentation mentions that Note that this option assumes a "certificate" file that is the private key and the private certificate concatenated!
How they are concatenated? It is quite easy. Put them one after another in the same file.
You can get more help on this here.
I believe this might help you.
Im not sure If this will help anyone but I was getting this error (although I was using php to create it instead of the command line) and to fix it I had to ensure that no old .key or .pem files were in the directory I was looking at. By deleting them and making fresh files with the authentication it worked perfectly!
I had the same issue, eventually I found a solution that works without splitting the file, by following Petter Ivarrson's answer
My problem was when converting .p12 certificate to .pem. I used:
openssl pkcs12 -in cert.p12 -out cert.pem
This converts and exports all certificates (CA + CLIENT) together with a private key into one file.
The problem was when I tried to verify if the hashes of certificate and key are matching by running:
// Get certificate HASH
openssl x509 -noout -modulus -in cert.pem | openssl md5
// Get private key HASH
openssl rsa -noout -modulus -in cert.pem | openssl md5
This displayed different hashes and that was the reason CURL failed. See here: https://michaelheap.com/curl-58-unable-to-set-private-key-file-server-key-type-pem/
I guess that was because all certificates are inside a file (CA + CLIENT) and CURL takes CA certificate instead of CLIENT one. Because CA is first in the list.
So the solution was to export only CLIENT certificate together with private key:
openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
``
Now when I re-run the verification:
```sh
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in cert.pem | openssl md5
HASHES MATCHED !!!
So I was able to make a curl request by running
curl -ivk --cert ./cert.pem:KeyChoosenByMeWhenIrunOpenSSL https://thesite.com
without problems!!!
That being said... I think the best solution is to split the certificates into separate file and use them separately like Petter Ivarsson wrote:
curl --insecure --key key.pem --cacert ca.pem --cert client.pem:KeyChoosenByMeWhenIrunOpenSSL https://thesite.com
I faced this issue when I had used Open SSL and the solution was to split the cert in 3 files and use all of them doing the call with Curl:
openssl pkcs12 -in mycert.p12 -out ca.pem -cacerts -nokeys
openssl pkcs12 -in mycert.p12 -out client.pem -clcerts -nokeys
openssl pkcs12 -in mycert.p12 -out key.pem -nocerts
curl --insecure --key key.pem --cacert ca.pem --cert client.pem:KeyChoosenByMeWhenIrunOpenSSL https://thesite
I have a similar situation, but I use the key and the certificate in different files.
in my case you can check the matching of the key and the lock by comparing the hashes (see https://michaelheap.com/curl-58-unable-to-set-private-key-file-server-key-type-pem/). This helped me to identify inconsistencies.
Source: Stackoverflow.com