Challenges with client TLS using PIV/CAC on Yubikey + Safari

1. Caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I installed, and run Caddy:

I installed it via the official install instructions for Ubuntu package

a. System environment:

Ubuntu 22.04.1 LTS
macOS 13.2 client

d. My complete Caddy config:

# use this import if you want to always require mTLS certs to get in
(mTLS_required) {
    tls {
        client_auth {
        mode require_and_verify
	    trusted_ca_cert_file /etc/caddy/root_ca.crt
} {
   encode gzip
   respond "Hi {tls_client_subject}! I'm {system.hostname}"
   import mTLS_required

3. The problem I’m having:

I’m trying to get the client certificate dialog to appear in Safari during the mTLS handshake with Caddy, when I have a certificate stored in a Yubikey PIV slot.

The config above uses a Web PKI cert for the server, and requires a client cert from my private PKI.

I have a cert and private in Yubikey PIV slot 9a, as suggested by Apple.

The error I get from Safari is that “The certificate for this server is invalid.” My understanding is that it tried looking for client certs and didn’t find one.

Other notes:

  • Firefox handles this scenario just fine and prompts me for the Yubikey’s PIN when I visit the URL.
  • Yubikey PIV certificates can work in Safari with mTLS. Okta’s “Sign in with PIV / CAC Card” button presents the certificate dialog and shows the Yubikey certificate. But I have no idea what’s different about this vs. Caddy’s handshake.
  • The certificate and key are listed when I run sudo security export-smartcard.
  • I’ve tried this with a new macOS account, and that doesn’t change anything.
  • I’ve also tried setting up nginx to do this, and I have the same issue there.

Additional resources

What’s in Caddy’s logs? Make sure to enable the debug global option.

Please don’t delete any parts of the help topic template. It’s necessary for us to be able to properly help you.

I was able to solve this by adding the intermediate CA to the Caddy trusted_ca_cert_file.
I needed this because the intermediate CA isn’t stored on the Yubikey, only the leaf certificate.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.