无法使用libcurl的访问要求客户端身份验证的网站 [英] Unable to use libcurl to access a site requiring client authentication

问题描述

我用下面的剪断，用于设置客户端身份验证证书和密钥。

I’m using the below snipped for setting the certificate and key for client authentication.

  curl_easy_setopt(curl,CURLOPT_SSLCERT,"clientCert.pem");
  curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit");
  curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
  curl_easy_setopt(curl,CURLOPT_SSLKEY,"privateKey.pem");
  curl_easy_setopt(curl,CURLOPT_SSLKEYPASSWD,"changeit");
  curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,"PEM");

该证书没有密码，我不知道为什么在地球上的选项SSLCERTPASSWD存在，我只是提供了一个虚拟的值。
当我在Linux上运行的程序，我得到的58错误code和错误消息
无法设置私钥文件：privateKey.pem类型PEM

The certificate doesn’t have a password, I don’t know why on earth the option SSLCERTPASSWD exists, I just provided a dummy value. When I run the program on Linux I get an error code of 58 and an error message unable to set private key file: 'privateKey.pem' type PEM

在Windows上，但是我得到
无法使用客户端证书（无钥匙上发现或错误口令？）

On Windows however I get unable to use client certificate (no key found or wrong pass phrase?)

这似乎暗示了证书和密钥不匹配，但我不知道怎么办。我已经提取这两个证书，并使用OpenSSL的命令的P12文件的关键。
我用来提取关​​键的命令是

It seems to suggest the certificate and the key don’t match but I don’t know how. I have extracted both the cert and the key from a p12 file using openssl commands. The command I used to extract the key is

openssl.exe pkcs12 -in client.p12 -nocerts -out privateKey.pem

和用于提取证书的指令是

and the command used to extract the cert is

openssl.exe pkcs12 -in client.p12 -nokeys -out clientCert.pem

该P12文件已成功应用在浏览器访问客户端身份验证URL。
之前我拍我请大家帮帮忙。

The p12 file has been successfully used in a browser to access the client authentication url. Please help before I shoot myself.

编辑：
这里是证明私有密钥和证书相互对应的

Here is proof that the private key and the certificate correspond to each other:

[debugbld@nagara ~/curlm]$ openssl x509 -noout -modulus -in clientCert.pem | openssl md5
d7207cf82b771251471672dd54c59927

[debugbld@nagara ~/curlm]$ openssl rsa -noout -modulus -in privateKey.pem | openssl md5
Enter pass phrase for privateKey.pem:
d7207cf82b771251471672dd54c59927

那么，为什么不能工作？

So why can’t it work?

推荐答案

使用命令行卷曲，我已经使用也与OpenSSL的从P12文件获得了.pem文件，该P12也得到了同样的错误能够正常工作在浏览器中导入时做客户端验证。就像你所说的，我想。

Using the command line curl, I've got the same error using a .pem file that was also obtained with openssl from a p12 file, The p12 was also able to working properly doing client authentication when imported in a browser. Just like you described, I think.

我的问题是因为.pem文件没有列出正确的顺序证书造成的：似乎在文件中的每个证书都必须遵循它的颁发者证书。 我编辑的文件，并改变了部分的顺序和卷曲很高兴

My problem was caused because the .pem file was not listing the certificates in the proper order: seems that each certificate in the file has to be followed by its issuer certificate. I edited the file and changed the order of the sections and curl was happy.

有关纪录，被从Firefox备份的证书得到我最初的.p12文件。

For the record, my original .p12 file was obtained by backing up a certificate from Firefox.

另外请注意，在我的情况，我没有得到提示输入密码，并获得

Also note that in my case, I was not getting prompted for the password and was getting the

curl: (58) unable to set private key file: 'alice.pem' type PEM

密码提示之前

这篇关于无法使用libcurl的访问要求客户端身份验证的网站的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！