Client PKI Authentication

I am trying to authenticate user’s PKI by a CA that signed the client certificate. I am able to get the certificate picker in the browser to show the relevant certs and it works correctly. But when I select a cert in the browser I get the following error.

I am following the staticMTLS guide here: Client mTLS

    "error": "Certificate with SHA256 d6da30c260618b4ccabd391ed6518f444628fe0835097eade3ef54947f1745fb not allowed"

In NGINX my .conf would look like this to accomplish PKI Authentication.

    server {
        listen 443 ssl;

        ssl_protocols TLSv1.1 TLSv1.2;
        # letsencrypt certificate
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

        # client certificate
        ssl_client_certificate /etc/nginx/client_certs/ca.crt;
        ssl_verify_client optional;

        location / {

Very similar to this: Accept mutualTLS for clients with cert signed by specific CA - #3 by Niels_Bouten

Any help would be greatly appreciated, thank you!
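
As an added example (not part of the original post, and not the gateway's own code), the shell sketch below runs two different checks on the same constructed client certificate: the CA chain check that `ssl_client_certificate` performs in nginx, and a SHA-256 fingerprint allowlist. That the error quoted above comes from such an allowlist is an assumption; the function names, file paths and certificate subjects are hypothetical.

```shell
#!/bin/sh
# Added example. The CA, client certificate and allowlist are constructed locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a client certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# Lowercase hex SHA-256 fingerprint, the same 64-digit form as in the error message.
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Check 1: chain validation against a CA file, as ssl_client_certificate does in nginx.
ca_check() {        # $1 = CA bundle, $2 = client certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo accepted || echo rejected
}

# Check 2 (assumed gateway behaviour): exact match against pinned fingerprints.
allowlist_check() { # $1 = file with one fingerprint per line, $2 = client certificate
    grep -qx "$(sha256_fingerprint "$2")" "$1" && echo accepted || echo rejected
}

make_pki
: > "$WORK/allowlist.txt"                       # nothing pinned yet
echo "CA chain check:     $(ca_check "$WORK/ca.crt" "$WORK/client.crt")"
echo "allowlist (empty):  $(allowlist_check "$WORK/allowlist.txt" "$WORK/client.crt")"
sha256_fingerprint "$WORK/client.crt" >> "$WORK/allowlist.txt"
echo "allowlist (pinned): $(allowlist_check "$WORK/allowlist.txt" "$WORK/client.crt")"
```

A certificate can pass the first check and still fail the second until its own fingerprint is pinned, which is the difference between trusting a CA and trusting individual certificates.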


Welcome to the community. We appreciate you taking the time to search and link a related issue. We hope to get you an update on this soon.


Thank you! I appreciate the quick response.