Posted to ftpserver-users@mina.apache.org by Nick Howes <n....@warwick.ac.uk> on 2008/05/14 17:16:30 UTC
Untrusted SSL certificate when using intermediate CA
Hello,
We're using the FTP Server with SSL, but when connecting with FileZilla
it gives a certificate warning saying that the certificate isn't
trusted. It's issued by "Cybertrust Educational CA" which is an
intermediate CA, and we use the same certificate successfully on Apache,
and the keystore we're using has both entries contained in it. It seems
like the FTP server isn't presenting the Cybertrust Educational
certificate to the client. We used to use a certificate directly from
Verisign, which worked because the certificate was built into the FTP
client.
Checking the certificates from Apache like this:
openssl s_client -connect ourserver.warwick.ac.uk:443
shows the correct information:
depth=1 /C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/ST=West Midlands/L=Coventry/O=The University of
Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
1 s:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
---
Which is fairly normal; importantly, the CA cert is in the chain. The
FTP server running on another port gives this:
depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of
Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of
Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of
Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=GB/ST=West Midlands/L=Coventry/O=The University of
Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
---
No CA certificate presented. keytool shows both present in the keystore:
ourserver.warwick.ac.uk, 07-Jan-2008, keyEntry,
Certificate fingerprint (MD5):
85:26:06:1B:10:88:E0:9D:E0:0C:58:73:0E:76:09:D0
educational, 07-Jan-2008, trustedCertEntry,
Certificate fingerprint (MD5):
D6:E7:7D:94:51:8C:3E:7C:62:BD:FE:77:E4:CB:B0:0F
The owner and issuer entries definitely match up.
Has anybody else had this problem?
Nick Howes
University of Warwick, UK
Re: Untrusted SSL certificate when using intermediate CA
Posted by Nick Howes <n....@warwick.ac.uk>.
I know the original post was from a few months ago, but I've had a
couple of private messages asking whether & how I'd solved it so I
thought I'd post a conclusion.
There was a problem with the way we were generating our keystores. To
establish a certificate chain in a keystore, you have to import the
trusted certs as separate entries first, and _then_ import the
certificate reply from your CA. The trusted cert entries aren't used
directly at runtime, but they are used for the import to establish a
chain and record it in your key entry. Examining the keystore with
keytool -v should then confirm a chain with a length greater than 1. If
an afflicted keystore already has an imported cert, a third-party keytool
like "Keytool IUI" can extract the key into a fresh keystore so you can
start from scratch.
Having done all that, FileZilla still complains, but at least the
keystore is properly generated now.
Nick Howes wrote:
> Hello,
>
> We're using the FTP Server with SSL, but when connecting with
> FileZilla it gives a certificate warning saying that the certificate
> isn't trusted. It's issued by "Cybertrust Educational CA" which is an
> intermediate CA, and we use the same certificate successfully on
> Apache, and the keystore we're using has both entries contained in it.
> It seems like the FTP server isn't presenting the Cybertrust
> Educational certificate to the client. We used to use a certificate
> directly from Verisign, which worked because the certificate was built
> into the FTP client.
>
> Checking the certificates from Apache like this:
> openssl s_client -connect ourserver.warwick.ac.uk:443
> shows the correct information:
>
> depth=1 /C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=GB/ST=West Midlands/L=Coventry/O=The University of
> Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
> i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
> 1 s:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
> i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
> CyberTrust Global Root
> ---
>
> Which is fairly normal; importantly, the CA cert is in the chain. The
> FTP server running on another port gives this:
>
> depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of
> Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of
> Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of
> Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/C=GB/ST=West Midlands/L=Coventry/O=The University of
> Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
> i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
> ---
>
> No CA certificate presented. keytool shows both present in the keystore:
>
> ourserver.warwick.ac.uk, 07-Jan-2008, keyEntry,
> Certificate fingerprint (MD5):
> 85:26:06:1B:10:88:E0:9D:E0:0C:58:73:0E:76:09:D0
> educational, 07-Jan-2008, trustedCertEntry,
> Certificate fingerprint (MD5):
> D6:E7:7D:94:51:8C:3E:7C:62:BD:FE:77:E4:CB:B0:0F
>
> The owner and issuer entries definitely match up.
>
> Has anybody else had this problem?
>
> Nick Howes
> University of Warwick, UK
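An added example, not part of this thread and not Apache FtpServer code: a POSIX shell script that rebuilds the situation described in both messages with openssl, so the broken and the correct keystore can be compared side by side. It creates a throwaway root -> intermediate -> leaf PKI (the names, the hostname ftp.example.test, the password changeit and the 2-day validity are made-up test values), packs the leaf key into two PKCS12 keystores, one holding only the leaf certificate (the state of the original poster's keystore) and one with the intermediate stored alongside the key, and then runs the client-side verification that openssl s_client performs against whatever each keystore would cause the server to present. PKCS12 is used instead of the JKS/keytool path from the reply because it can be built and inspected with openssl alone; the keytool import order from the reply is shown in comments and is not executed. Requires openssl on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI plus two PKCS12 keystores,
# one built the "broken" way (leaf certificate only) and one with the
# intermediate stored alongside the key. All names, hostnames and the
# password are made-up test values. Needs openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit                     # keystore password, test value only

# root -> intermediate -> leaf. basicConstraints/keyUsage are set on both CAs
# so "openssl verify" accepts the intermediate as an issuer.
build_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  for n in root int leaf; do
    openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
  done
  openssl req -new -batch -key "$dir/root.key" -subj '/O=Example/CN=Example Root CA' -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -batch -key "$dir/int.key" -subj '/O=Example/CN=Example Intermediate CA' -out "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  openssl req -new -batch -key "$dir/leaf.key" -subj '/O=Example/CN=ftp.example.test' -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -days 2 -out "$dir/leaf.pem" 2>/dev/null
}

# The broken keystore: the key entry carries only its own certificate, so the
# server has nothing but the leaf to send. (JKS equivalent from the reply:
# importing the CA reply into a keystore that does not yet hold the
# intermediate as a trusted entry.)
make_leaf_only_keystore() {
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" \
    -name ftp.example.test -passout "pass:$PASS" -out "$1/leaf-only.p12"
}

# The correct keystore: the intermediate is stored with the key entry, which is
# what the server sends as the chain. JKS/keytool equivalent, as described in
# the reply (not executed here):
#   keytool -importcert -alias educational -file int.pem -keystore ks.jks
#   keytool -importcert -alias ftp.example.test -file leaf.pem -keystore ks.jks
#   keytool -list -v -keystore ks.jks   # key entry shows "Certificate chain length: 2"
make_chained_keystore() {
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" -certfile "$1/int.pem" \
    -name ftp.example.test -passout "pass:$PASS" -out "$1/chained.p12"
}

# How many certificates sit beside the key; 1 means no chain will be presented.
cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-in for the client side of "openssl s_client": the server presents every
# certificate in its keystore, the client trusts only the root. Prints ok/fail.
client_verdict() {
  dir=$1; ks=$2
  openssl pkcs12 -in "$ks" -nokeys -passin "pass:$PASS" 2>/dev/null > "$dir/presented.pem"
  if openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/presented.pem" "$dir/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

main() {
  build_pki "$WORK"
  make_leaf_only_keystore "$WORK"
  make_chained_keystore "$WORK"
  for ks in leaf-only chained; do
    printf '%s.p12: %s certificate(s) beside the key, client verification: %s\n' \
      "$ks" "$(cert_count "$WORK/$ks.p12")" "$(client_verdict "$WORK" "$WORK/$ks.p12")"
  done
  # Show the verify error for the leaf-only case, as a client would report it.
  openssl pkcs12 -in "$WORK/leaf-only.p12" -nokeys -passin "pass:$PASS" 2>/dev/null > "$WORK/presented.pem"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/presented.pem" "$WORK/leaf.pem" || true
}
main
```

Run it with sh. The leaf-only keystore reports one certificate beside the key and a failed verification (the "unable to get local issuer certificate" family of error seen in the first message), the chained keystore reports two and verifies. For a JKS keystore built with keytool the equivalent check is keytool -list -v, where the key entry should show a certificate chain length of 2, as the reply says.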