When trying to log into the UCP web UI using Safari, you might be prompted for a client certificate.
This happens because UCP uses mutual TLS to ensure your data is kept safe. Most browsers, including Chrome and Firefox validate the TLS certificate presented by UCP, but don't send a client certificate to UCP, since that is optional.
Safari behaves slightly differently and always tries to send a client certificate to UCP, so you're prompted to choose one. The problem is that none of the certificates in your Keychain are trusted by UCP, so when you select a certificate, UCP won't be able to validate it, and won't be able to establish a TLS connection.
To solve this, you just need to tell Safari to not use any client certificate as shown here:
If you already chose a certificate, Safari will save your preferences and automatically authenticate with the certificate you chose, so you need to clean your preferences and make Safari prompt you again for a choice:
- Open Keychain Access from Applications > Utilities
- Select Login Keychain and All Items
- Search for "identity preference"
- Find the entry corresponding to the UCP IP address or domain name, and delete it
When you try logging into UCP, you'll be prompted for a choice.