User certificates ignored by Brave, Home Assistant etc

Hiya!

I’m trying to install a user certificate (aka: client certificate) to authenticate against my wiki and a Home Assistant instance using their companion app. Both work fine on my Mac, but it doesn’t work at all on /e/ 2.4.1-t-20241009439851-official-FP4.

It took me a while to figure out that the P12 certificates have to be converted to -legacy in order to successfully import them as “VPN or app” certificate to begin with. But even so, I can’t access the wiki which requires this certificate to be presented. (When I lift this requirement, the wiki loads, so transport security is not the cause.)

Also, some people have updated the webview to fix similar issues. I’ve tried this with both beta and canary to no avail.

And I’ve read somewhere that on Android 13 up, apps have to opt in to the use of imported certificates. The Home Assistant companion app should ask for a user certificate if it is requested, this feature has been added a while ago according to the changelog. Brave should do the same and just to be sure, I even installed Chrome for a test, but it doesn’t use the user certificate either.

The biometric lock is active, so that as well should not be a blocker.

Are there any other prerequisites which have to be met? Or features available through the developer options which must not be active?

Thanks for your help!

wrong type, choose wifi - then it will be used for mutual tls, see Add & remove certificates - Pixel Phone Help (via official docs)

  • Tap Security & privacy and then More security settings and then Encryption & credentials.
  • Tap Install a certificate and then Wi-Fi certificate.

I’ve tried it as wi-fi cert, but unfortunately this changes nothing; the cert is still not presented. (Yes, I have cleared caches, restarted the phone etc to no avail.)

you access this through a browser or the HA app only? I had success with user CAs in the past but had to flip some option flags, see Since the last Update 21062021 the own ca-certificates are not trusted anymore - #10 by tcecyk (context wasn’t mTLS but user CAs though)

Not sure if the users at User CA certificate not working for home assistant - #5 by Ulf tried the option flips

I’ve tried both and both produce a “400 bad request - no required ssl certificate was sent”. The Nginx debug log reads the same, no acceptable user certificate was presented.

Thanks for the hint on Firefox though, the secret setting to use external CA stores is really cool. With this set, I can connect to a server of mine which uses CAcert for transport security in Firefox.


Wouldn’t a website request a cert of this type:

  • Enhanced key usage. (Optional) The purposes for which this certificate can be used.

with usage set to: E-mail Protection, Client Authentication, EFS Encryption

When you go there and then open “User credentials” is your cert there?

Where do you see this? I can only choose between CA, vpn/app cert and wi-fi cert.

Yes, 100%.

@make-nz Ping! Where do you see “enhanced key usage”? I can’t find anything like it in my settings.

This has to come from your CA
In simple terms CA sets clear purpose, what the cert is for and the web site checks if your cert has it set.

Have a look on a desktop PC maybe

grafik
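The extended key usage check described above can also be done from a desktop shell. This is an added example, not part of the thread: it assumes OpenSSL 1.1.1 or newer, the function names are hypothetical, and the sample certificates are constructed throwaway ones.

```shell
#!/bin/sh
# Report whether a PEM certificate can be used for TLS client authentication,
# judged by its Extended Key Usage (EKU) extension.

# Print the EKU value line of a PEM certificate (nothing if the extension is absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# Echo one of: ok | missing | no-eku | unreadable
#   ok      - EKU lists client authentication (or anyExtendedKeyUsage)
#   missing - EKU is present but does not allow client authentication
#   no-eku  - no EKU extension, so the certificate is not restricted by EKU
client_auth_status() {
    openssl x509 -in "$1" -noout 2>/dev/null || { echo "unreadable"; return 1; }
    eku=$(cert_eku "$1")
    case "$eku" in
        "") echo "no-eku" ;;
        *"TLS Web Client Authentication"*|*"Any Extended Key Usage"*) echo "ok" ;;
        *) echo "missing" ;;
    esac
}

# Constructed sample input: a self-signed certificate with the given EKU
# (pass an empty string for a certificate without any EKU extension).
make_sample_cert() {
    out=$1; eku=$2
    set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
        -keyout "$out.key" -out "$out"
    if [ -n "$eku" ]; then
        set -- "$@" -addext "extendedKeyUsage=$eku"
    fi
    openssl req "$@" 2>/dev/null
}

# Demo run on three constructed certificates.
tmp=$(mktemp -d)
make_sample_cert "$tmp/client.pem" "clientAuth,emailProtection"
make_sample_cert "$tmp/server.pem" "serverAuth"
make_sample_cert "$tmp/plain.pem" ""
for name in client server plain; do
    printf '%s: %s\n' "$name" "$(client_auth_status "$tmp/$name.pem")"
done
rm -rf "$tmp"
```

To check a real PKCS#12 bundle, first extract its certificate with `openssl pkcs12 -in bundle.p12 -clcerts -nokeys -out cert.pem` (the file names are placeholders) and pass `cert.pem` to `client_auth_status`.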

I see, that’s not the problem here: