Client certificate issue with yubikey

ddribeiro · January 31, 2025, 10:25am

What is the name of the domain?

subdomain.example.com

What is the error number?

ssl_error_handshake_failed

What is the error message?

ssl_error_handshake_failed

What is the issue you’re encountering

When trying to use a cloudflare issued client certificate loaded onto a yubikey PIV, I always get a ssl_error_handshake_failed

What steps have you taken to resolve the issue?

I have mTLS client certificates protecting a number of subdomains.
This functionality is working without any issue.

I tried importing the client certificate into a yubikey, and even tried issuing a new one and importing it into the yubikey.
I can see the certificate in the 9a slot in the yubikey, and I can get it read in Firefox without issues, with the same prompt as I would for the browser loaded certificates.

However, whenever I use the client certificate from the yubikey, I always get a ssl_error_handshake_failed error. This happens on both Windows and Linux machines.

I am just wondering if there is something I am missing?

What is the current SSL/TLS setting?

Full (strict)

ddribeiro · January 31, 2025, 10:28am

I can’t edit the above but here’s the command line showing the cert is loaded correctly in the yubikey:

❯ ykman piv keys info 9a
Key slot:               9A (AUTHENTICATION)
Algorithm:              RSA2048
Origin:                 IMPORTED
PIN required for use:   ONCE
Touch required for use: NEVER

~ 



❯ ykman piv info
PIV version:              5.4.3
PIN tries remaining:      3/3
PUK tries remaining:      3/3
Management key algorithm: TDES
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb341088f8ad9837bed9b56159b958dbcf962c350832303330303130313e00fe00
CCC:   No data available
Slot 9A (AUTHENTICATION):
  Private key type: RSA2048
  Public key type:  RSA2048
  Subject DN:       CN=Cloudflare,C=US
  Issuer DN:        CN=Managed CA 6615e2909e5d55b3a38d75a1c1a0421e,OU=www.cloudflare.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US
  Serial:           7b:4b:b9:a5:73:0b:4a:d4:86:2d:cd:b8:44:15:c9:ef:8e:58:13:49
  Fingerprint:      3242962ceacb0b11777983cf88d989c3122e14cf0ca05662192881edbd4189ab
  Not before:       2025-01-31T09:22:00+00:00
  Not after:        2035-01-29T09:22:00+00:00

system · February 15, 2025, 10:29am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error 525 SSL handshake failed Trouble Access	22	3725	January 2, 2020
Ssl error subdomain Security dns , dash-ssl-tls	42	8705	June 5, 2019
Error ssl handshake failed 525 Getting Started	15	2790	November 10, 2022
SSL Handshake failed - But no changes were made? Security	2	26	September 7, 2024
Frequent SSL Handshake Failed Errors on My Website (thevnapk.com) General	2	36	July 25, 2024