
unable to use client certificate (no key found or wrong pass phrase?)

I am trying to make a SOAP call to a server using cURL as below.

The requirement is:

We need to pass the SSL certificate and pass the username and password.

    $ssl = "ssl_file_relative_address.pem";
    $pub_ssl_password = 'mynameiskhan';
    //Get the data (the XML request body, read from a file)
    $data = file_get_contents("the_data_xml.xml");
    //Get the WSDL Address
    $wsdl = "address/to/wsdl?parameter=value";
    $soapUser = "Username";  //  username
    $soapPassword = "password"; // password

    $options = [
        CURLOPT_RETURNTRANSFER => TRUE,
        CURLOPT_FOLLOWLOCATION => TRUE,
        CURLOPT_SSL_VERIFYHOST => FALSE,
        CURLOPT_SSL_VERIFYPEER => FALSE,
        CURLOPT_URL => $wsdl,
        CURLOPT_SSLCERT => $ssl,
        //CURLOPT_SSLCERTPASSWD => $pub_ssl_password,
        CURLOPT_USERPWD => $soapUser.":".$soapPassword,
        CURLOPT_HTTPAUTH => CURLAUTH_BASIC
    ];

    $ch = curl_init();
    curl_setopt_array($ch , $options);
    $response = curl_exec($ch);
    //curl_close($ch);
    if (curl_errno($ch)) {
        print curl_error($ch); 
    }

I'm getting the following error from cURL: unable to use client certificate (no key found or wrong pass phrase?)

What is it that I'm doing wrong?

Found the solution. It required an intermediate CA certificate.
The solution is:

    $options = [
        CURLOPT_HTTPHEADER => ['Content-type: application/json'],
        CURLOPT_URL => 'https://address/to/service?param=value',
        // Peer verification is switched off here, so the CA bundle below is not enforced.
        CURLOPT_SSL_VERIFYPEER => 0,
        CURLOPT_CAINFO => getcwd()."\cacert.pem",
        CURLOPT_SSLCERT => getcwd().'\cert.pem',
        CURLOPT_SSLCERTPASSWD => 'ssl_password',
        CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
        CURLOPT_USERPWD => $soapUser.":".$soapPassword,
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => $data
    ];

    $ch = curl_init();
    curl_setopt_array($ch, $options);
    $response = curl_exec($ch);

    if (curl_errno($ch)) {
        print curl_error($ch);
    } else {
        print_r($response);
    }

    curl_close($ch);

Do not forget to set CURLOPT_HTTPHEADER to its content type; it is important.
Also download the intermediate certificate from https://curl.haxx.se/ca/cacert.pem. It contains all the valid CAs.

Thanks @drew010 for the help.

When you specify a client authentication certificate using CURLOPT_SSLCERT, the PEM file should contain a -----BEGIN CERTIFICATE----- line followed by the certificate.

You also need to supply cURL with the corresponding private key to the certificate using CURLOPT_SSLKEY, which is a file beginning with -----BEGIN PRIVATE KEY-----.

If the private key is in ssl_file_relative_address.pem, then try copying the private key to a separate file.

If the private key is encrypted, you can specify the password using CURLOPT_SSLKEYPASSWD.
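A pre-flight check for the conditions behind this error, as an added example that is not part of either answer: it reports whether a PEM blob holds a certificate, a private key, whether that key is encrypted, and whether the key opens with the given pass phrase and matches the certificate. The helper names `diagnosePem()` and `clientCertOptions()`, the file names and the throwaway key material are assumptions made for illustration; the openssl and curl extensions are assumed to be loaded.

```php
<?php
// Added example; diagnosePem() and clientCertOptions() are hypothetical helpers.
// Requires the openssl and curl extensions.

// Report what a PEM blob offers as a TLS client credential.
function diagnosePem(string $pem, string $passphrase = ''): array
{
    $hasCert = strpos($pem, '-----BEGIN CERTIFICATE-----') !== false;
    // Matches PKCS#8, encrypted PKCS#8 and traditional RSA/EC key headers.
    $hasKey = preg_match('/-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/', $pem) === 1;
    $encrypted = strpos($pem, 'BEGIN ENCRYPTED PRIVATE KEY') !== false
        || strpos($pem, 'Proc-Type: 4,ENCRYPTED') !== false;
    $keyMatchesCert = false;
    if ($hasCert && $hasKey) {
        // Returns false when the pass phrase is missing or wrong.
        $key = openssl_pkey_get_private($pem, $passphrase);
        $keyMatchesCert = $key !== false && openssl_x509_check_private_key($pem, $key);
    }
    return compact('hasCert', 'hasKey', 'encrypted', 'keyMatchesCert');
}

// Options for curl_setopt_array(): separate certificate and key files,
// with verification of the server certificate left on.
function clientCertOptions(string $cert, string $key, string $pass, string $ca): array
{
    return [
        CURLOPT_SSLCERT        => $cert,
        CURLOPT_SSLKEY         => $key,
        CURLOPT_SSLKEYPASSWD   => $pass,
        CURLOPT_CAINFO         => $ca,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
}

// Constructed sample input: a throwaway RSA key and self-signed certificate.
$pass = 'constructed-passphrase';
$pkey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'example-client'], $pkey);
openssl_x509_export(openssl_csr_sign($csr, null, $pkey, 1), $certPem);
openssl_pkey_export($pkey, $keyPem, $pass);

$cases = [
    'certificate only'           => diagnosePem($certPem),
    'key with wrong pass phrase' => diagnosePem($certPem . $keyPem, 'wrong'),
    'key with right pass phrase' => diagnosePem($certPem . $keyPem, $pass),
];
foreach ($cases as $label => $result) {
    echo $label, ': ', json_encode($result), PHP_EOL;
}
```

Running `diagnosePem(file_get_contents($path), $passphrase)` on the file given to CURLOPT_SSLCERT shows which half of "no key found or wrong pass phrase" applies before any request is sent.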
