I host a website that uses mTLS for authentication. I created a client cert and installed it in Firefox on Linux, and when I visit the site for the first time, Firefox asks me to choose my cert and then I’m able to visit the site (and every subsequent visit to the site is successful without having to select the cert each time). This is all good.

But when I install that client cert into GrapheneOS (settings -> encryption & credentials -> install a certificate -> vpn & app user certificate), no browser app seems to recognize that it exists at all. Visiting the website from Vanadium, Fennec, or Mull browsers all return “ERR_BAD_SSL_CLIENT_AUTH_CERT” errors.

Does anyone have experience successfully using an mTLS cert in GrapheneOS?

[SOLVED] Thanks for the solution, @Evkob@lemmy.ca

  • Evkob@lemmy.ca
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    3 months ago

    I’m pretty sure you need to install it using “CA certificate” rather than the “VPN and app user certificate” option.

    • Mike WooskeyOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      Thanks for the reply, @Evkob@lemmy.ca.

      I tried to install my client cert in “CA Certificate” but the certificate manager app in GrapheneOS said that it was the wrong kind of cert to be used in “CA Certificate”. It is, after all, a client cert, not a CA cert.

      :(

      • Evkob@lemmy.ca
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        After some searching, maybe following the instructions on this blog post would work?

        I’m by no means an expert though, so take my suggestions with a grain of salt.

        • one_knight_scripting@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          3 months ago

          I’m by no means an expert though, so take my suggestions with a grain of salt.

          Good on you for trying to help though, seriously. And OP I wanna hear if you’re able to get it squared away.

        • Mike WooskeyOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          Thanks for your research and the suggestion, @Evkob@lemmy.ca.

          I wasn’t able to make that work, but I don’t think it was trying to solve the problem I’m having, anyway. That procedure was to add self signed SSL certificate to Android, but my certificate is neither self-signed nor an SSL cert. At least I think not - I find certs very confusing. The cert I’m trying to work with is an mTLS cert, a client cert. It’s not used to establish a secure SSL connections, it’s used to verify that I (the person with the cert) and authorized to use the app.

          Additionally, I’m able to successfully install the cert into Android, but the problem is that it seems to be ignored. The mTLS cert is installed in GrapheneOS’s “VPN & App User Certificate” section, and my CA cert is installed in the “CA Certificate” section. Vanadium, Fennec, and Mull browsers just aren’t using them. :(

          • Evkob@lemmy.ca
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 months ago

            Like I said, not an expert haha (thanks for explaining what mTLS is because I had assumed I knew but truly didn’t)

            That being said, I found a reddit thread detailing what seems to be the same issue as you, with OP linking a Stack Exchange post with their solution.

            • Mike WooskeyOP
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              3 months ago

              [SOLVED!] That Stack Exchange post was the solution! I had to ask ChatGPT for assistance (e.g., “how do I view the contents of a .crt and a .p12?”, “how do I add a CA to a client cert?”), but it worked. Thanks for your help, @Evkob@lemmy.ca.

              I don’t think I would have ever thought that my client cert didn’t contain the CA, especially because when I clicked on the client cert that was installed in GrapheneOS, it showed me a summary that said it did contain a CA! grrrr

              (tagging @one_knight_scripting@lemmy.world as he wanted to know the solution)

            • Mike WooskeyOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              Wow! That sounds exactly like my issue. I’ll try the workaround tomorrow. Thanks, @evkob@lemmy.ca.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    3 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CA (SSL) Certificate Authority
    SSL Secure Sockets Layer, for transparent encryption
    VPN Virtual Private Network

    3 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

    [Thread #952 for this sub, first seen 5th Sep 2024, 21:45] [FAQ] [Full list] [Contact] [Source code]