为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Only Firefox does not recognize my SSL client certificate

more options

Hello everyone,

Context I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best

Result On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site.

On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox

What I have done to client certifiat


Creation of authority certificate

I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name

[ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64

[ certauth ] subjectKeyIdentifier

And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

The key client openssl genrsa -out client.key 2048 The CSR file openssl req -config ./openssl.cnf -new -key client.key -out client.req and then the certificat file : openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer

P12 In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

I then integrate my p12 certificate the same way under Pale Moon and Firefox

My question How do I get Firefox to ask me for the client certificate without it ignoring it?

My certificat visible on Firefox attached

Hello everyone, '''Context''' I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best '''Result''' On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site. On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox '''What I have done to client certifiat''' '''Creation of authority certificate''' I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64 [ certauth ] subjectKeyIdentifier And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer '''The key client ''' openssl genrsa -out client.key 2048 '''The CSR file''' openssl req -config ./openssl.cnf -new -key client.key -out client.req '''and then the certificat file : ''' openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer '''P12 ''' In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 I then integrate my p12 certificate the same way under Pale Moon and Firefox '''My question ''' How do I get Firefox to ask me for the client certificate without it ignoring it? My certificat visible on Firefox attached
已附加屏幕截图

所有回复 (2)

more options

Out of curiosity, I just tried with the ESR version of Firefox and bing, it works fine !!!


So my actual Firefox version (102) seems to be too recent for my certificate and key. Firefox seems to have changed some rules, certainly more restrictive.

To make the client certificate compatible with Firefox 102, I have to use other options in the commands when creating my cefs and certificates

more options

This could be it:

Firefox 101+ require the host name to appear in the SAN (Subject Alt Name) extension field. Before this, if it was missing from that field, Firefox would check the common name field. https://www.mozilla.org/firefox/101.0/releasenotes/ ("Changed" section)