Om de ûnderfining foar jo te ferbetterjen is tydlik de funksjonaliteit dan dizze website troch ûnderhâldswurk beheind. Wannear in artikel jo probleem net oplost en jo in fraach stelle wolle, kin ús stipemienskip jo helpe yn @FirefoxSupport op Twitter en /r/firefox op Reddit.

Sykje yn Support

Mij stipescams. Wy sille jo nea freegje in telefoannûmer te beljen, der in sms nei ta te stjoeren of persoanlike gegevens te dielen. Meld fertochte aktiviteit mei de opsje ‘Misbrûk melde’.

Mear ynfo

Dizze konversaasje is argivearre. Stel in nije fraach as jo help nedich hawwe.

Only Firefox does not recognize my SSL client certificate

more options

Hello everyone,

Context I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best

Result On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site.

On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox

What I have done to client certifiat


Creation of authority certificate

I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name

[ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64

[ certauth ] subjectKeyIdentifier

And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

The key client openssl genrsa -out client.key 2048 The CSR file openssl req -config ./openssl.cnf -new -key client.key -out client.req and then the certificat file : openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer

P12 In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

I then integrate my p12 certificate the same way under Pale Moon and Firefox

My question How do I get Firefox to ask me for the client certificate without it ignoring it?

My certificat visible on Firefox attached

Hello everyone, '''Context''' I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best '''Result''' On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site. On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox '''What I have done to client certifiat''' '''Creation of authority certificate''' I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64 [ certauth ] subjectKeyIdentifier And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer '''The key client ''' openssl genrsa -out client.key 2048 '''The CSR file''' openssl req -config ./openssl.cnf -new -key client.key -out client.req '''and then the certificat file : ''' openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer '''P12 ''' In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 I then integrate my p12 certificate the same way under Pale Moon and Firefox '''My question ''' How do I get Firefox to ask me for the client certificate without it ignoring it? My certificat visible on Firefox attached
Keppele skermôfbyldingen

Alle antwurden (2)

more options

Out of curiosity, I just tried with the ESR version of Firefox and bing, it works fine !!!


So my actual Firefox version (102) seems to be too recent for my certificate and key. Firefox seems to have changed some rules, certainly more restrictive.

To make the client certificate compatible with Firefox 102, I have to use other options in the commands when creating my cefs and certificates

more options

This could be it:

Firefox 101+ require the host name to appear in the SAN (Subject Alt Name) extension field. Before this, if it was missing from that field, Firefox would check the common name field. https://www.mozilla.org/firefox/101.0/releasenotes/ ("Changed" section)