SSL certificate generated with OpenSSL not working on NSS
I have an SSL certificate (key.pem, cacert.pem, pcert.pem) generated with OpenSSL on a Linux Mint machine. Now I'm trying to move my application to another server where Fedora 18 with NSS is installed.

cURL is returning this error:

unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

I tested again and on my computer it is working fine, but on the server it is not. I think it's because I used OpenSSL to generate the certificates, but on the server NSS is installed.

I can't find how to generate certificates with "certutil" or with "openssl" that are valid with NSS.

Tophet answered 19/3, 2014 at 7:49 Comment(5)
How do you generate your certificates with openssl? - Prompter
And what does your key file start with? I mean -----BEGIN WHAT-----. - Prompter
I generate with:
openssl pkcs12 -in YOURPFX.pfx -nocerts -out key.pem
openssl pkcs12 -in YOURPFX.pfx -clcerts -nokeys -out pcert.pem
openssl pkcs12 -in YOURPFX.pfx -cacerts -nokeys -out cacert.pem
- Tophet
My certificate starts with: -----BEGIN CERTIFICATE----- - Tophet
What about the private key? - Prompter
The failure was due to my PKCS#8 private key format:

- With a PKCS#8 private key (-----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY----- header), curl+openssl works, but not curl+nss+libnsspem.so.
- With an RSA private key (-----BEGIN RSA PRIVATE KEY----- header), both curl+openssl and curl+nss+libnsspem.so work.

So use this command to remove the pass phrase on an RSA private key:

openssl rsa -in key.pem -out newkey.pem

Prompter answered 19/3, 2014 at 9:50 Comment(3)
If you don't want to remove the passphrase from your key, just use another encryption algorithm that curl+nss will successfully understand. Use openssl rsa -des3 -in your.key -out your.encrypted.key to re-encrypt it. - Washerman
@cronfy, des3 is the only cipher that curl+nss seems to accept on CentOS 7.4. Any ideas what's up with that? - Authorship
Apparently this is a known bug, reported in 2016. nss-pem does not support keys that use encryption other than des. -- bugzilla.redhat.com/show_bug.cgi?id=1369251 - Authorship
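An added example, not code from the original answer or from nss-pem, that turns the header checks in this thread into a script: it reads a PEM file's BEGIN label and, for a traditional encrypted key, the DEK-Info cipher, and reports which openssl conversion from the thread applies. The sample keys are constructed placeholders, not real key material, and mapping the "des3" named in the comments to OpenSSL's DES-EDE3-CBC DEK-Info cipher is an assumption.

```python
import re

# Header labels from the answer above; nss-pem's cipher limit from the comments.
TRADITIONAL_RSA = "RSA PRIVATE KEY"                     # works with curl+nss+libnsspem.so
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}  # curl+openssl only
# Assumption: the "des3" the comments name is OpenSSL's DES-EDE3-CBC DEK-Info cipher.
NSS_PEM_CIPHERS = {"DES-EDE3-CBC"}

def classify_pem_key(pem_text):
    """Return (label, dek_cipher, verdict, advice) for one PEM private key.

    verdict is "ok" (usable with curl+nss+libnsspem.so as-is), "convert"
    (run the openssl rsa command from the thread) or "unknown".
    """
    m = re.search(r"^-----BEGIN ([A-Z0-9 ]+?)-----$", pem_text, re.MULTILINE)
    if not m:
        return None, None, "unknown", "no PEM BEGIN line found"
    label = m.group(1)
    # Traditional (non-PKCS#8) encrypted keys carry the cipher in a DEK-Info header.
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", pem_text, re.MULTILINE)
    cipher = dek.group(1) if dek else None
    if label == TRADITIONAL_RSA:
        if cipher is None or cipher in NSS_PEM_CIPHERS:
            return label, cipher, "ok", "usable by curl+openssl and curl+nss+libnsspem.so"
        return label, cipher, "convert", "re-encrypt: openssl rsa -des3 -in key.pem -out key.des3.pem"
    if label in PKCS8_LABELS:
        return label, cipher, "convert", "convert to RSA format: openssl rsa -in key.pem -out newkey.pem"
    return label, cipher, "unknown", "not a private key header this check knows"

# Constructed samples: the base64 bodies are placeholders, not real key material.
SAMPLE_PKCS8 = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw...\n-----END PRIVATE KEY-----\n"
SAMPLE_RSA_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_RSA_AES = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                  "placeholderbase64...\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_RSA_DES3 = SAMPLE_RSA_AES.replace("AES-256-CBC", "DES-EDE3-CBC")

if __name__ == "__main__":
    for name, pem in [("pkcs8", SAMPLE_PKCS8), ("rsa", SAMPLE_RSA_PLAIN),
                      ("rsa-aes", SAMPLE_RSA_AES), ("rsa-des3", SAMPLE_RSA_DES3)]:
        print(name, classify_pem_key(pem))
```

Point the script at the key curl is loading; a "convert" verdict on an RSA key with a non-des3 DEK-Info cipher is the case the bugzilla comment describes.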