
PHP CURL error: unable to use client certificate (no key found or wrong pass phrase?)

I am doing this:

$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, '1'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '2'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '1'); 
curl_setopt($ch, CURLOPT_CAINFO,  getcwd().'/public.pem'); 
curl_setopt($ch, CURLOPT_SSLCERT, getcwd().'/private.key'); 
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, '1234');
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, '1234'); 
curl_setopt($ch, CURLOPT_URL, "http://api-xxxxxx.duosecurity.com/auth/v2/preauth");
$dataa = curl_exec($ch);

I am getting this error: unable to use client certificate (no key found or wrong pass phrase?)

What am I missing? If the code is OK, could you please guide me on how to generate a pair of certificates for this purpose using either openssl or ssh-keygen?

This is how you connect to Yahoo over HTTPS:

$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, '1'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '2'); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '1'); 
curl_setopt($ch, CURLOPT_URL, "https://m.yahoo.com/");
$dataa = curl_exec($ch);

You do not use client certificates to talk to HTTPS hosts.

The reasons that browsers/clients don't use client certificates are too varied to list here.

It seems that client certificates are a method of authenticating - or logging in - to a web site - they are not part of encrypting the communication to the server.

https://en.wikipedia.org/wiki/Client_certificate

https://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/

http://blogs.msdn.com/b/kaushal/archive/2012/02/18/client-certificates-vs-server-certificates.aspx

Update

After learning that the original question concerns duosecurity's API, and not a regular yahoo http connection, I looked at duo's API documents and JS & PHP client libraries. I cannot find any reference to client side SSL certificates.

To circle back and tackle the original error of "no key found or wrong pass phrase" we should look at the CURLOPT_* settings.

In the original question, the cert and key are identified incorrectly with curlopt settings.

$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, '1');
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '2');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '1');

// Client certificate and its pass phrase
curl_setopt($ch, CURLOPT_SSLCERT,  getcwd().'/public.pem');
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, '1234');

// Private key belonging to that certificate, and its pass phrase
curl_setopt($ch, CURLOPT_SSLKEY, getcwd().'/private.key');
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, '1234');
curl_setopt($ch, CURLOPT_URL, "http://api-xxxxxx.duosecurity.com/auth/v2/preauth");
$dataa = curl_exec($ch);

Use SSLCERT(PASSWORD) and SSLKEY(PASSWORD) to enable client side certificates. It is unlikely that your client side certificate needs a CA - CURLOPT_CAINFO is only used to help identify the peer, not yourself.
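
A pre-flight check for the two files the answer above assigns to CURLOPT_SSLCERT and CURLOPT_SSLKEY, so a swapped file or wrong pass phrase is reported before curl runs. This is an added example, not code from the question or the answer: check_client_cert() is a hypothetical helper, the certificate and key are throwaway material constructed inline, and the PHP openssl extension is assumed.

```php
<?php
// check_client_cert() is a hypothetical helper (not part of curl or PHP).
// It returns a list of problems; an empty list means the pair is usable.
function check_client_cert(string $certFile, string $keyFile, string $pass): array
{
    $problems = [];
    $cert = @openssl_x509_read((string) @file_get_contents($certFile));
    if ($cert === false) {
        $problems[] = "CURLOPT_SSLCERT file holds no PEM certificate: $certFile";
    }
    $key = @openssl_pkey_get_private((string) @file_get_contents($keyFile), $pass);
    if ($key === false) {
        $problems[] = "CURLOPT_SSLKEY file holds no private key, or wrong pass phrase: $keyFile";
    }
    if ($cert !== false && $key !== false && !openssl_x509_check_private_key($cert, $key)) {
        $problems[] = 'certificate and private key do not belong together';
    }
    while (openssl_error_string() !== false) { } // drain OpenSSL's error queue
    return $problems;
}

// Constructed sample material: a self-signed certificate and a private key
// encrypted with a pass phrase, written to temporary files.
$pass = '1234';
$pkey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'example-client'], $pkey, ['digest_alg' => 'sha256']);
$x509 = openssl_csr_sign($csr, null, $pkey, 30, ['digest_alg' => 'sha256']);
openssl_x509_export($x509, $certPem);
openssl_pkey_export($pkey, $keyPem, $pass);

$certFile = tempnam(sys_get_temp_dir(), 'crt');
$keyFile  = tempnam(sys_get_temp_dir(), 'key');
file_put_contents($certFile, $certPem);
file_put_contents($keyFile, $keyPem);

// Case 1: certificate file as certificate, key file as key.
var_dump(check_client_cert($certFile, $keyFile, $pass));
// Case 2: the key file given where the certificate belongs (the question's mix-up).
var_dump(check_client_cert($keyFile, $keyFile, $pass));
// Case 3: correct files, wrong pass phrase.
var_dump(check_client_cert($certFile, $keyFile, 'wrong'));

unlink($certFile);
unlink($keyFile);
```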
