ERR_BAD_SSL_CLIENT_AUTH_CERT occurs when a server is configured for mutual TLS (mTLS) authentication and the client certificate presented by the browser is invalid, expired, untrusted, or missing. In standard TLS, only the server presents a certificate. In mutual TLS, the server also requests a certificate from the client to verify the client's identity. This is common in corporate environments, VPN gateways, and zero-trust architectures. The error means either the client did not send a certificate, or the certificate it sent was rejected by the server's validation rules.
Client certificates have validity periods just like server certificates. If the client certificate has passed its expiration date, the server will reject it. Corporate client certificates often expire annually and must be renewed through the organization's PKI.
The server requested a client certificate but the browser does not have one installed, or the user dismissed the certificate selection dialog. The browser may also fail to present the certificate if it is stored in a keychain the browser cannot access.
The server only accepts client certificates signed by specific Certificate Authorities. If the client certificate was signed by a CA other than the ones the server expects, it will be rejected even if it is otherwise valid.
Check your browser's certificate manager or system keychain to confirm the client certificate exists and has not expired. In Chrome, go to Settings > Privacy and Security > Security > Manage certificates.
If you have the certificate file, inspect its validity dates. Client certificates typically need to be renewed through your organization's IT department or PKI system.
openssl x509 -in client.crt -noout -dates -subject
Use curl with the client certificate and key to test the connection directly. This helps isolate whether the problem is with the certificate itself or the browser's handling of it.
curl -v --cert client.crt --key client.key https://yourdomain.com/
In corporate environments, client certificates are managed centrally. If your certificate is expired or missing, your IT department needs to reissue it through the organization's Certificate Authority.
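The local checks from the steps above can be combined into one script. This is an added example, not part of the original page. It assumes the three file paths are placeholders, that the CA bundle holds the CA(s) the server accepts for client authentication, and that a 30-day warning window is suitable.

```sh
#!/bin/sh
# Added example: pre-flight checks for an mTLS client certificate.
# Usage: check_client_cert CLIENT_CERT CLIENT_KEY ACCEPTED_CA_BUNDLE
# All three paths are placeholders; the CA bundle is assumed to hold the
# CA(s) the server accepts for client authentication.
check_client_cert() {
    cert=$1 key=$2 ca=$3 status=0

    # Missing or unparseable certificate: nothing else can be checked.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is missing or is not a PEM certificate"
        return 1
    fi
    openssl x509 -in "$cert" -noout -subject -issuer -dates

    # Expiry: -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired; request a renewal"
        status=1
    elif ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "WARN: certificate expires within 30 days"
    fi

    # Issuer: the chain must end at a CA the server accepts.
    # (openssl verify also fails on an expired certificate.)
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not chain to a CA in $ca"
        status=1
    fi

    # Key pair: the private key must match the certificate's public key,
    # otherwise the client cannot complete the handshake with it.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the certificate"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: certificate passes local checks"
    return "$status"
}

# Run the checks when the script is called with three arguments.
if [ "$#" -eq 3 ]; then check_client_cert "$@"; fi
```

A pass here only rules out the local causes; the server can still reject the certificate under its own validation rules, which the curl test above exercises.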
The browser does not trust the Certificate Authority that signed the server's SSL certificate.
A certificate in the TLS handshake was corrupt, contained invalid signatures, or could not be parsed.
The TLS handshake could not be completed because the client and server failed to negotiate acceptable security parameters.