Introduction
When you open the Vault UI over HTTPS, your browser may show a dialog asking you to "Select a certificate to authenticate yourself". The browser shows this prompt because Vault's TCP listener, with its default settings, asks for a client certificate during the TLS handshake; the prompt is expected listener behavior, not a misconfiguration.
If this behavior is undesired or not applicable for your particular use case, the following procedure describes how to prevent it.
Procedure
Fixing this requires updating the TCP listener stanza in your Vault configuration. The TCP listener has a parameter, tls_disable_client_certs, that controls this behavior. Its default value is false, in which case Vault requests a client certificate from every connecting client and uses one if it is presented. Requesting is not requiring: unless tls_require_and_verify_client_cert is also set, a client that has no certificate, or whose user cancels the browser dialog, still connects.
To disable this behavior, add the following line to the TCP listener stanza in your Vault configuration file.
tls_disable_client_certs = "true"
Here is an example of how this parameter is set in a Vault configuration file.
listener "tcp" {
  address                  = "0.0.0.0:8200"
  tls_cert_file            = "/opt/vault/tls/vault-cert.crt"
  tls_key_file             = "/opt/vault/tls/vault-key.key"
  tls_client_ca_file       = "/opt/vault/tls/vault-ca.crt"
  tls_disable_client_certs = "true"
}
After you make the change to the configuration file, restart the Vault service to ensure that the change takes effect.
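As an added check that is not part of this article or of Vault itself, the following Go program reproduces what the browser does: it performs a TLS handshake against the listener and records whether the server sent a CertificateRequest, which is exactly the message that triggers the dialog. ClientCertRequested and ProbeLocal are names chosen here; vault.example.test is a constructed hostname used only for the in-process server, and vault.example.com:8200 is a placeholder for your own listener address. Run it against the listener before and after the change: before, it reports that a certificate was requested; after a restart with tls_disable_client_certs = "true", it reports that none was.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net"
	"os"
	"time"
)

// ClientCertRequested performs a TLS client handshake over conn and reports whether the
// server sent a CertificateRequest, the message that makes a browser show its "Select a
// certificate" dialog: Go calls GetClientCertificate only when that message arrives.
func ClientCertRequested(conn net.Conn, serverName string, roots *x509.CertPool) (bool, error) {
	requested := false
	c := tls.Client(conn, &tls.Config{
		ServerName: serverName,
		RootCAs:    roots, // nil selects the system trust store
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			return &tls.Certificate{}, nil // send no certificate, as when a user cancels the dialog
		},
	})
	defer c.Close()
	err := c.Handshake() // must finish before requested is read; fails if the listener requires a cert
	return requested, err
}

// selfSignedCert makes a throwaway ECDSA certificate for host (in-process server only).
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// ProbeLocal starts a loopback TLS server with the given client-auth policy and probes it:
// tls.RequestClientCert models Vault's default listener, tls.NoClientCert the disabled one.
func ProbeLocal(auth tls.ClientAuthType) (bool, error) {
	const host = "vault.example.test" // constructed name, used only for SNI and the SAN
	cert, pool, err := selfSignedCert(host)
	if err != nil {
		return false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   auth,
		ClientCAs:    pool, // stands in for tls_client_ca_file
	})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		if srv, err := ln.Accept(); err == nil {
			srv.(*tls.Conn).Handshake() // drive the server side, then hang up
			srv.Close()
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	return ClientCertRequested(conn, host, pool)
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: go run . host:port (for example vault.example.com:8200)")
	}
	host, _, _ := net.SplitHostPort(os.Args[1])
	conn, err := net.DialTimeout("tcp", os.Args[1], 5*time.Second)
	if err != nil {
		log.Fatal(err)
	}
	requested, err := ClientCertRequested(conn, host, nil) // nil roots: system trust store
	log.Printf("client certificate requested: %v (handshake error: %v)", requested, err)
}
```

ProbeLocal exists only so the check can be exercised offline against both listener policies. Against a real listener, main validates the server certificate with the system trust store; if your tls_cert_file is issued by a private CA, pass a pool built from that CA instead of nil. A handshake error together with "requested: true" is what a listener with tls_require_and_verify_client_cert produces when no certificate is sent.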
NOTE: Setting tls_disable_client_certs = "true" prevents users from authenticating to this listener with the TLS Certificates auth method, because the listener no longer asks clients for a certificate. If you need both the silent UI and certificate authentication, serve them from separate listener stanzas rather than disabling client certificates on the one that cert-auth clients use.
NOTE: The tls_disable_client_certs and tls_require_and_verify_client_cert fields in the listener stanza of the Vault server configuration are mutually exclusive; Vault rejects a listener configuration that sets both to true. With the default settings, TLS client verification remains optional: Vault requests a certificate but does not enforce one.