FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

  • Question

  • User-1837510449 posted

    Hi,

    I'm using FTPS to protect access to IIS FTP services, with self-signed certificates. Starting from version 3.24, FileZilla reports "Key usage violation in certificate has been detected." because there is some restriction on the certificate key usage parameters. It seems that the IIS certificate is not fully RFC 5280 4.2.1.3 compliant.

    Any idea to create a compliant certificate on IIS?

    thanks

    Monday, January 16, 2017 9:01 AM

All replies

  • User690216013 posted

    How did you create this certificate? Tools such as OpenSSL can help you create almost all kinds of certificates for testing purposes,

    https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs 

    Monday, January 16, 2017 12:02 PM
  • User-1837510449 posted

    I created it using integrated IIS feature, creating a self signed (or a domain, I don't remember)...

    Monday, January 16, 2017 12:13 PM
  • User690216013 posted

    If you do create a self-signed certificate via IIS Manager, then it lacks the "Digital Signature" key usage.

    Try to use other tools and they should allow you to specify which key usages are required.

    Tuesday, January 17, 2017 5:47 AM
  • User1163598628 posted

    Have a similar issue to the original author of this post. I exported the generated keystore and certificate from IIS v8.5 and used its private key to generate a self-signed certificate with openssl. The "digitalSignature" key usage flag was added to it. Still getting the same error from the GnuTLS component...

    Error:	GnuTLS error -48: Key usage violation in certificate has been detected.
    Error:	Could not connect to server

    Generated the self-signed certificate with the following commands...

    openssl req -key "key.openssl" -new -x509 -days 365 -out "test.crt"

    With the following in openssl.cnf (the x509_extensions setting has to sit in the [ req ] section for "openssl req -x509" to pick it up):

    [ req ]
    x509_extensions = v3_ca    # The extensions to add to the self-signed cert

    [ v3_ca ]
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

    Wednesday, February 1, 2017 4:40 PM
  • User1732344959 posted

    I had the problem - and a couple of posts here - and then below helped me fix it (based first on ideas I saw above). 

    I had installed openssl-Win32 in the past. Assuming it is installed, I opened an Administrator Cmd line window, to be certain I could do the mapping (I think mapping is an admin function, but why take a chance, just do it). Also, out of habit/convenience I mapped RANDFILE to my c:\tmp (not c:\demo)

    https://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/

    Retrospectively - the C:\tmp mapping *might* have been a mistake - I received the following error: unable to write random state.

    To me it had no discernible effects, and I ignored the error altogether (it's not a terribly secure site, just for private on-the-road stuff) and went through the ENTIRE set of commands as he spelled them out. I just want the error gone and to be able to use FileZilla on this portable FTP server... To you it might be capital.

    The OpenSSL portion of his tutorial ends with the command: pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt

    I needed the following (using all the same file names...): pkcs12 -export -out ia.pfx -inkey ia.key -in ia.crt -chain -CAfile ca.crt

    PFX is the type of file you can import in IIS.

    Consideration on OpenSSL configuration:  I use the good juice above :-)

    ####################################################################
    [ req ]
    default_bits        = 2048
    default_keyfile     = privkey.pem
    distinguished_name  = req_distinguished_name
    attributes          = req_attributes
    x509_extensions     = v3_ca    # The extensions to add to the self-signed cert
    # (I made good use of this and made a note in my config file)
    # based on FEB 2017 https://forums.iis.net/t/1234970.aspx?FTPS+filezilla+3+24+Key+usage+violation+in+certificate+has+been+detected+

    # Passwords for private keys; if not present they will be prompted for
    input_password  = something
    output_password = something

    Besides that I also filled out the Country code / State / Company / my email. The obvious stuff (again, I do this once every 10th blue moon).

    Pay attention where the tutorial tells you to change the company name. I followed this and was able to import the certificate from IIS (in the FTP root). And now I can use the latest FileZilla build; it shows my certificate signed by the above process (ah ah).

    Hope it helps some.  Cheers,

    A.

    Thursday, February 23, 2017 7:29 PM
  • User-1837510449 posted

    I solved it by creating certificates via PowerShell, not IIS Manager. No OpenSSL required; Windows can create well-done certificates, but IIS Manager passes bad parameters when calling the API (I think), so its certificates are not "perfect".

    Friday, February 24, 2017 8:26 AM
  • User1732344959 posted

    @topogigio - thanks, it works. A lot simpler, but not as cute as OpenSSL imo b/c you don't get "your" authority by doing what follows. To repeat/paraphrase http://windowsitpro.com/blog/creating-self-signed-certificates-powershell, start PowerShell:

    # Create the self-signed cert in the machine store; the cmdlet returns the certificate object
    $cert = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName ftp.orwhatever.yourorg.com
    # you get a fingerprint (thumbprint), e.g. 40CHARLONGFINGERPRINT0000001123234AAAAAA
    $cert.Thumbprint
    $yourpwd = ConvertTo-SecureString -String "pick type yr pwd here" -Force -AsPlainText
    # Export the cert plus its private key as a PFX that IIS can import; -Cert accepts the
    # certificate object directly, or the store path cert:\LocalMachine\My\<thumbprint> pasted from above
    Export-PfxCertificate -Cert $cert -FilePath c:\temp\cert.pfx -Password $yourpwd

    Friday, February 24, 2017 3:13 PM
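    The thread's diagnosis (IIS Manager's self-signed certificate lacks the digitalSignature key usage bit that GnuTLS expects on a TLS server certificate) and its PowerShell fix, combined into one script as an added example that is not from any poster: it audits the machine store for certificates that would trip the GnuTLS check, then creates a replacement with the key usage set explicitly. Assumptions: an elevated PowerShell on the IIS host with the Windows 10 / Server 2016-era PKI module (which has the -KeyUsage parameter), and ftp.example.test as a placeholder hostname.

```powershell
# Added example, not from the thread. Audits LocalMachine\My for server certificates whose
# keyUsage extension omits digitalSignature, then creates one that sets it explicitly.
using namespace System.Security.Cryptography.X509Certificates

function Test-ServerCertKeyUsage {
    param([Parameter(Mandatory)][X509Certificate2] $Certificate)

    $kuExt = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if (-not $kuExt) {
        # No keyUsage extension at all: RFC 5280 imposes no restriction, so clients accept it.
        return [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; Subject = $Certificate.Subject
                                  KeyUsage = '(absent)'; NeedsReplacement = $false }
    }
    $flags = $kuExt.KeyUsages
    # A TLS server signs the handshake under (EC)DHE cipher suites, so digitalSignature is
    # required; keyEncipherment is additionally needed for plain RSA key-exchange suites.
    $hasSig = $flags.HasFlag([X509KeyUsageFlags]::DigitalSignature)
    return [pscustomobject]@{
        Thumbprint       = $Certificate.Thumbprint
        Subject          = $Certificate.Subject
        KeyUsage         = $flags.ToString()
        NeedsReplacement = -not $hasSig
    }
}

# 1. Detection: list every certificate in the store that a GnuTLS-based client such as
#    FileZilla 3.24+ would reject with "Key usage violation".
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertKeyUsage -Certificate $_ } |
    Where-Object { $_.NeedsReplacement } |
    Format-Table Thumbprint, Subject, KeyUsage

# 2. Mitigation: create a replacement with the key usage bits spelled out, which the
#    IIS Manager wizard does not do. Hostname is a placeholder.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
    -DnsName 'ftp.example.test' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# Re-check the new certificate: NeedsReplacement should be False.
Test-ServerCertKeyUsage -Certificate $cert
```

    Bind the new certificate to the FTP site in IIS afterwards (or export it with Export-PfxCertificate as shown in the post above); the audit step can be re-run at any time to catch certificates created through the wizard.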
  • User-1763782197 posted

    Same issue 

    Wednesday, July 17, 2019 2:44 PM