Rejected Client-Certificate in Chrome 61
mmoossen
Updated on June 04, 2022
mmoossen almost 2 years
I have a long-running website secured by self-generated client certificates. It has been working for years without any problems with any browser, such as IE, Firefox and Chrome.
Since the last Chrome update (61.0.3163.100) the client certificates are rejected with the following error message:
This site can’t provide a secure connection my.domain.com didn’t accept your login certificate, or one may not have been provided. Try contacting the system admin. ERR_BAD_SSL_CLIENT_AUTH_CERT
And the site continues to work fine with any other browser! And I cannot find any relevant information out there.
I assume that Chrome just raised the minimal requirements for the client certificates, as it did for server certificates a few months ago, but I have no clue how to fix it.
Any hint what is wrong with my certificates?
Many thanks
UPDATE 15DEC2017
I still had problems and did not find any answer out there.
After a while I figured out that Chrome does not like the client certificates generated by openssl ca.
I was generating the certificates like so:
openssl ca -config openssl.cnf -extensions client -batch -in test.req -out test.cer
I tried everything but I was not able to make it work with Chrome, but again, it worked with all other browsers.
Now I am generating the certificates like so:
openssl x509 -req -in test.req -CA ca.cer -CAkey ca.key -extensions client -extfile openssl.cnf -CAserial ca.srl -out test.cer -sha256
And it works. If I compare the output of openssl x509 -in test.cer -noout -text, there is NO difference!! So I am wondering what Chrome does not like about openssl ca.
I would prefer to use openssl ca over openssl x509, since I cannot use CRLs and I also prefer startdate/enddate over days.
Any ideas?
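An added example, not part of the original post: `openssl x509 -noout -text` prints decoded values, so two certificates can produce the same text while their DER encodings differ, for instance in the ASN.1 string type of a name attribute. The Python sketch below compares two DER structures element by element and reports differing tags or values; the sample names are constructed, and it does not establish what Chrome objected to in this case.

```python
# Added example: structural diff of two DER encodings (tag and value per element).
TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING", 0x06: "OID",
             0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String",
             0x17: "UTCTime", 0x30: "SEQUENCE", 0x31: "SET"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end); single-byte tags, definite lengths."""
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F or length == 0x80:
        raise ValueError("not handled: multi-byte tag or indefinite length")
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, pos, pos + length

def walk(buf, start=0, end=None, path=()):
    """Yield (path, tag, value) depth first; value is None for constructed types."""
    end = len(buf) if end is None else end
    pos, index = start, 0
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos)
        here = path + (index,)
        if tag & 0x20:                     # constructed: descend into children
            yield here, tag, None
            yield from walk(buf, cs, ce, here)
        else:
            yield here, tag, bytes(buf[cs:ce])
        pos, index = ce, index + 1

def der_diff(a, b):
    """Describe where two DER structures differ in tag or primitive value."""
    name = lambda t: TAG_NAMES.get(t, hex(t))
    out, ea, eb = [], list(walk(a)), list(walk(b))
    for (pa, ta, va), (pb, tb, vb) in zip(ea, eb):
        where = "/".join(map(str, pa))
        if pa != pb:
            return out + [f"{where}: structure diverges"]
        if ta != tb:
            out.append(f"{where}: tag {name(ta)} vs {name(tb)}")
        elif va != vb:
            out.append(f"{where}: {name(ta)} value {va.hex()} vs {vb.hex()}")
    return out + (["element count differs"] if len(ea) != len(eb) else [])

# Constructed sample: the Name "CN=test" encoded with two different string types.
NAME_PRINTABLE = bytes.fromhex("300f310d300b0603550403130474657374")
NAME_UTF8 = bytes.fromhex("300f310d300b06035504030c0474657374")
print(der_diff(NAME_PRINTABLE, NAME_UTF8))
```

To run it on real certificates, convert each to DER first (`openssl x509 -in test.cer -outform DER -out test.der`) and pass the file bytes to `der_diff`. Serial number, validity dates and signature will differ between any two separately issued certificates, so the entries of interest are the remaining ones.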