cURL / Mailing Lists / curl-users / Single Mail


Re: How to use .pfx in certificate store in CURL via SSL from Windows 7

From: Von Hawkins via curl-users <>
Date: Thu, 5 Mar 2015 17:55:16 +0000 (UTC)

cURL (most modern versions) expects the private key to be in an NSS cert store, much like what Firefox uses.
For most client programs trying to use private keys stored in CAPI/CNG or any other secure trust store, you have to provide some way to map from the public key to the private key.
In theory, cURL could call the the key vi the SQL-Lite NSS db, which could be mapped to CAPI as a PKCS#11 provider.
It's been a while, and I normally work with the older pre-sqllite versions.  Also, I can't run sample commands where I am so there are certainly some errors in the steps below.
First you need to create an NSS certificate db.  For this you'll need a windows build of the NSS Tools
#create a cert9.db, key4.db and <secmod.db or pkcs11.txt>
certutil -N -d sql:<directory>
#associate the secmod.db with something that can read certs from CAPI#below example assume using ActivClient for smartcards.
modutil -dbdir sql:<path\to\directory> -add ActivClient -libfile "C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll" 
#list to see the module addedmodutil -dbdir sql:<path\to\directory> -list  {or -rawlist}
#If you don't have a something like ActivClient, then you'll likely need the nsscapi.dll.  I've never compiled or used it, but it should give you access to CAPI certs.#I'm may be skipping a couple steps here, but if everything worked well to this point, you should be able to see your certificates
#list just the public certs<path\to\NSScertutil>\certutil -d <path\to\cert9.db_don't_name_cert9.db> -L #list the private keys<path\to\NSScertutil>\certutil -d <path\to\cert9.db_don't_name_cert9.db> -K

Once the cert store is created and linked, you should be able to call the certs/keys from cURL using the syntax in the man pages/documentation 
      From: Brendan White <>
 To: "" <>
 Sent: Wednesday, March 4, 2015 5:01 PM
 Subject: How to use .pfx in certificate store in CURL via SSL from Windows 7

I want to use cURL to access a remote server, and I need to identify myself using a private key, otherwise the remote server gives a 401 "Unauthorized".

I'm on Windows 7 (work machine, not my choice) and my private key is installed on my computer. I'm not permitted to access it directly, but I'm confident it's installed in the certificate store correctly. So I want to specify the *public* key in the cURL command, and let the operating system work out which private key to use.

I've given the public key to the remote server, and they've accepted it and installed it.

So I'm doing this:

    curl --verbose --cert "my-public-cert.pem"

...but it's not working, I'm getting a 58 error:

    *  Trying
    * Connected to ( port 443 (#0)
    * unable to use client certificate (no key found or wrong pass phrase?)
    * Closing connection 0
    curl: (58) unable to use client certificate (no key found or wrong pass phrase?)

Am I doing something wrong? Is there a way to send a cURL request over SSL, if I can't access the private key directly but the operating system has the private key installed? Or is this just impossible?

Many thanks,

PS - Full disclosure - I posted this question to SuperUser ( a couple of days ago, but have not received any answers.

Brendan White 
Business Analyst
Student Systems, Flinders University 
ph +618 8201 5967, fax +618 8201 2580, web
CRICOS Registered Provider: The Flinders University of South Australia 
CRICOS Provider Number: 00114A 
This email and any attachments may be confidential. If you are not the intended recipient, please inform the sender by reply email and delete all copies of this message.
List admin:

List admin:
Received on 2015-03-05