Client certificate PFX password is saved in plaintext

[McLaynV]

I have checked the following:

• I have searched existing issues and found nothing related to my issue.

This bug is:

• making Bruno unusable for me
• slowing me down but I'm able to continue working
• annoying
• this feature was working in a previous version but is broken in the current release.

Bruno version

3.3.0

Operating System

Windows 11

Describe the bug

I configured a PFX to be used as a client certificate for a collection. It is saved in plaintext in the opencollection.yml file (see below). IMO, the password should be treated as a secret.

opencollection: 1.0.0

info:
  name: My Collection
config:
  proxy:
    inherit: true
    config:
      protocol: http
      hostname: ""
      port: ""
      auth:
        username: ""
        password: ""
      bypassProxy: ""
  clientCertificates:
    - domain: example.com
      type: pkcs12
      pkcs12FilePath: C:\Path\to\access.pfx
      passphrase: ThisIsASecretPassword
bundled: false
extensions:
  bruno:
    ignore:
      - node_modules
      - .git

.bru file to reproduce the bug

No response

Screenshots/Live demo link

[coderabbitai]

⚠️ Possible Duplicate Issue(s)

• Allow marking client certificate passphrase field as secret or use variable to avoid exposing in bruno.json #5485

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[McLaynV]

This looks like a duplicate of #2685 which was meged 2025-10-27 and available in v2.14.0
However, I encountered it in v3.3.0

[bhavik168]

Hi, I've reproduced this on Bruno v3.4.2 (macOS). The passphrase is written in plaintext to opencollection.yml under config.clientCertificates[].passphrase. I'm going to look into a fix for this and will share if I find root cause or possible solution. Happy to open a PR once I have a solution.