5

I have a website I want to use client authentication certificates with. This is just a personal website for myself and a handful of family/friends, so I created a CA to sign some certificates that I can distribute to them so they can sign on without a password.

The problem is, I created two client certificates in p12 format, but I can't load both into Chrome OR Firefox. But I CAN load each individually, but I get 'unknown errors' when I try to load the second.

So if I load my cert first into Chrome or Firefox, it loads fine. Then if I add my wife's, I get an error. If I delete mine and add only my wife's cert, it adds fine. But then when I try to import my cert, it gives an error.

This is how I created everything.

#1 Make CA and Cert
openssl genrsa -aes256 -out projects_ca.key 4096
openssl req -new -x509 -days 365 -key projects_ca.key -out projects_ca.crt

#2 Make Server Key 
openssl genrsa -aes256 -out projects_server.key 4096
openssl req -new -key projects_server.key -out projects_server.csr

#3 Self Sign Server Key
openssl x509 -req -days 365 -in projects_server.csr -CA projects_ca.crt -CAkey projects_ca.key -set_serial 001 -out projects_server.crt

#4 Make Client Key
openssl genrsa -aes256 -out husband_client.key 4096
openssl req -new -key husband_client.key -out husband_client.csr

#5 Sign Client Key
openssl x509 -req -days 365 -in husband_client.csr -CA projects_ca.crt -CAkey projects_ca.key -set_serial 001 -out husband_client.crt

#6 Convert Client Key to p12
openssl pkcs12 -export -out husband_client.p12 -inkey husband_client.key -in husband_client.crt -certfile projects_ca.crt

Then I repeat steps 4-5 for 'wife_client'.

But I can NOT import BOTH wife_client.p12 AND husband_client.p12 into Chrome.

Specifically, in Chrome, when I import the 2nd key, it asks for the p12 password, which I enter. But then it gives this error:

"Unknown Error"

In Firefox, I import the 2nd key, it also asks for the password which I enter, then I get this error:

"The PKCS #12 operation failed for unknown reasons."

Chrome is actually Chromium 53.0.2785.143

Firefox is 52.0.2 on Linux

How do I import two .p12 keys? They work individually, and I can sign into my website when I have just one installed. How can I get two installed?
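An added example, not part of the original question or answer: steps 3 and 5 above pass `-set_serial 001` for every certificate signed by projects_ca, while RFC 5280 requires serial numbers to be unique per issuing CA. The script below uses a throwaway CA with constructed names, unencrypted 2048-bit keys and hypothetical helper functions (`make_ca`, `issue_client`, `duplicate_serials`) to issue client certificates with random serials and to flag certificates that share an issuer and serial.

```shell
#!/bin/sh
# Added example (not from the original post). Names and paths are constructed.
set -eu

# make_ca DIR: throwaway CA; -nodes (no passphrase) is for this demo only.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR NAME [SERIAL]: sign a client cert with the CA in DIR.
# Without SERIAL, a random 128-bit serial is used instead of a fixed one.
issue_client() {
  dir=$1; name=$2; serial=${3:-0x$(openssl rand -hex 16)}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -set_serial "$serial" -out "$dir/$name.crt" 2>/dev/null
}

# duplicate_serials CERT...: print each issuer-hash/serial pair seen more than once.
duplicate_serials() {
  for crt in "$@"; do
    openssl x509 -in "$crt" -noout -issuer_hash -serial | tr '\n' ' '
    echo
  done | sort | uniq -d
}

demo() {
  d=$(mktemp -d)
  make_ca "$d"
  # The question's pattern: every certificate signed with -set_serial 001.
  issue_client "$d" husband_fixed 001
  issue_client "$d" wife_fixed 001
  echo "fixed serial, duplicates found:"
  duplicate_serials "$d/husband_fixed.crt" "$d/wife_fixed.crt"
  # Same CA, one random serial per certificate.
  issue_client "$d" husband_random
  issue_client "$d" wife_random
  echo "random serials, duplicates found (none expected):"
  duplicate_serials "$d/husband_random.crt" "$d/wife_random.crt"
  rm -rf "$d"
}
demo
```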

1 Answer

0

For other people who end up here doing this with Google Chrome and getting Unknown error - I was doing testing with a backend API so my domain was localhost:3000. Google Chrome takes pk12 certs with domain 127.0.0.1 fine but chokes on localhost:3000. Firefox accepts them without issue.

This appears to be a bug in Chrome to me.
