PHP + cURL Request to Server - Requires Certificate/NSSDB

Our system needs to make a cURL call from PHP to a third party serv开发者_StackOverflower. The third party server requires us to include a certificate with the request for authentication. Currently our requests are returning:

HTTP ERROR: cURL ERROR: 0: NSS: client certificate not found or NSS: client certificate not found (nickname not specified)

Server is standard Fedora 15 LAMP stack.

I found the below at http://www.linuxquestions.org/questions/programming-9/stuck-with-php-curl-and-ssl-certificates-322684/ which looks like it will suit your needs, specifically CURLOPT_SSLCERT, CURLOPT_SSLCERTPASSWD, CURLOPT_SSLKEYTYPE, CURLOPT_SSLKEY

    $url            =       "https://www.bla.com/foo"; // onramp url 

    $clientcert    =       $diagno_libdir."/exported-with-private-key.pem"; 
    $keyfile        =       $diagno_libdir."/clientkey.key"; 
    $challenge      =       "nightmare"; 

    print "<bR><BR>$challenge<br><br>"; 
    print "<bR><BR>$keyfile<br><br>"; 

    $header = Array(); 
    $header[] = "Content-Type: multipart/related \r\n"; 
    $header[] = "type=text/xml \r\n"; 
    $header[] = "boundary=--someBoundaryValue-- \r\n"; 
    $header[] = "start=ebXML_Message_Header \r\n"; 
    $header[] = $iptest; 

    $ch = curl_init(); 

    curl_setopt($ch, CURLOPT_URL, $url); 
    curl_setopt($ch, CURLOPT_HEADER, 1); 
    curl_setopt($ch, CURLOPT_VERBOSE, 1); 
    curl_setopt($ch, CURLOPT_POST, 1); 
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header); 
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); 
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); 
    curl_setopt($ch, CURLOPT_FAILONERROR, 1); 
    curl_setopt($ch, CURLOPT_SSLCERT, $clientcert); 
    curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $challenge); 
    curl_setopt($ch, CURLOPT_SSLKEYTYPE, 'PEM'); 
    curl_setopt($ch, CURLOPT_SSLKEY, $keyfile); 

    $ret = curl_exec($ch);  

I realize this question was asked a year+ ago, but since I found it because I ran into (I think) the same issue today:

My issue was that the certificate I was trying to use was signed by a Certificate Authority (CA) that wasn't on the list of CA's accepted by the server. This was verified using openssl.

1. openssl s_client -connect host:443 -showcerts | more (which lists the accepted CA certs)
2. openssl x509 -in mycert.crt -noout -text | more (which shows who signed my cert...)

If the CA from 2. isn't in the list found in 1., then you're not going to be able to complete the SSL authentication.