Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Only Firefox does not recognize my SSL client certificate

more options

Hello everyone,

Context I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best

Result On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site.

On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox

What I have done to client certifiat


Creation of authority certificate

I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name

[ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64

[ certauth ] subjectKeyIdentifier

And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

The key client openssl genrsa -out client.key 2048 The CSR file openssl req -config ./openssl.cnf -new -key client.key -out client.req and then the certificat file : openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer

P12 In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

I then integrate my p12 certificate the same way under Pale Moon and Firefox

My question How do I get Firefox to ask me for the client certificate without it ignoring it?

My certificat visible on Firefox attached

Hello everyone, '''Context''' I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best '''Result''' On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site. On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox '''What I have done to client certifiat''' '''Creation of authority certificate''' I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64 [ certauth ] subjectKeyIdentifier And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer '''The key client ''' openssl genrsa -out client.key 2048 '''The CSR file''' openssl req -config ./openssl.cnf -new -key client.key -out client.req '''and then the certificat file : ''' openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer '''P12 ''' In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 I then integrate my p12 certificate the same way under Pale Moon and Firefox '''My question ''' How do I get Firefox to ask me for the client certificate without it ignoring it? My certificat visible on Firefox attached
Captures d’écran jointes

Toutes les réponses (2)

more options

Out of curiosity, I just tried with the ESR version of Firefox and bing, it works fine !!!


So my actual Firefox version (102) seems to be too recent for my certificate and key. Firefox seems to have changed some rules, certainly more restrictive.

To make the client certificate compatible with Firefox 102, I have to use other options in the commands when creating my cefs and certificates

more options

This could be it:

Firefox 101+ require the host name to appear in the SAN (Subject Alt Name) extension field. Before this, if it was missing from that field, Firefox would check the common name field. https://www.mozilla.org/firefox/101.0/releasenotes/ ("Changed" section)