I have a local node for Bitcoin, so there is no valid HTTPS/SSL certificate. To be honest, I do not fully understand the mechanism.
My node offers the possibility to download the certificate, so I did. I wanted to import it to Brave. Under my certificates (“Meine Zertifikate”) I get an error “Der private Schlüssel für dieses Clientzertifikat fehlt oder ist ungültig”, so I thought maybe under server. There is no error, but nothing happens at all.
Your post triggered my curiosity. I do not know anything about this issue so my comments may be way off base. I was wondering if you tested using Chrome or another Chromium-based browser and does it work in those environments? I think that information may clarify if this is a Brave specific issue or not.
I am not understanding the steps. If you go to brave://settings/security and click on Manage certificates, I do not see a “my certificates” tab. Are you trying to import using the “Personal” tab (first tab)? I am using Windows and I have pasted a screenshot of what I see when I click Manage certificates. Does it matter which tab you choose? Could that be the problem? I was also wondering if there could be a formatting error within the file itself that is causing a problem. Is that possible?
Finally, I think it would help someone who does understand the issue if you provided the Brave release and the OS version found at brave://version.
If you have already resolved this issue, please post an update on how the issue was resolved. It may help someone else experiencing the same issue. Thanks!
Thank you! I will ask and post until hopefully someone who can help you with this issue pops in.
This should not be happening. Can you please post the errors/links? A screenshot may help too. Also, can you go to brave://crashes and see if you have any crash ids listed?
Even though a linked reference above may be using localhost, I think the actions would apply to any environment when determining how and where to import and install the certificate. So, have you tried testing using the suggested actions below?
You should be adding it to the ‘Authorities’ tab in Chrome browser. The Authorities tab is for self-signed certs, whereas the ‘Your Certificates’ tab is for identity certs.
For properly importing the .crt and the .key into the nssdb database for Chrome I suggest you convert the client certificate + the private key into a PKCS12 certificate, for example:
Give it any export password you want, but write it down, because you’ll need it later when importing. After this, you can import the file “sample.p12” in the Chrome browser, using the tab ‘Your Certificates’.
I think what you may be trying to do is add it to the wrong certificate store. If you’re attempting to add it under “Your Certificates”, you’re gonna have a bad time. That tab is for adding identity certificates; what your browser offers to the server to establish the browser’s identity.
What I think you want to do, based on your description, is you want your browser to trust the self-signed cert that will be on your server end. If that’s the case, you need to add it in your “Authorities” tab.
Chrome expects a file in PKCS12 format, which is used to store the certificate, any intermediate certificate and the private key in a single encryptable file. These files usually have the .p12 and .pfx extensions.
So, I am thinking you may need to try importing to an “Authorization” tab and/or modify the import file format?
I looked at the Raspberry Pi documentation online but couldn’t locate anything useful. May be (probably is) my search terms. Do you have any official documentation links that would be helpful?
Finally, have you tried finding any relevant information on the Raspberry Pi Github?
Sorry for the wall of text. We could try to tag some community members who are technically savvy but I do not know if they would be familiar with this particular issue. We could also try tagging some Brave Community Moderators but I am thinking this is a Chromium issue and not a Brave Browser issue per se. Have you tried searching/posting to Chromium support?
Edit: Corrected messed up text when I moved some things around when composing reply originally.
Also, please verify your Debian(Linux Mint)/Raspberry Pi versions are up to date. Posting the version information will probably help. So, even if your brave://version information has errors and is not displaying your OS version information, you should be able to determine the version numbers from the OS installations themselves.
For example, I use win10 and can find my version displayed in System Information.
I saw that but I have no key file, so I tried it without, not working.
I did this a while ago, did not help.
I followed your links, nothing helped, just to make it clear. I am running a Bitcoin full node on my Raspberry Pi and my computer is a beast. So I am not running a Raspberry Pi as a computer. Over https I just access the status website of my node.
The screenshot of your brave://version is displaying as expected. The information displayed is basically the status of your Brave set-up.
For example, in my own words and with limited technical vocabulary and knowledge, the command line information displays flags/switches used when you start brave. This Brave Help Center article has more information on command line flags: How Do I Use Command Line Flags in Brave?. The executable path is where the Brave .exe file resides on your computer. Profile path is the path to your user data and variations has programming parameters and the status (enabled/disabled) of various settings when Brave is loaded.
I really thought using an Authorities tab, and specifically the Intermediate Certification Authorities tab, and a different file format (.PFX, .P12) instead of .cert would solve your issue. IMO, importing certificates is a global function vs an environment specific function. So, you should be able to import a certificate regardless of whether you have Raspberry Pi or are running a bitcoin full node. I think this is a problem with importing the certificate file itself: where it should be imported and how it is formatted and signed, if that makes sense!
Other thoughts:
When you downloaded (exported) the certificate, did it give you any other file format options other than .cert? Is it possible to download from the issuer vs through your node? I’m thinking the issuer may have other file formats and/or keys available.
I would really like to know the solution to this issue! I was really hoping someone more tech savvy or experienced with certificates would pop in. Since that didn’t happen, I will go ahead and tag a couple of community members and moderators for you. May not get a response but can’t hurt to try! Also, you might want to try posting to the Chromium and Linux support forums. You may have better luck there.
TL;DR Brave version 1.46.144; Linux Mint 21.1/Cinnamon 5.6.5; Raspberry Pi, Bitcoin full node access via https; Exported .cert certificate from node; “Private key is missing or invalid when importing a certificate” error when importing certificate file; tried importing at brave://settings/security -> Manage certificates using My Certificates, Server, and Authorities tabs all with same error; Does not have a separate key file; Unknown if can use or tried to use a different certificate file format
I am familiar with start parameters, but which one would I need?
I know it should not make a difference where you run Brave, but it can.
Just to make it clear, I run a Linux Mint with Brave on it, I access the Bitcoin full node on my Raspberry Pi. I don’t know if this is of any interest, the node access runs on an nginx server.
I’m not certain at this point that I fully understand your setup, but if I’m breaking it down correctly, you essentially have a web service on the Raspberry Pi and the client browser (Brave) on your local Linux Mint PC. Is this correct?
If so, then it might simply be that the web service is signing the site with a certificate that your browser doesn’t trust. And it won’t trust it, unless you add the site’s certificate authority’s public key to the list of trusted certs on your client machine.
@donbolli a screenshot of the error page would be very helpful and I don’t think that has been posted yet. Please provide one. Also note that if it’s similar to what you get here: https://self-signed.badssl.com/
If you expand the error before taking the screenshot it will give us more detail to work with.
Also, I understand your desire to not put Chrome on the machine, but there is very likely a Chromium package for Linux Mint; and if so, it would help to see if the behavior is the same there (or with Firefox for that matter).
Can you please provide the other extensions you have tried?
I don’t know either, but my thought is that regardless of whether the installation of various components reside where they are needed or not for access, you should be able to import a certificate. Even if that certificate is inaccessible to other environments you are using because of some set-up or installation issue, if it is a valid certificate, you should be able to import the certificate using Brave’s certificate import tool.
I just provided information on what is displayed at brave://version. AFAIK, you don’t need any flags changed or added for this issue.
@JimB1 @donbolli Please clarify for my understanding and then I’ll just bow out.
I understood the error to be generated at brave://settings/security -> Manage certificates when trying to import the certificate file. But apparently I misunderstood. So, in actuality, the certificate was imported using Manage certificates but when the site is accessed using https://, that is when the error is displayed. Correct?
We were definitely talking at cross purposes if so! Thanks JimB1 for popping in and taking over.
Not at all @Chocoholic , I think you’re right, just want to make sure we’re troubleshooting the right ‘root cause’ problem so to speak.
Also since this appears to be on Linux we might have some differences in how cert importation is handled, we may have to cross that bridge at some point as well.
@donbolli thanks for the screenshots, but in the spirit of seeing the original issue, I am hoping we can confirm the problem leading us down this path. Is it a certificate validation issue similar to the screenshot (from badssl.com) that I posted? Or are you seeing something different that is leading us to this point?
Sure but we already addressed this. Chromium != Chrome. OTOH if you are concerned that it’s ‘close enough’ then presumably one would have the same concern with Brave.
No worries. Thanks for the new screenshots, the first two are from Chromium?
Merry Christmas!
So it certainly does look like a typical certificate mismatch issue; so the efforts above have not been in vain.
However one thing I notice, and let me know if I’m off here, I might be missing something due to the translation – but the certificate presented by the site is for ‘myNode.local’ , whereas the 2nd screenshot shows ‘org-myNode’, is that the site listed as the CN (or a SAN) in the imported certificate?
As I said from the beginning, I have no clue about certificates. You are right, they have a different name, but at least I think this is not the problem.
Understood. However there might be multiple issues here – I think you are encountering the first now, and there could be a second one later.
With certificate validation, your browser essentially wants to check these two things (among others, but these are common):
Is the shown certificate issued by an authority (Certificate Authority) whom I trust?
If so, is the shown certificate actually for the site I am visiting? (For example, if paypal.com and mybank.com both get their certs from the same issuer, and you already trust that issuer, it would still be an error for the mybank.com certificate to be shown by paypal.com.)
In your case, if you are being shown a ‘self-signed’ certificate and it is ‘issued’ (created) by an untrusted CA – in this case, probably some process that only exists locally on the web server – then your browser has no reason to trust that CA (issuer), unless you forcibly tell it that it must. The public example here is https://self-signed.badssl.com/ .
On top of that, even if your browser does trust the issuer, if the certificate was created for a hostname that is different from the one you are visiting (mybank.com vs. paypal.com), that will also fail validation. The name of the visited site must be in the ‘CN’ (Common Name) or ‘SAN’ (Subject Alternative Name) fields of the certificate, or match a wildcard (*.paypal.com) if the certificate was created with one. Public example, https://wrong.host.badssl.com/ .
But we can deal with one thing at a time.
In this case your browser is just trying to validate the site’s certificates. The site is not also trying to validate the browser’s certificates (I don’t believe). So, since the client browser is not trying to also prove its own identity (mutual authentication scenario), there is no need for it to import any private keys or private certificates. It only needs to be told to trust the public key of the CA.
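The two checks described in the post above (trusted issuer, then matching name), as an added example that is not part of the original thread: a simplified Python model over dictionaries shaped like the output of `ssl.SSLSocket.getpeercert()`. The sample certificates are constructed from the two names mentioned in the thread, trust is reduced to an issuer-name lookup (a browser verifies the signature chain), and the `cn_fallback` switch is an assumption added to show that Chromium-based browsers match on SAN entries only and ignore the CN.

```python
# Added example: simplified model of the issuer-trust and name-match checks.
# Certificates are dicts in the shape returned by ssl.SSLSocket.getpeercert().

def field(name, key):
    """Return the first value of `key` (e.g. 'commonName') in a subject/issuer."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def label_match(pattern, host):
    """Case-insensitive match; '*' may stand in only for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard covers exactly one label
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def hostname_ok(cert, host, cn_fallback=False):
    """Check 2: was the certificate created for the site being visited?"""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:                  # when SAN DNS names exist, the CN is not consulted
        return any(label_match(s, host) for s in sans)
    cn = field(cert.get("subject", ()), "commonName")
    return bool(cn_fallback and cn and label_match(cn, host))

def issuer_trusted(cert, trusted_names):
    """Check 1, simplified: only the issuer's name is compared here."""
    return field(cert.get("issuer", ()), "commonName") in trusted_names

def validate(cert, host, trusted_names, cn_fallback=False):
    if not issuer_trusted(cert, trusted_names):
        return "untrusted issuer"
    if not hostname_ok(cert, host, cn_fallback):
        return "name mismatch"
    return "ok"

# Constructed sample: self-signed certificate that names only 'org-myNode' (CN).
NODE_CERT = {
    "subject": ((("commonName", "org-myNode"),),),
    "issuer": ((("commonName", "org-myNode"),),),
}
# Constructed sample: the same certificate reissued with the visited name as a SAN.
FIXED_CERT = dict(NODE_CERT, subjectAltName=(("DNS", "myNode.local"),))
```

Importing the issuer under “Authorities” only changes the first result; a certificate whose names do not include the hostname in the address bar still fails the second check.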