Unable to use client TLS certificate: error ssl client auth signature failed

gsep dot daimler dot com requires authentication with a user's client certificate.
I don't know whether you have tested client certificates on any web site yet.

  1. Client certificate has been imported into the login keychain on Mac OS. Unfortunately the delivered PKCS12 file is missing the issuing CA, which is a customer CA and not an official root CA.
    Certificate Data:
    Version: 3 (0x2)
    Serial Number: 9065421335634063981 (0x7dced8ac91b7326d)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = DE, O = Daimler AG, CN = Daimler-AG-ALM-GSEP
    Validity
    Not Before: Mar 4 21:12:24 2020 GMT
    Not After : Mar 4 21:22:24 2022 GMT
    Subject: C = DE, O = Daimler AG, CN = Daimler-AG-ALM-GSEP_23911
  2. Regardless of whether I leave the certificate untrusted by “System Default” or whether I trust it manually within key chain, I always get the same result. And I cannot import the issuer CA, because I simply don’t have it.
  3. Access gsep dot daimler dot com
  4. Choose the named client certificate
  5. ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

Expected result:

  1. Client certificate is presented to the server and the TLS handshake finishes successfully, as in e.g. Firefox and Safari, but not Google Chrome, which gives the same error.

Brave Version: 1.22.67 Chromium: 89.0.4389.90 (Official Build) (x86_64)

Additional Information:

  1. Shields are down for this site (individually).
  2. I get no error messages in the developer tools console.
  3. I get no response back from the web site: no headers or HTTP error codes.
  4. The server does have valid TLS server certificates issued by Quovadis Root CA.
  5. openssl s_client output:

openssl s_client -connect gsep.daimler.com:443 -cert Daimler-AG-ALM-GSEP_23911.pem -verify +2
verify depth is 2
CONNECTED(00000005)
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
verify return:1
depth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
verify return:1
depth=0 C = DE, ST = Baden-W\C3\BCrttemberg, L = Stuttgart, O = Daimler AG, CN = gsep.daimler.com
verify return:1

Certificate chain
0 s:C = DE, ST = Baden-W\C3\BCrttemberg, L = Stuttgart, O = Daimler AG, CN = gsep.daimler.com
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
2 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 G3
Server certificate
-----BEGIN CERTIFICATE-----
MIIG/TCCBOWgAwIBAgIUZIf53c0VrDnjIdvXnYqmcjb91j8wDQYJKoZIhvcNAQEL

-----END CERTIFICATE-----
subject=C = DE, ST = Baden-W\C3\BCrttemberg, L = Stuttgart, O = Daimler AG, CN = gsep.daimler.com
issuer=C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3

Acceptable client certificate CA names
C = DE, O = Daimler AG, CN = Daimler-AG-ALM-GSEP
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5508 bytes and written 1699 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: D208D422264D4807BAD0A2D68C95F38E1283A9827137EDA6BAA62D5B5E25409F
Session-ID-ctx:
Master-Key: 8745EE0829A64E4A45CD00D7C48EABB823F3DBCA4E407965EF6F55B8CD8C0BDA4F7D287A0D18B4D7AED0381F0094CF64
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1617017119
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

P.S. As a new user, I may only put 4 links in a post, even though it was always the same…
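Two checks worth running on the received PKCS#12 before reporting a client-certificate handshake failure, as an added example that is not part of this post or of Brave: it uses only the openssl CLI, builds its own throwaway CA, client certificate and PKCS#12 (placeholder names, not the Daimler material), and parses a constructed copy of the "Acceptable client certificate CA names" block in the same format s_client printed above.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): a throwaway customer CA and client
# cert are built and packed into a PKCS#12 like the one the user received (no issuing
# CA inside); then two checks run against it and a constructed s_client excerpt.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed sample material; names are placeholders, keys are throwaway.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/C=DE/O=Example AG/CN=Example-ALM-GSEP" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/C=DE/O=Example AG/CN=Example-ALM-GSEP_23911" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
  -out "$WORK/client.p12" -passout pass:secret
# An unrelated key, to show what a cert/key mismatch looks like to the check below.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/wrong.key" 2>/dev/null

# Constructed excerpts in the format s_client prints (compare the post's real output).
printf '%s\n' 'Acceptable client certificate CA names' \
  'C = DE, O = Example AG, CN = Example-ALM-GSEP' \
  'Client Certificate Types: RSA sign, DSA sign, ECDSA sign' > "$WORK/sclient.txt"
printf '%s\n' 'Acceptable client certificate CA names' \
  'C = DE, O = Example AG, CN = Some-Other-CA' \
  'Client Certificate Types: RSA sign' > "$WORK/sclient-other.txt"

# Extract certificate and key from the PKCS#12 as separate PEM files (the Bag
# Attributes lines in that output are skipped by the PEM readers).
openssl pkcs12 -in "$WORK/client.p12" -passin pass:secret -clcerts -nokeys -out "$WORK/p12-cert.pem"
openssl pkcs12 -in "$WORK/client.p12" -passin pass:secret -nocerts -nodes -out "$WORK/p12-key.pem"

# $1 = cert PEM, $2 = key PEM. The public key derived from the private key must equal
# the one in the certificate, or every CertificateVerify the client signs is rejected.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# $1 = cert PEM, $2 = saved s_client output. The issuer, printed in the one-line form
# s_client itself uses, must appear verbatim in the acceptable CA names block.
issuer_accepted() {
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt oneline | sed 's/^issuer= *//')
  sed -n '/^Acceptable client certificate CA names$/,/^Client Certificate Types/p' "$2" \
    | grep -Fxq "$issuer"
}

key_matches_cert "$WORK/p12-cert.pem" "$WORK/p12-key.pem" && echo "key matches certificate"
issuer_accepted "$WORK/p12-cert.pem" "$WORK/sclient.txt" && echo "issuer is in the server's acceptable CA list"
```

On a real system, replace the generated files with the delivered .p12 and a saved `openssl s_client` transcript; if either check fails, the problem is in the credential or the server's CA list rather than in any one browser.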