ErrorNotes

Fixing '400 Bad Request: No required SSL certificate was sent' in mTLS

intermediate🔒 SSL/TLS2026-04-29| Linux (Ubuntu/CentOS), Nginx, Apache, Kubernetes Ingress-Nginx

Error Message

400 Bad Request: No required SSL certificate was sent
#mtls#nginx#client-certificate#authentication#ssl

The Problem

Few things halt a deployment faster than a cryptic mTLS error. You might be setting up a secure API or an internal admin dashboard when your browser suddenly hits a dead end. Instead of your app, you see a stark white page and a single line of text:

400 Bad Request: No required SSL certificate was sent

This error is the server's way of saying it was expecting a digital ID card from you but came up empty-handed. Your server is configured to demand a client-side certificate, but the handshake failed before it even reached your application logic.

Root Cause Analysis

Standard HTTPS is a one-way street: the server proves its identity to you. Mutual TLS (mTLS) turns this into a two-way street. Here, the server configuration—usually Nginx or Apache—is set to ssl_verify_client on;. If your browser, script, or mobile app doesn't present a valid certificate, the server kills the connection immediately.

Most failures stem from a few specific oversights:

  • The client certificate isn't installed in your browser's local store.
  • The certificate expired last night or hasn't reached its 'Not Before' date yet.
  • The server's ca.crt doesn't recognize the authority that signed your client certificate.
  • Automated tools like cURL or Postman aren't pointed to your .crt and .key files.

Step 1: Audit Server-Side Configuration

Start by verifying that Nginx knows which Certificate Authority (CA) to trust. Open your site configuration, typically found at /etc/nginx/sites-available/default:

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # The mTLS essentials
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;

    location / {
        proxy_pass http://localhost:3000;
    }
}

Check the ssl_client_certificate path carefully. This file must contain the root CA (and any intermediates) that signed your user certificates. If you updated your CA recently but didn't refresh this file, every request will fail with a 400 error.

Step 2: Test with cURL

Isolate the issue by stripping away the browser. Using curl eliminates caching issues and hidden UI settings. You'll need your client.crt and client.key files ready in your terminal.

curl -v --cert client.crt --key client.key https://api.example.com

A successful 200 OK here means your server is healthy. The problem is likely your browser's certificate import. If this still returns a 400, your certificate likely wasn't signed by the CA defined in your Nginx config. Verify the issuer quickly:

openssl x509 -in client.crt -text -noout | grep Issuer

The output should match the Common Name (CN) of the certificate located at your server's ssl_client_certificate path.

Step 3: Preparing Certificates for Browsers

Browsers like Chrome and Safari won't accept raw .crt and .key pairs. You need to package them into a single PKCS#12 bundle (a .p12 or .pfx file) so the OS can handle them securely.

Run this command to create your bundle:

openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt

You will be prompted for an export password. Choose a strong one; this password protects your private key while it sits in your Downloads folder.

Pro Tip: When generating passwords for these bundles, I use the Password Generator on ToolCraft. It runs entirely in your local browser context, ensuring your security assets stay private.

With your client.p12 ready, follow these steps:

  • Navigate to Chrome Settings -> Privacy and Security -> Security.
  • Click "Manage certificates" (this may open your OS Keychain or Certificate Manager).
  • Import the client.p12 file and provide your export password.
  • Restart the browser completely. When you visit the site, a popup should ask you to select the new certificate.

Step 4: Fixing Intermediate CA Gaps

Sometimes the root CA isn't the direct signer. If an intermediate CA issued your certificate, Nginx needs the entire verification chain. Providing only the root CA causes the handshake to fail because the server can't "bridge" the trust gap.

Merge your intermediate and root certificates into a single bundle:

cat intermediate.crt root.crt > full_ca_chain.crt

Update your Nginx config to point ssl_client_certificate to this full_ca_chain.crt file and reload the service.

Verification and Monitoring

Watch your logs in real-time to confirm the fix. A successful mTLS handshake looks different in the access logs than a standard one.

tail -f /var/log/nginx/error.log /var/log/nginx/access.log

For deeper debugging, add $ssl_client_verify to your Nginx log format. It will explicitly log "SUCCESS", "NONE", or "FAILED:subject-mismatch," telling you exactly why a handshake died.

Prevention

Avoid 3:00 AM outages with these practices:

  • Automate Lifecycle: Use cert-manager in Kubernetes or HashiCorp Vault to rotate certificates before they expire.
  • Expiry Alerts: Set up monitoring to ping you 30, 15, and 7 days before a CA or client cert expires.
  • Onboarding Docs: Create a simple internal guide for team members. Browser certificate UIs are notoriously clunky and often require a full restart to pick up new changes.

Related Error Notes

Fix OpenSSL error:06065064: EVP_DecryptFinal_ex:bad decrypt on Private Keys

error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

Fixing NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: Moving Beyond SHA-1

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Fixing ERR_SSL_KEY_USAGE_INCOMPATIBLE in Chrome: A TLS 1.3 Guide

ERR_SSL_KEY_USAGE_INCOMPATIBLE