I host a website that uses mTLS for authentication. I created a client cert and installed it in Firefox on Linux, and when I visit the site for the first time, Firefox asks me to choose my cert and then I’m able to visit the site (and every subsequent visit to the site is successful without having to select the cert each time). This is all good.

But when I install that client cert into GrapheneOS (settings -> encryption & credentials -> install a certificate -> vpn & app user certificate), no browser app seems to recognize that it exists at all. Visiting the website from Vanadium, Fennec, or Mull browsers all return “ERR_BAD_SSL_CLIENT_AUTH_CERT” errors.

Does anyone have experience successfully using an mTLS cert in GrapheneOS?

[SOLVED] Thanks for the solution, @Evkob@lemmy.ca

  • Evkob@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    Like I said, not an expert haha (thanks for explaining what mTLS is because I had assumed I knew but truly didn’t)

    That being said, I found a reddit thread detailing what seems to be the same issue as you, with OP linking a Stack Exchange post with their solution.

    • Mike WooskeyOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      [SOLVED!] That Stack Exchange post was the solution! I had to ask ChatGPT for assistance (e.g., “how do I view the contents of a .crt and a .p12?”, “how do I add a CA to a client cert?”), but it worked. Thanks for your help, @Evkob@lemmy.ca.

      I don’t think I would have ever thought that my client cert didn’t contain the CA, especially because when I clicked on the client cert that was installed in GrapheneOS, it showed me a summary that said it did contain a CA! grrrr

      (tagging @one_knight_scripting@lemmy.world as he wanted to know the solution)

    • Mike WooskeyOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Wow! That sounds exactly like my issue. I’ll try the workaround tomorrow. Thanks, @evkob@lemmy.ca.