How can I use a PEM certificate with password?

Question

I'm having plenty of trouble trying to use a certificate that has a password on ruby. I'm using rest-client, but that's not a requirement.

This is the cURL-equivalent of the call I need to make:

curl -E certificate.pem:PASSWORD -d ident=language -d data="test" "https://theurl" 

I tried many things, but I can't get the password part working. Here's what I have so far:

cert = OpenSSL::X509::Certificate.new(File.read("#{RAILS_ROOT}/certificate.pem"))

reply = RestClient.post("https://theurl", {:ident => 'language', :data => 'test'}, {:ssl_client_cert => cert})

I've tried putting the password everywhere, as :password and :ssl_client_key, I've looked through all documentation I could find but there's nowhere that will accept this password.

This is the error I always get:

SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure

What am I missing?

Answer 1

The way you uses curl with option -E, you are specifying a private key with a certificate.

(from the cURL man page)

-E/--cert

(SSL) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PEM format. If the optional password isn't specified, it will be queried for on the terminal. Note that this option assumes a "certificate" file that is the private key and the private certificate concatenated! See --cert and --key to specify them independently.

So in order to do the samething with RestClient, you can try using the ssl_client_key option. Like:

:ssl_client_key   =>  OpenSSL::PKey::RSA.new(File.read("key.pem"), "passphrase, if any"),