Tags: php, ssl, pem, passphrase, p12

PHP CURL request for a P12 (PFX) certificate with an export password (Passphrase)


Based on the PEM certificate and a key file, I'm creating two P12 (PFX) files, with and without a passphrase:

  • demo_cert.pem

  • demo_key.pem

  • demo_pfx_withoutPassphrase.p12

  • demo_pfx_withPassphrase.p12

    openssl pkcs12 -export -clcerts -in demo_cert.pem -inkey demo_key.pem -out demo_pfx_withoutPassphrase.p12
    
    Enter Export Password:  (empty)
    Verifying - Enter Export Password:  (empty)
    
    
    openssl pkcs12 -export -clcerts -in demo_cert.pem -inkey demo_key.pem -out demo_pfx_withPassphrase.p12 
    
    Enter Export Password:  12345
    Verifying - Enter Export Password: 12345
    

This file is used to communicate with the server.

<?php
try {
    $url  = 'https://example.invalid/api';   // endpoint not shown in the question; placeholder value
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    // Server certificate and hostname verification are switched off here, as in the original post
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array("Content-Type: application/json,application/octet-stream"));
    // Client certificate: a PKCS#12 bundle plus the export password it was created with
    curl_setopt($curl, CURLOPT_SSLCERTTYPE, "P12");
    curl_setopt($curl, CURLOPT_SSLCERT, getcwd() . DIRECTORY_SEPARATOR . 'demo_pfx_withPassphrase.p12');
    curl_setopt($curl, CURLOPT_SSLCERTPASSWD, '12345');
    //curl_setopt($curl, CURLOPT_SSLKEYPASSWD, '12345');

    $resp = curl_exec($curl);

    if (curl_errno($curl)) {
        echo 'Curl error: ' . curl_error($curl);
        echo "<br>";
    } else {
        $info = curl_getinfo($curl);   // associative array (http_code, url, ...), not a numeric list
        print_r($info);
        echo 'Curl info: HTTP ' . $info['http_code'];
        echo "<br>";
    }
    curl_close($curl);
}
catch (Exception $e) {
    echo $e;
}
?>

I'm able to successfully establish communication with the server using demo_pfx_withoutPassphrase.p12 (without passphrase).

However, the same is not possible with the file containing a passphrase, demo_pfx_withPassphrase.p12, despite providing the password in the SSLCERTPASSWD option.

This is the error I get:

    -------------------- Error response from the REMOTE SSL SERVER --------------------
    58
    int(58)
    Curl error: could not open PKCS12 file 'demo_pfx_withPassphrase.p12'

How can I establish a connection to the server using a P12 file containing a passphrase?

Any advice and suggestions will be thoroughly appreciated.


Solution

  • Finally figured out the solution for the P12 (PFX) certificate not being able to establish communication with the server using demo_pfx_withPassphrase.p12 (with passphrase).

    The certificate file didn't have the read permission.

    Provide read permission to the certificate file:

    chmod +r demo_pfx_withPassphrase.p12
    

    This should do it.

    Finally, with regard to providing the passphrase for the associated P12 file, either provide SSLKEYPASSWD or SSLCERTPASSWD. Either one of these will work fine.

    // --- Authorized certificate with passphrase

    curl_setopt($curl, CURLOPT_SSLCERT, getcwd() . DIRECTORY_SEPARATOR . 'demo_pfx_withPassphrase.p12');
    curl_setopt($curl, CURLOPT_SSLKEYPASSWD, '12345');   // either CURLOPT_SSLKEYPASSWD
    curl_setopt($curl, CURLOPT_SSLCERTPASSWD, '12345');  // or CURLOPT_SSLCERTPASSWD
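
The "could not open PKCS12 file" message covers several different failures (missing file, a file the PHP process cannot read, or a wrong export password), and cURL does not say which. The following is an added example, not code from the question or the answer above: it preflights the P12 bundle with PHP's openssl extension so each cause is reported separately, and then builds a cURL handle that keeps server verification on. The file name and password match the question's demo values; the URL is a placeholder.

```php
<?php
// Added example (not from the original question or answer). Assumes the openssl and
// curl extensions are loaded. File name, passphrase and $url are assumed demo values.

function checkP12(string $path, string $passphrase): array
{
    if (!file_exists($path)) {
        return ['ok' => false, 'reason' => "file not found: $path"];
    }
    if (!is_readable($path)) {
        // The accepted answer's case: the web server user lacks read permission on the file.
        return ['ok' => false, 'reason' => 'not readable by uid ' . getmyuid() . ": $path"];
    }
    $certs = [];
    // openssl_pkcs12_read() unpacks the bundle with its export password; it returns
    // false for a wrong password or for a corrupt/unsupported PKCS#12 file.
    if (!openssl_pkcs12_read(file_get_contents($path), $certs, $passphrase)) {
        return ['ok' => false,
                'reason' => 'PKCS#12 parse failed (wrong export password?): ' . openssl_error_string()];
    }
    $info = openssl_x509_parse($certs['cert']);
    return [
        'ok'      => true,
        'subject' => $info['name'] ?? '',
        'expires' => date('c', $info['validTo_time_t']),
    ];
}

function buildClientCertHandle(string $url, string $p12Path, string $passphrase)
{
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        // Keep server certificate and hostname verification enabled
        // (the question's code turned both off).
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLCERTTYPE    => 'P12',
        CURLOPT_SSLCERT        => $p12Path,
        // CURLOPT_SSLCERTPASSWD and CURLOPT_SSLKEYPASSWD are both aliases of
        // libcurl's CURLOPT_KEYPASSWD, which is why either works in the answer.
        CURLOPT_SSLCERTPASSWD  => $passphrase,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
    ]);
    return $curl;
}

// Assumed demo values (constructed to match the question's file name and export password).
$p12Path    = __DIR__ . DIRECTORY_SEPARATOR . 'demo_pfx_withPassphrase.p12';
$passphrase = '12345';
$url        = 'https://example.invalid/api';   // placeholder endpoint

$check = checkP12($p12Path, $passphrase);
if (!$check['ok']) {
    fwrite(STDERR, "certificate preflight failed: {$check['reason']}\n");
    exit(1);
}
printf("using client cert %s (valid until %s)\n", $check['subject'], $check['expires']);

$curl = buildClientCertHandle($url, $p12Path, $passphrase);
$resp = curl_exec($curl);
if ($resp === false) {
    // curl_errno() 58 is CURLE_SSL_CERTPROBLEM, the code shown in the question.
    printf("curl error %d: %s\n", curl_errno($curl), curl_error($curl));
} else {
    printf("HTTP %d, %d bytes\n", curl_getinfo($curl, CURLINFO_RESPONSE_CODE), strlen($resp));
}
curl_close($curl);
```

Run it as the same user the web server runs PHP under (for example with `sudo -u www-data php preflight.php`), since that is the user whose read permission on the .p12 file matters; running it as your own shell user can pass the `is_readable()` check while the web request still fails.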