IIS 7 and Above
FTPS filezilla 3.24 "Key usage violation in certificate has been dete...
Last post Jul 17, 2019 02:44 PM by tahaboooo
Jan 16, 2017 09:01 AM|topogigio|LINK
I'm using FTPS to protect access to IIS FTP services, with self-signed certificates. Starting from version 3.24, FileZilla reports "Key usage violation in certificate has been detected." because there is some restriction on the certificate key usage
parameters. It seems that the IIS certificate is not fully RFC 5280 compliant.
Any idea how to create a compliant certificate on IIS?
Jan 16, 2017 12:02 PM|lextm|LINK
How did you create this certificate? Tools such as OpenSSL can help you create almost all kinds of certificates for testing purposes.
Jan 16, 2017 12:13 PM|topogigio|LINK
I created it using the integrated IIS feature, creating a self-signed (or a domain, I don't remember) certificate...
Jan 17, 2017 05:47 AM|lextm|LINK
If you do create a self-signed certificate via IIS Manager, then it lacks the "Digital Signature" key usage.
Try other tools; they should allow you to specify which key usages are required.
Feb 01, 2017 04:40 PM|edochang|LINK
Have a similar issue to the original author of this post. I exported the generated keystore and certificate from IIS v8.5 and used its private key to generate a self-signed certificate with openssl. The "digitalSignature" key usage flag was added to it.
Still getting the same error from the GnuTLS component...
Error: GnuTLS error -48: Key usage violation in certificate has been detected.
Error: Could not connect to server
Generated the self-signed certificate with the following command...
openssl req -key "key.openssl" -new -x509 -days 365 -out "test.crt"
With the following openssl.cnf:
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ v3_ca ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
Feb 23, 2017 07:29 PM|arn0|LINK
I had the problem - and a couple of posts here - and then the below helped me fix it (based first on ideas I saw above).
I had installed openssl-Win32 in the past. Assuming it is installed, I opened an Administrator command line window, to be certain I could do the mapping (I think mapping is an admin function - but why take a chance - just do it). Also, out of habit/convenience,
I mapped RANDFILE to my c:\tmp (not c:\demo).
Retrospectively, the C:\tmp mapping *might* have been a mistake; I received the following error:
unable to write random state.
To me it had no discernible effect, and I ignored the error altogether (it's not a terribly secure site, just for private on-the-road stuff) and went through the ENTIRE set of commands as he spelled them out. I just want the error gone and to be able to use FileZilla
on this portable FTP server... To you it might be capital.
The OpenSSL portion of his tutorial ends on the command pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
I needed the following (using all the same file names...): pkcs12 -export -out ia.pfx -inkey ia.key -in ia.crt -chain -CAfile ca.crt
PFX is the type of file you can import into IIS.
Consideration on OpenSSL configuration: I use the good juice above :-)
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # I made good use of this - and made a note in my config file. The extensions to add to the self signed cert
# based on FEB 2017 https://forums.iis.net/t/1234970.aspx?FTPS+filezilla+3+24+Key+usage+violation+in+certificate+has+been+detected+
# Passwords for private keys if not present they will be prompted for
input_password = something
output_password = something
Besides that I also filled out the country code / state / company / my email. The obvious stuff (again, I do this once every 10th blue moon).
Pay attention where the tutorial tells you to change the company name - I followed this and was able to import the certificate from IIS (in the FTP root). And now I can use the latest FileZilla build; it shows my certificate signed by the above process.
Hope it helps some. Cheers,
Feb 24, 2017 08:26 AM|topogigio|LINK
I solved it by creating certificates via PowerShell, not IIS Manager. No OpenSSL required; Windows can create well-formed certificates, but IIS Manager passes bad parameters when calling the API (I think), so its certificates are not "perfect".
Feb 24, 2017 03:13 PM|arn0|LINK
@topogigio - thanks - it works - a lot simpler, but not as cute as OpenSSL imo b/c you don't get "your" authority by doing what follows. To repeat/paraphrase
http://windowsitpro.com/blog/creating-self-signed-certificates-powershell, start PowerShell:
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ftp.orwhatever.yourorg.com
# you get a fingerprint: 40CHARLONGFINGERPRINT0000001123234AAAAAA
$yourpwd = ConvertTo-SecureString -String "pick type yr pwd here" -Force -AsPlainText
# Copy the fingerprint you got in the first output, then paste it as you issue the following:
Export-PfxCertificate -cert cert:\localMachine\my\40CHARLONGFINGERPRINT0000001123234AAAAAA -FilePath c:\temp\cert.pfx -Password $yourpwd
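The following is an added example and not code from any post in this thread. It pulls together the pieces the thread arrives at separately: an openssl.cnf that actually carries a complete extension section with digitalSignature in keyUsage (the part edochang's fragment only hints at), the pkcs12 -export step arn0 needed for an IIS-importable PFX, and, for the PowerShell route, a way to read the Key Usage bits back out of the exported cert.pfx so you can confirm what IIS is really serving before retrying FileZilla. It assumes openssl on PATH; the host name ftp.example.test, the PFX password "changeit" and the file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Builds a self-signed FTPS server
# certificate whose keyUsage includes digitalSignature, packages it as a PFX
# for IIS, and provides a check that reads the Key Usage back out of a
# .crt or .pfx. Assumptions: openssl on PATH, host name ftp.example.test,
# PFX password "changeit" (all placeholders).
set -eu

# write_cnf FILE KEYUSAGE: OpenSSL config with the extensions spelled out;
# KEYUSAGE is substituted into the keyUsage line of [ v3_server ].
write_cnf() {
  cat > "$1" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server

[ dn ]
CN = ftp.example.test

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, $2
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ftp.example.test
EOF
}

# make_cert DIR NAME KEYUSAGE: private key, self-signed cert and PFX in DIR.
make_cert() {
  dir="$1"; name="$2"; ku="$3"
  write_cnf "$dir/$name.cnf" "$ku"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  # IIS imports PKCS#12; a self-signed leaf needs no -chain/-CAfile
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -out "$dir/$name.pfx" -passout pass:changeit
}

# key_usage FILE: print the Key Usage bits of a PEM cert or of a PFX
# (for example one exported from the IIS certificate store), as openssl names them.
key_usage() {
  case "$1" in
    *.pfx|*.p12) pem=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass:changeit 2>/dev/null) ;;
    *)           pem=$(cat "$1") ;;
  esac
  printf '%s\n' "$pem" | openssl x509 -noout -text \
    | grep -A1 'X509v3 Key Usage' | tail -n1 | sed 's/^ *//'
}

# has_digital_signature FILE: succeed only if the digitalSignature bit is set,
# the bit lextm says the IIS Manager self-signed certificate is missing.
has_digital_signature() {
  key_usage "$1" | grep -q 'Digital Signature'
}

# demo: one compliant cert and one carrying only encipherment bits.
demo() {
  d=$(mktemp -d)
  make_cert "$d" ftps "digitalSignature, keyEncipherment"
  make_cert "$d" noDS "keyEncipherment, dataEncipherment"
  for f in "$d/ftps.crt" "$d/ftps.pfx" "$d/noDS.crt"; do
    if has_digital_signature "$f"; then verdict=OK; else verdict="lacks digitalSignature"; fi
    printf '%-10s %-38s %s\n' "${f##*/}" "$(key_usage "$f")" "$verdict"
  done
  rm -rf "$d"
}

demo
```

Run key_usage against the .pfx you actually imported into IIS, not only the .crt you generated, so you are checking the certificate that gets bound under the site's FTP SSL Settings. For the PowerShell route, on Windows 10 / Server 2016 and later New-SelfSignedCertificate accepts -KeyUsage DigitalSignature,KeyEncipherment, which sets the same bits without involving OpenSSL; the exported cert.pfx can then be checked with the same function.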
Jul 17, 2019 02:44 PM|tahaboooo|LINK