Invalid security certificate

Posted: 2009-02-09 03:44
by Meta
Hello,
I am not new to computers, but brand new to FTP servers.
I have been able to set up my FTP server to use SSL/TLS and everything is peachy.
My only issue (albeit a small one) is that when I connect the first time using FireFTP, it gives me the following warning message:
[ip address] uses an invalid security certificate.

- The certificate is only valid for [Name].
- The certificate does not come from a trusted source.

This could be a problem with the server's configuration,
or it could be someone trying to impersonate the server.

If you have connected to this server successfully in the past,
the error may be temporary, and you can try again later.
Now, I can click Add Exception and it'll work. But I was just wondering if there was a way to set up my certificate so that it doesn't show that error message. Is it possible? Is that what certificate authorities are for? Is it possible for a "self-signed certificate" (if I understand cryptographic terminology properly) to be valid/secure so as to suppress the warning?

Re: Invalid security certificate

Posted: 2009-02-09 08:32
by botg
Yes, not really and not really.

CAs' only purpose is to get your money. All nice and shiny, but why should I trust some certificate only because some CA trusts it? Unless I have personally reviewed that particular CA in detail and in person, I don't trust it.

Self-signed certificates are actually more secure than certificates signed by a CA. If I get a self-signed cert prompt, I call the server administrator so that he can verify the fingerprint of the certificate. Then I do know the certificate is legit.
Browser manufacturers on the other hand seem to get paid money by the CAs so that their root certificates get included.

They even invent some special certificate classes once in a while that get sold for 100 times the price which can make the browser's address bar change color. They are only interested in profits, not actual security.

Re: Invalid security certificate

Posted: 2009-02-09 14:54
by Meta
Cool! Thanks for the explanation.

Re: Invalid security certificate

Posted: 2009-02-09 19:25
by boco
Do you know http://www.cacert.org/ yet? They're giving out free certs.

Re: Invalid security certificate

Posted: 2009-02-09 22:17
by botg
And no browser has them included for various dubious reasons. The truth is that CAcert does not have the money to pay browser vendors for inclusion.

Re: Invalid security certificate

Posted: 2009-03-26 19:47
by forthelove
I started having trouble viewing my Linksys router after I created a security cert. for my newly created FileZilla FTP server. I began a search to solve this issue so I could access my router again.

Secure Connection Failed


An error occurred during a connection to 192.168.1.1.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem.
I found this post on getting a certificate from cacert.org... only to get this error LOL... I blame Firefox...

Secure Connection Failed
        

www.cacert.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)


    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

          Or you can add an exception…

Goddamnit...

Re: Invalid security certificate

Posted: 2009-04-08 19:07
by mistyPotato
Yeah,

Yet ANOTHER example of filthy rich, greedy corporate American CEOs and their trusty equally greedy lawyers strangling the little guy to make sure that every dime goes in THEIR pockets.

God forbid we could get a FREE certificate. (or the cure for cancer be released) OH NO!

Too much M-O-N-E-Y to be made.

Is it any wonder this Country is on the fast path to Hell?

Re: Invalid security certificate

Posted: 2009-04-08 22:59
by nomnex
botg wrote: If I get a self-signed cert prompt, I call the server administrator so that he can verify the fingerprint of the certificate.
Q1. When a certificate has been created with FileZilla server, how can I check its fingerprint (XP Pro here)? I can do that locally using the client and clicking the lock, but I don't know how to view the certificate.crt file's information otherwise.

Q2. The MD5 and SHA-1 return different values when I check my certificate.crt file from the OS, and the MD5 and SHA-1 displayed on the certificate GUI when I open it in the client (also FZ). Can they be different values?

Q3. When creating a certificate, the Private key file and the certificate file are both contained in the certificate.crt file. I don't understand the function/purpose of the key password (in the SSL/TLS settings) and when do I need it.

Thanks

Re: Invalid security certificate

Posted: 2009-04-09 06:51
by botg
1) Certificate management tools like the command-line openssl tool
2) The signature hashes are over the raw certificate; if you hash the file you also hash headers and the base64 encoding.
3) Certificates created with a password outside of FZS.
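
Added example (not part of the original posts and not FileZilla code): a Python sketch of answer 2, showing that a certificate fingerprint is the hash of the decoded certificate bytes, not of the .crt file, and how to compare it with a fingerprint read out by the server administrator. It assumes the file is PEM text holding a key block followed by a CERTIFICATE block, as Q3 describes; the sample bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_block(label, raw):
    """Wrap raw bytes as a PEM block with 64-column base64 lines (CRLF)."""
    b64 = base64.b64encode(raw).decode("ascii")
    body = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\r\n{body}\r\n-----END {label}-----\r\n"


# Constructed placeholder bytes, NOT a real certificate or private key.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_FILE = (pem_block("PRIVATE KEY", b"\x01" * 96)
               + pem_block("CERTIFICATE", SAMPLE_DER)).encode("ascii")


def cert_der(file_bytes):
    """Return the decoded (raw) bytes of the first CERTIFICATE block."""
    m = CERT_RE.search(file_bytes.decode("ascii", "replace"))
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(data, algo="sha1"):
    """Colon-separated upper-case hex digest, as certificate dialogs show it."""
    hx = hashlib.new(algo, data).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))


def matches(file_bytes, spoken, algo="sha1"):
    """Compare the certificate fingerprint with one read out by the admin."""
    want = re.sub(r"[^0-9A-F]", "", spoken.upper())
    have = fingerprint(cert_der(file_bytes), algo).replace(":", "")
    return hmac.compare_digest(have, want)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "certificate:", fingerprint(cert_der(SAMPLE_FILE), algo))
        print(algo, "whole file :", fingerprint(SAMPLE_FILE, algo))
```

The two values printed per algorithm differ because the whole-file hash also covers the key block, the BEGIN/END headers, the base64 text and the line endings.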

Re: Invalid security certificate

Posted: 2009-04-09 09:41
by nomnex
botg wrote: 1) Certificate management tools like the commandline openssl tool
Is there a GUI certificate management (link)? The MS certificate console is not compatible with .crt files

2 & 3 thanks

Edit: the openssl documentation is interesting but a little ahead of my level of understanding. The easiest way I found to find the cert. fingerprint is to open it in the FZ client and to copy it, or take a print screen.