Only Firefox does not recognize my SSL client certificate
Hello everyone,
Context I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best
Result On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site.
On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox
What I have done to client certifiat
Creation of authority certificate
I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name
[ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64
[ certauth ] subjectKeyIdentifier
And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer
The key client openssl genrsa -out client.key 2048 The CSR file openssl req -config ./openssl.cnf -new -key client.key -out client.req and then the certificat file : openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer
P12 In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
I then integrate my p12 certificate the same way under Pale Moon and Firefox
My question How do I get Firefox to ask me for the client certificate without it ignoring it?
My certificat visible on Firefox attached
Svi odgovori (2)
Out of curiosity, I just tried with the ESR version of Firefox and bing, it works fine !!!
So my actual Firefox version (102) seems to be too recent for my certificate and key. Firefox seems to have changed some rules, certainly more restrictive.
To make the client certificate compatible with Firefox 102, I have to use other options in the commands when creating my cefs and certificates
This could be it:
Firefox 101+ require the host name to appear in the SAN (Subject Alt Name) extension field. Before this, if it was missing from that field, Firefox would check the common name field. https://www.mozilla.org/firefox/101.0/releasenotes/ ("Changed" section)