curl – SSL peer does not support certificates of the type it received – or how I learned that certificates have a purpose

I was trying to authenticate against an Apache webserver with a client certificate when I encountered this:

$ curl -X POST \
    https://my-server.com/dummy/user \
    -H 'Cache-Control: no-cache' \
    -H 'Content-Type: application/json' \
    -d '{"name_first":"Some", "name_last":"Name"}' \
    --insecure \
    -v \
    -i \
    --key-type PEM \
    --cert-type PEM \
    --cert ./my.cert.pem \
    --key ./my.key.pem
* About to connect() to my-server.com port 443 (#0)
*   Trying 2xx.xx.xx.xxx...
* Connected to my-server.com (2xx.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=my-common-name,OU=IT,O=My Company,L=City,C=Country
*       start date: Jul 10 07:07:55 2018 GMT
*       expire date: Jul 10 07:17:55 2020 GMT
*       common name: my-common-name
*       issuer: CN=My-CA,DC=company,DC=local
* NSS error -12225 (SSL_ERROR_UNSUPPORTED_CERT_ALERT)
* SSL peer does not support certificates of the type it received.
* Closing connection 0
curl: (35) SSL peer does not support certificates of the type it received.

After posting on Server Fault, as I was fairly helpless at this point, I learned that

$ openssl x509 -in ./my.cert.pem -text -noout

on the client certificate will give me a “key usage” section telling what the certificate may be used for. In my case this was:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

which makes my certificate a server certificate and not a client certificate.
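
The same check as a reusable shell function (an added example, not part of the original post): it reads the text that openssl x509 -text -noout prints and reports whether the Extended Key Usage permits TLS client authentication. The function name and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl x509 -text -noout` output on stdin.
# Returns 0 if the certificate may be used for TLS client authentication,
# 1 if an Extended Key Usage (EKU) extension is present without that purpose.
eku_allows_client_auth() {
  # The EKU values are printed comma-separated on the line after the header.
  _eku=$(awk '
    found { sub(/^[ \t]+/, ""); print; exit }
    /X509v3 Extended Key Usage/ { found = 1 }
  ')
  if [ -z "$_eku" ]; then
    # No EKU extension: the certificate is not restricted by EKU
    # (Key Usage and CA policy can still apply).
    echo "no EKU extension: not restricted by EKU"
    return 0
  fi
  case "$_eku" in
    *"TLS Web Client Authentication"*)
      echo "client auth allowed: $_eku"
      return 0 ;;
    *)
      echo "client auth NOT allowed: $_eku"
      return 1 ;;
  esac
}

# Constructed sample mirroring the output shown above (server-only EKU).
sample_text='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication'

printf '%s\n' "$sample_text" | eku_allows_client_auth || true
```

Against a real file: openssl x509 -in ./my.cert.pem -text -noout | eku_allows_client_auth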

You can find the full details on Server Fault:

curl – SSL peer does not support certificates of the type it received