Fabric access with client certificate auth fails

0

We're using a Fabric secure cluster and need a client certificate for CI/CD tools.

I've created both Cluster primary certificate and client certificate with this script https://gist.github.com/kagarlickij/d63a4061a1066d3a85abcc658f0856f5

So both have been uploaded to the same Key Vault and both have been installed in the local keystore on my machine.

I've added client certificate to my Fabric security settings (Authentication type = Admin client, Authorization method = Certificate thumbprint).

The problem is that I can connect (I'm using Connect-ServiceFabricCluster in PowerShell) to Fabric cluster with Cluster primary certificate but can't with Client certificate. I'm getting this error: Connect-ServiceFabricCluster : FABRIC_E_SERVER_AUTHENTICATION_FAILED: 0x800b0109

Please advise what can be done.

azure-service-fabric
asked on Stack Overflow Aug 1, 2017 by kagarlickij

2 Answers

1

Based on this link, the error message corresponding to 0x800b0109 is:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

You're using a self-signed certificate as a client cert. I'm not sure it's supported, as explained in the Service Fabric Security documentation; moreover, you'll have to make sure the SSL certificate has been added to your local Store.

Client X.509 certificates

Client certificates typically are not issued by a third-party CA. Instead, the Personal store of the current user location typically contains client certificates placed there by a root authority, with an Intended Purposes value of Client Authentication. The client can use this certificate when mutual authentication is required.

Note: All management operations on a Service Fabric cluster require server certificates. Client certificates cannot be used for management.

answered on Stack Overflow Sep 27, 2017 by sebbrochet
0

I had the same issue managing my cluster through PowerShell. I only had 1 cert on the cluster (the one Azure generates when creating the cluster), and I believe it is a client cert since I have to select it in my browser when managing the cluster.

Ultimately I had to add the self-signed cert to my Root certificate store (in addition to my Personal store, where I already had it) to get the PowerShell module to stop complaining about it.

answered on Stack Overflow May 12, 2020 by Josh • edited May 12, 2020 by Josh
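As an added example (not code from the question or from either answer), the following PowerShell script reproduces the chain build that the trust provider performs behind 0x800b0109 for the client certificate, reports an untrusted root before any connection attempt, and only then calls Connect-ServiceFabricCluster with the client certificate and the cluster certificate thumbprint pinned. The thumbprints and endpoint are placeholders, and the Root-store import it prints is the fix from the answer above, left for the operator to decide on.

```powershell
# Added example: diagnose the untrusted-root failure (0x800b0109) for a
# Service Fabric client certificate, then connect. All values are placeholders.
param(
    [string]$ClientThumbprint = '<CLIENT-CERT-THUMBPRINT>',   # placeholder
    [string]$ServerThumbprint = '<CLUSTER-CERT-THUMBPRINT>',  # placeholder
    [string]$Endpoint         = '<cluster-fqdn>:19000'        # placeholder
)

# Look the client certificate up in the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object Thumbprint -eq $ClientThumbprint
if (-not $cert) {
    throw "Client certificate $ClientThumbprint not found in Cert:\CurrentUser\My"
}

# Build the chain the way the Windows trust provider does. A self-signed cert
# whose issuer is not in the Root store ends with status UntrustedRoot, which
# is exactly what FABRIC_E_SERVER_AUTHENTICATION_FAILED 0x800b0109 reports.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) {
    Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
}
$chain.Dispose()

if (-not $trusted) {
    if ($cert.Subject -eq $cert.Issuer) {
        # Self-signed: the Root store is the only place the chain can terminate.
        # Importing there trusts everything signed with this key, so it is
        # printed as a suggestion rather than applied automatically.
        Write-Host "Self-signed client cert is not trusted. To trust it for this user:"
        Write-Host "  Export-Certificate -Cert (Get-Item Cert:\CurrentUser\My\$ClientThumbprint) -FilePath client.cer"
        Write-Host "  Import-Certificate -FilePath client.cer -CertStoreLocation Cert:\CurrentUser\Root"
    }
    throw "Chain for $ClientThumbprint does not end in a trusted root; not connecting."
}

# Chain is trusted: authenticate with the client cert and pin the cluster cert
# so a different server certificate is rejected.
Connect-ServiceFabricCluster -ConnectionEndpoint $Endpoint `
    -X509Credential `
    -ServerCertThumbprint $ServerThumbprint `
    -FindType FindByThumbprint `
    -FindValue $ClientThumbprint `
    -StoreLocation CurrentUser `
    -StoreName My
```

Importing into Cert:\CurrentUser\Root prompts with a Windows trust warning; Cert:\LocalMachine\Root additionally requires an elevated prompt.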

User contributions licensed under CC BY-SA 3.0