We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Only Firefox does not recognize my SSL client certificate

more options

Hello everyone,

Context I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best

Result On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site.

On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox

What I have done to client certifiat


Creation of authority certificate

I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name

[ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64

[ certauth ] subjectKeyIdentifier

And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

The key client openssl genrsa -out client.key 2048 The CSR file openssl req -config ./openssl.cnf -new -key client.key -out client.req and then the certificat file : openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer

P12 In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

I then integrate my p12 certificate the same way under Pale Moon and Firefox

My question How do I get Firefox to ask me for the client certificate without it ignoring it?

My certificat visible on Firefox attached

Hello everyone, '''Context''' I have a website on my raspberry for my photos. I have created a client and server ssl certificate to secure the best '''Result''' On my brower "Pale Moon" (firefox fork), it works fine. When I go to my site, I am asked to validate the ssl client certificate before entering the site. On Firefox, I immediatelly get the message : 400 Bad Request No reuqired SSL certificate was sent. I don't get any error code specific to Firefox '''What I have done to client certifiat''' '''Creation of authority certificate''' I put in the file openssl.cnf : [ req ] default_md = sha1 distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country countryName_default = FR countryName_min = 2 countryName_max = 2 localityName = Locality localityName_default = France organizationName = Organization organizationName_default = Raspberry commonName = Common Name commonName_max = 64 [ certauth ] subjectKeyIdentifier And I execute the following command : openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer '''The key client ''' openssl genrsa -out client.key 2048 '''The CSR file''' openssl req -config ./openssl.cnf -new -key client.key -out client.req '''and then the certificat file : ''' openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 3650 -outform PEM -out client.cer '''P12 ''' In order to integrate my certificate in my browser, I convert to p12 format file openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 I then integrate my p12 certificate the same way under Pale Moon and Firefox '''My question ''' How do I get Firefox to ask me for the client certificate without it ignoring it? My certificat visible on Firefox attached
Attached screenshots

All Replies (2)

more options

Out of curiosity, I just tried with the ESR version of Firefox and bing, it works fine !!!


So my actual Firefox version (102) seems to be too recent for my certificate and key. Firefox seems to have changed some rules, certainly more restrictive.

To make the client certificate compatible with Firefox 102, I have to use other options in the commands when creating my cefs and certificates

more options

This could be it:

Firefox 101+ require the host name to appear in the SAN (Subject Alt Name) extension field. Before this, if it was missing from that field, Firefox would check the common name field. https://www.mozilla.org/firefox/101.0/releasenotes/ ("Changed" section)