Issue
I started to "play" with curl and SSL. I'm working with a client certificate and I'm using curl to send API requests to a server. In the curl command I specify the client certificate, the private key file and the passphrase. Why do I need to specify the private key using the --key option? Am I sending the file to the server, or is it just a way to inform curl how to decrypt the received data?
Solution
You are not sending your private key to the server. The key is used so that the server can verify that the client certificate you are providing was indeed issued to you and that you possess the corresponding private key. It's used to sign a piece of data that was sent by the server. Only this signed data is transmitted, not the key. The server then uses your certificate (which was signed by a CA trusted by the server) to decrypt the data and confirm you are in possession of the corresponding private key. (For more on how TLS checks the client certificate during the TLS handshake, see this answer or this shorter one.)
This is similar to how you usually need to provide a PKCS#12 file to your browser in order to access web pages that require client certificate authentication. PKCS#12 is an archive format that contains the bundled certificate and private key. curl allows you to use this format in the --cert option as well; from the man page:
-E, --cert <certificate[:password]>
(TLS) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure Transport, or PEM format if using any other engine.
Answered By - bagljas
Answer Checked By - David Goodson (WPSolving Volunteer)