The error message "400 Bad Request - No required SSL certificate was sent" is tied to the SSL/TLS handshake. The server expects the client to present a valid certificate for identity verification, but the handshake completes (or is aborted) without the client presenting one. It occurs in mutual TLS (mTLS) environments.
Server Configuration: The server is configured to require client certificates for specific resources (APIs, web services, or restricted paths).
Client Certificate Missing: The client (browser, curl script, or application) attempted the connection without providing the required SSL certificate due to misconfiguration, an empty keystore, or incorrect file paths.
Step 1: Validate Client and Server Requirements:
Check Client Configuration: Ensure the client (browser, curl script, or service) is configured to present the required SSL certificate and private key during the connection attempt.
Verify Certificate Trust: Confirm that the server trusts the Certificate Authority (CA) that issued the client certificate.
Match Certificate Fields: Ensure the client certificate fields (such as CN or SANs) match the specific requirements defined on the server.
Debug Handshake: Use curl -v or a network analyzer such as Wireshark to confirm that the server sends a "Certificate Request" and that the client fails to respond with a "Certificate" message.
Step 2: Configure Edge SWG Bypass:
If the Edge SWG is intercepting the traffic, it must be configured to tunnel the request without protocol detection or authentication for the mTLS handshake to pass through to the destination server.
Recommended: Content Policy Language (CPL) Implementation
Implement the following script in your CPL to bypass the affected traffic:
Review this policy before installing it.
;=========== For Explicit Deployments ===========================================
define condition underwriteme_Allow
; Add the target URLs or IP addresses of the mTLS destination here
url.domain=example.com
end

; The rule must be placed in a Proxy layer. detect_protocol(no) stops the SWG from
; detecting and intercepting the TLS session and authenticate(no) skips proxy
; authentication, so the client's own certificate reaches the destination untouched.
<Proxy>
condition=underwriteme_Allow detect_protocol(no) authenticate(no) ALLOW
;================================================================================
Diagnostic Example:
Below is an example of the error as it appears in a verbose curl log.
Note: Do not mistake the "Server certificate" section for the error. The server certificate may be perfectly valid; it is the client certificate that is missing.
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=engine.sandbox
* start date: Jan 21 04:01:41 2026 GMT
* expire date: Apr 20 04:01:40 2026 GMT
...
> GET /v4/admin/health HTTP/1.1
> Host: engine.sandbox
...
< HTTP/1.1 400 Bad Request
< Content-Type: text/html
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>
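To make the "Debug Handshake" step repeatable, here is an added example (not part of the original article) that classifies a verbose curl log: it separates the mTLS failure above (handshake completed, server certificate accepted, nginx answered 400) from a rejected server certificate, an unloadable client certificate file, and a TLS 1.3 server that aborts the handshake. The sample logs are constructed; the curl and OpenSSL message fragments are matched as substrings and are assumed to be what current builds print.

```python
import re
# Line patterns from a verbose curl (-v) log. The nginx body text is the one in the
# diagnostic example above; the other strings are the messages curl/OpenSSL print for a
# rejected server cert (exit 60), an unloadable client cert (exit 58) and a TLS 1.3 abort.
PATTERNS = {
    "tls_established": re.compile(r"^\* SSL connection using (\S+)"),
    "server_cert_subject": re.compile(r"^\*\s+subject: (.+)$"),
    "http_status": re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})"),
    "nginx_no_client_cert": re.compile(r"No required SSL certificate was sent"),
    "server_cert_untrusted": re.compile(r"SSL certificate problem:"),
    "client_cert_load_failed": re.compile(r"could not load PEM client certificate"),
    "handshake_aborted": re.compile(r"alert certificate required"),
}

def parse_curl_log(text):
    """Collect the handshake and HTTP facts needed to tell the failure modes apart."""
    facts = {key: None for key in PATTERNS}
    for line in text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and facts[key] is None:
                facts[key] = match.group(1) if match.groups() else True
    return facts

def diagnose(text):
    """Return (code, explanation) for one curl -v log."""
    f = parse_curl_log(text)
    if f["client_cert_load_failed"]:
        return "client_cert_load_failed", "check the --cert/--key paths and PEM format"
    if f["server_cert_untrusted"]:
        return "server_cert_untrusted", "the server certificate failed validation; not the mTLS error"
    if f["handshake_aborted"]:
        return "client_cert_missing", "TLS 1.3 server aborted the handshake: no client certificate sent"
    if f["tls_established"] and f["http_status"] == "400" and f["nginx_no_client_cert"]:
        return "client_cert_missing", (f"handshake completed ({f['tls_established']}), server cert "
                                       f"{f['server_cert_subject']} accepted; nginx got no client cert")
    if f["http_status"] and f["http_status"].startswith("2"):
        return "ok", "mTLS handshake and request succeeded"
    return "unknown", "no known marker; capture the handshake with Wireshark"

# Constructed sample logs; the first mirrors the diagnostic example above.
LOG_CLIENT_CERT_MISSING = """\
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*  subject: CN=engine.sandbox
> GET /v4/admin/health HTTP/1.1
< HTTP/1.1 400 Bad Request
<head><title>400 No required SSL certificate was sent</title></head>
"""
LOG_SERVER_CERT_UNTRUSTED = "curl: (60) SSL certificate problem: unable to get local issuer certificate\n"
```

Run diagnose() on the output of curl -v (captured with 2>&1); a "client_cert_missing" result means the client side needs its certificate and key configured, not the server's trust store.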
mTLS: Mutual TLS authentication is a two-way authentication process. While traditional TLS only requires the server to prove its identity, mTLS requires the client to prove its identity as well. This is standard in high-security environments such as financial services or healthcare.
mTLS Requirement: The server is configured to require a client certificate for specific resources, such as APIs, web services, or restricted directory paths.
The Failure: This error occurs when a client (browser, script, or service) attempts a connection without presenting the mandatory SSL certificate. This usually stems from a missing certificate in the client's keystore, an incorrect file path in a script, or a failure to configure the client to use its certificate during the TLS handshake.