Feedback: Certificate Authentication (mTLS) dialog doesn’t show enough information to correctly select a certificate

Basic Information

Please provide a descriptive title for your feedback:

Certificate Authentication (mTLS) dialog doesn’t show enough information to correctly select a certificate

Which area are you seeing an issue with?

Safari

What type of feedback are you reporting?

Incorrect/Unexpected Behavior

Details

What does the Safari issue you are seeing involve?

Something else not on this list

Please provide a URL and screenshot if possible to help us investigate the issue:

See attached screenshots

What extensions or content blockers do you have enabled? Examples: AdBlock, 1 Blocker

n/a

Were you able to capture a screen recording of the issue occurring? If so, please attach it to this feedback report.

Yes

Do you have Private Relay enabled?

No

What time was it when this last occurred?

n/a

Description

Please describe the issue and what steps we can take to reproduce it:

We use a CryptoTokenKit extension to insert certificates for mTLS in Safari. The certificates are from US Govt-issued smart cards, and the common name in the certificates can be the same or the first part of the common name may be the same. Safari presents a dialog to select a certificate, but it doesn’t order them in the same order each time, only provides the first part of the CN, and only shows the CN and not other information about the certificates. This causes problems with authenticating with mTLS because the user has to guess which certificate might work, and if they select the wrong one, Safari may not present the dialog again if the authentication succeeds but the certificate is not authorized for that website.

In macOS, you are able to see the entire certificate when prompted, which helps to decide which certificate to select. Also, there should be the ability to see the entire CN and not just the first part of the common name.

I have attached screenshots of the dialog that appears and the certificates that were inserted into the keychain by our CTK extension.

Files

IMG_1620.PNG

1-Test Cardholder.cer

IMG_1621.PNG

4-(null).cer

2-(null).cer

3-(null).cer