Hello,

We're using the FTP Server with SSL, but when connecting with Filezilla it gives a certificate warning saying that the certificate isn't trusted. It's issued by "Cybertrust Educational CA" which is an intermediate CA, and we use the same certificate successfully on Apache, and the keystore we're using has both entries contained in it. It seems like the FTP server isn't presenting the Cybertrust Educational certificate to the client. We used to use a certificate directly from Verisign, which worked because the certificate was built into the FTP client.

Checking the certificates from Apache like this:

openssl s_client -connect ourserver.warwick.ac.uk:443

shows the correct information:

depth=1 /C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/ST=West Midlands/L=Coventry/O=The University of Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
   i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
 1 s:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---

Which is fairly normal; importantly, the CA cert is in the chain. The FTP server running on another port gives this:

depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=GB/ST=West Midlands/L=Coventry/O=The University of Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=West Midlands/L=Coventry/O=The University of Warwick/OU=Information Technology Services/CN=ourserver.warwick.ac.uk
   i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
---

No CA certificate presented. keytool shows both present in the keystore:

ourserver.warwick.ac.uk, 07-Jan-2008, keyEntry,
Certificate fingerprint (MD5): 85:26:06:1B:10:88:E0:9D:E0:0C:58:73:0E:76:09:D0
educational, 07-Jan-2008, trustedCertEntry,
Certificate fingerprint (MD5): D6:E7:7D:94:51:8C:3E:7C:62:BD:FE:77:E4:CB:B0:0F

The owner and issuer entries definitely match up. Has anybody else had this problem?

Nick Howes
University of Warwick, UK
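
The comparison made by eye in the message above can be automated. The following is an added example, not part of the original post: it parses the "Certificate chain" section of openssl s_client output and lists issuers that a presented certificate names but the server did not send. The function names and the CN-only sample listings are constructed for illustration.

```python
import re

# Constructed samples modelled on the two "Certificate chain" listings in the
# post; the distinguished names are shortened to their CN for readability.
APACHE = """\
Certificate chain
 0 s:/CN=ourserver.warwick.ac.uk
   i:/CN=Cybertrust Educational CA
 1 s:/CN=Cybertrust Educational CA
   i:/CN=GTE CyberTrust Global Root
---
"""
FTP = """\
Certificate chain
 0 s:/CN=ourserver.warwick.ac.uk
   i:/CN=Cybertrust Educational CA
---
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject, in_chain = [], None, False
    for line in s_client_output.splitlines():
        line = line.strip()
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":
            break  # end of the chain listing
        elif in_chain:
            m = re.match(r"\d+\s+s:(.*)", line)
            if m:
                subject = m.group(1).strip()
            elif line.startswith("i:") and subject is not None:
                chain.append((subject, line[2:].strip()))
                subject = None
    return chain

def missing_issuers(chain, trusted_roots=()):
    """Issuers named by a presented cert but neither sent nor a trusted root."""
    known = {subject for subject, _ in chain} | set(trusted_roots)
    missing = []
    for subject, issuer in chain:
        if issuer == subject:  # self-signed certificate, nothing further to find
            continue
        if issuer not in known and issuer not in missing:
            missing.append(issuer)
    return missing
```

Pass the roots the client already trusts as trusted_roots; any name left in the result is a certificate the server has to send for that client to build a path.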
