SSL certificate generated with OpenSSL not working on NSS
The failure was due to my PKCS#8 private key format:
- With a PKCS#8 private key
-----BEGIN ENCRYPTED PRIVATE KEY----- header
or
-----BEGIN PRIVATE KEY----- header
curl+openssl works, but not curl+nss+libnsspem.so
- With a RSA private key
-----BEGIN RSA PRIVATE KEY----- header
both curl+openssl and curl+nss+libnsspem.so work.
So use this command openssl rsa -in key.pem -out newkey.pem to remove the pass phrase on an RSA private key:
0x3d
Updated on June 13, 2022Comments
-
0x3d almost 2 years
I have SSL certificate ( key.pem, cacert.pem, pcert.pem ) generated with OpenSSL on Linux Mint machine. Now I'm trying to move my application to another server where is installed Fedora 18 with NSS.
cURL is returning this error:
unable to load client key: -8178 (SEC_ERROR_BAD_KEY)I tested again and on my computer is working fine but on server not. I think it's because I used OpenSSL to generate certificates but on server is installed NSS.
I can't find how to generate certificates with "certutil" or with "openssl" to be valid with NSS.
-
cronfy almost 7 yearsIf you don't want to remove passphrase from your key, just use another encryption algorythm, thatcurl+nsswill successfully understand. Useopenssl rsa -des3 -in your.key -out your.encrypted.keyto reencrypt it. -
Ján Lalinský about 6 years@cronfy, des3 is the only cipher that curl+nss seems to accept on Centos 7.4. Any ideas what's up with that?
-
Ján Lalinský about 6 yearsApparently this is a known bug, reported in 2016. nss-pem does not support keys that use encryption other than des. -- bugzilla.redhat.com/show_bug.cgi?id=1369251
