Commercial Certificates are not supported

bctgroup
500 Command not understood
Posts: 5
Joined: 2009-02-25 22:19
First name: Paul
Last name: Welsh

Commercial Certificates are not supported

#1 Post by bctgroup » 2009-02-25 23:46

I've spent quite a bit of time today trying to get a commercial certificate working with FileZilla, only to conclude that FileZilla doesn't support such certificates. When you think about it, it's pretty obvious. The interface provides only for a single certificate and private key. Obviously, all commercial certificates require a CA certificate at least.

You can add the CA and Intermediate certificates to the certificate file but FileZilla will just ignore them. You can have as many Intermediate and CA certificates in the certificate file as you like but unless the FQDN Certificate is first in the file, FileZilla won't load the certificate.

I have just noticed that the latest FileZilla Client, 3.2.2.1, implicitly acknowledges this limitation by no longer displaying an error message that appeared in 2.2.18 - "The error occured [sic] at a depth of 1 in the certificate chain". Instead, it simply shows the certificate details to the user and asks them whether or not to accept it.

So, after hours of trying to get a commercial certificate to work, I've given up and gone for a self-signed one. Luckily I was using a 30 day trial one from Comodo.

BTW, I don't intend for this to be a negative post. I think FileZilla is great. I just thought I'd save anyone thinking about using a commercial certificate a lot of time!

Of course, if anyone has got a commercial certificate to work then please let me know!

botg
Site Admin
Posts: 35539
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Commercial Certificates are not supported

#2 Post by botg » 2009-02-26 00:19

Is it in PEM format?

Re: Commercial Certificates are not supported

#3 Post by bctgroup » 2009-02-26 00:54

Yes, I converted them. Is there a way of getting it to work?

Re: Commercial Certificates are not supported

#4 Post by botg » 2009-02-26 08:28

bctgroup wrote:You can add the CA and Intermediate certificates to the certificate file but FileZilla will just ignore them. You can have as many Intermediate and CA certificates in the certificate file as you like but unless the FQDN Certificate is first in the file, FileZilla won't load the certificate.
Do you mean the client or the server here?

Re: Commercial Certificates are not supported

#5 Post by bctgroup » 2009-02-26 10:59

botg wrote:Do you mean the client or the server here?
The server. The pem file has the client cert, 2 x intermediate certs and the ca root cert in that order.

I've tried swapping around the intermediate certs to no avail.

The server gives no errors loading these certs but the new FileZilla client doesn't give an error message, it just times out trying to negotiate a secure connection.

Re: Commercial Certificates are not supported

#6 Post by botg » 2009-02-26 11:28

Odd. Try increasing the timeout value. Which server version by the way?

Re: Commercial Certificates are not supported

#7 Post by bctgroup » 2009-02-26 11:38

botg wrote:Odd. Try increasing the timeout value. Which server version by the way?
Server is 0.9.30. I'll try increasing the timeouts. The thing is, whether I use a self-signed cert or the client commercial cert (without the rest of the chain), the client software still says "the server's certificate is unknown...".

Supposing the whole certificate chain was working on the server, would the end user still get this warning?

graneman
500 Command not understood
Posts: 2
Joined: 2009-03-11 08:18
First name: anders
Last name: grahn

Re: Commercial Certificates are not supported

#8 Post by graneman » 2009-03-11 08:34

Hi,
bctgroup wrote:the client software still says "the server's certificate is unknown...".
Are you using FileZilla as client software?

The reason for the question is that I have the same problem "the server's certificate is unknown" when I try to connect using FileZilla as a client software (Explicit TLS/SSL). And I'm using vsftpd as an FTP server.

My certificate is from VeriSign also using chained certificates.

So I think maybe that the problem is on the client side and not on the server side, but I'm not sure yet.

BR
graneman
Last edited by graneman on 2009-03-11 08:42, edited 1 time in total.

Re: Commercial Certificates are not supported

#9 Post by bctgroup » 2009-03-11 08:38

Yes, I'm using FileZilla as the client. See my post above about the error message having been removed from the latest version of the client.

I have gone down the self-signed route on this one.

Re: Commercial Certificates are not supported

#10 Post by graneman » 2009-03-11 09:47

bctgroup wrote:Yes, I'm using FileZilla as the client. See my post above about the error message having been removed from the latest version of the client.
Ok, now I have read your post above again, and this time around I got it :-).

>I have gone down the self-signed route on this one.
I understand why.

Thank you for the information.

/graneman
