Tls client authentication

I currently have HA setup with the nginx ssl proxy and a letsencrypt tls server certificate and am able to connect to it remotely. Now I’d like to enable mTLS. I created a root ca, an intermediate and a client certificate using openssl. I installed the root ca on my pixel 7 (android 13) and it appears under trusted credentials as expected. Next I exported a pkcs12 bundle by concatenating the signed client cert and intermediate cert, and included the private key. When I try to upload this pkcs12 bundle to my phone, it’s not accepted and no error is displayed on the screen. If I connect the phone up via usb and in adb logcat there is an openssl error message “wrong_tag” that is display when the pkcs12 file is being read. The error is display before the phone prompts for the password to decrypt the pkcs12, so its complaining about something in the unencrypted portion of the file; not the password encrypted certificates or private key. For what it’s worth, my pkcs12 file works fine on iOS phones and on OSX. I can use it w/ mTLS to access ha on those platforms, just not on android.

Do you have mTLS working with the HA companion app on android? How did you create your client certificate? Were there any special steps you took or guidelines you followed to create a pkcs12 bundle that android 13 would accept?