The access_denied alert (TLS alert code 49) is sent when a valid certificate was received, but access control policies prevent the connection from proceeding. This goes beyond certificate validation: the certificate might be perfectly valid and chain to a trusted CA, but the peer applies authorization rules that reject this particular certificate holder. The alert is always fatal, so the handshake ends as soon as it is sent. It is common in mutual TLS environments where servers maintain allowlists of authorized client certificates, or where certificate-based access control restricts connections to specific organizational units, serial numbers, or certificate subjects.
The server validates client certificates against an allowlist (by subject, serial number, or fingerprint). The client's certificate is valid but not authorized to access this particular server or resource.
The server has policies that restrict access based on certificate attributes — such as Organizational Unit (OU), country, or certificate serial number ranges. The client's certificate does not meet these criteria.
Some TLS servers restrict access not just by certificate but also by source IP or network. Even with a valid client certificate, connections from unauthorized networks are rejected with access_denied.
Examine the client certificate's subject, issuer and serial number to determine whether they match what the server expects. Compare them against the server's access control documentation.
openssl x509 -in client.crt -noout -subject -issuer -serial
Check the server's TLS configuration for client certificate restrictions. In Nginx, ssl_verify_client and ssl_client_certificate control whether a client certificate is required and which CAs are trusted; attribute-based restrictions are usually expressed with map or if blocks on variables such as $ssl_client_s_dn or $ssl_client_fingerprint. In Apache, check SSLVerifyClient, SSLCACertificateFile and any SSLRequire or Require expr rules that test the SSL_CLIENT_S_DN_* variables. SSLCADNRequestFile only controls which CA names the server advertises in its CertificateRequest; it does not enforce access control. Note that rules evaluated after the handshake at the HTTP layer produce a 403 response rather than a TLS alert, so a bare access_denied alert means the rejection happened inside the TLS handshake itself, typically in the server's certificate verification callback.
Contact the server administrator to confirm your client certificate is registered in their access control system. Provide the certificate fingerprint for verification.
openssl x509 -in client.crt -noout -fingerprint -sha256
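Putting the checklist above together, the following is an added example script (not part of the original page) that extracts the subject, serial number, OU and normalised SHA-256 fingerprint a server allowlist is typically keyed on, replays the allow/deny decision for both an allowlist that registers the certificate and one that does not, and decodes the alert number from the kind of line openssl s_client prints when the server aborts. It assumes openssl is on PATH; the client certificate, the allowlists, the OU policy values and the sample s_client error line are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH.
# Certificate, allowlists, policy values and the sample error line are
# constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLIENT_CERT="$WORK/client.crt"

# Throwaway self-signed client certificate standing in for the one a real
# client would present in the handshake (names are made up).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/client.key" -out "$CLIENT_CERT" -days 1 \
    -subj "/C=US/O=Example Corp/OU=Payments/CN=svc-billing" >/dev/null 2>&1

# The fields the checklist compares against the server's policy.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_serial()  { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
# Lowercase hex without colons, so it compares reliably against whatever
# form the server operator stored in the allowlist.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
# Organizational Unit only, for OU-based policies.
cert_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | awk -F= '/organizationalUnitName/ {print $2}'
}

# Replay of the server-side decision. Status 0: connection proceeds.
# Status 1: the server would abort with access_denied (alert 49).
# Allowlist format: one SHA-256 fingerprint per line, "#" lines are comments.
fingerprint_allowed() {
    fp=$(cert_fingerprint "$2")
    grep -v '^#' "$1" | sed 's/://g' | tr 'A-F' 'a-f' | grep -qx "$fp"
}
ou_allowed() { [ "$(cert_ou "$1")" = "$2" ]; }

# Constructed allowlists: one registers this client, the other does not.
ALLOW="$WORK/allow.txt"; DENY="$WORK/deny.txt"
{
    echo "# sha256 fingerprints of authorized client certificates"
    cert_fingerprint "$CLIENT_CERT"
} > "$ALLOW"
echo "0000000000000000000000000000000000000000000000000000000000000000" > "$DENY"

# Recognising the alert on the client side: openssl s_client ends its error
# output with "SSL alert number N". SAMPLE is constructed in that shape.
s_client_alert() { sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1; }
alert_name() {
    case "$1" in
        40) echo handshake_failure ;;
        42) echo bad_certificate ;;
        48) echo unknown_ca ;;
        49) echo access_denied ;;
        *)  echo "alert_$1" ;;
    esac
}
SAMPLE='80AB:error:0A000419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied:ssl/record/rec_layer_s3.c:1584:SSL alert number 49'

printf 'subject:     %s\nserial:      %s\nfingerprint: %s\n' \
    "$(cert_subject "$CLIENT_CERT")" "$(cert_serial "$CLIENT_CERT")" "$(cert_fingerprint "$CLIENT_CERT")"
for list in "$ALLOW" "$DENY"; do
    if fingerprint_allowed "$list" "$CLIENT_CERT"; then
        echo "$(basename "$list"): fingerprint registered, handshake proceeds"
    else
        echo "$(basename "$list"): not registered, server would send access_denied (49)"
    fi
done
ou_allowed "$CLIENT_CERT" Payments && echo "OU policy 'Payments': allowed"
ou_allowed "$CLIENT_CERT" Finance  || echo "OU policy 'Finance': access_denied"
n=$(printf '%s\n' "$SAMPLE" | s_client_alert)
echo "s_client reported alert $n ($(alert_name "$n"))"
```

The fingerprint is normalised on both sides before comparison because operators paste it in mixed case and with or without colons; a comparison that fails only on formatting looks exactly like a genuine access_denied. To apply this to a real certificate, point CLIENT_CERT at the file you send to the server and replace the constructed allowlist with the fingerprint the administrator confirms is registered.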
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.
A certificate in the TLS handshake was corrupt, contained invalid signatures, or could not be parsed.
The server requires a client certificate for mutual TLS authentication, but the client's certificate was rejected.