ssl – Firefox does not offer client certificate: SSL_ERROR_HANDSHAKE_FAILURE_ALERT


A CA certificate expired and was regenerated with the same private key.
The existing client certificates work with Chrome, but fail with Firefox:

An error occurred during a connection to example.com. SSL peer was
unable to negotiate an acceptable set of security parameters.

Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

Firefox does not prompt for the client certificate, and does not send it – suspecting that something does not match the client certificate selection process.

How could this be debugged on Firefox side?
How does Firefox decide when to ask for / offer the client certificate?

What has been verified

  • Fails both on Firefox 78 on Mac and Firefox 77 on Linux; the same client certificate that worked with the previous CA certificate is present in both Firefox instances.
  • On Mac where the same client certificate works in Chrome (and thus is present in Keychain), enabling security.osclientcerts.autoload in Firefox does not help.
  • “Acceptable client certificate CA names” match between the old and new CA certificate.
  • “Client Certificate Types” for the new certificate are “RSA sign, DSA sign, ECDSA sign”. For the old they are “RSA fixed DH, DSS fixed DH, RSA sign, DSA sign”. This seems to be acceptable.