FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

8 replies

Last post Jul 17, 2019 02:44 PM by tahaboooo

  • FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Jan 16, 2017 09:01 AM|topogigio|LINK

    Hi,

    I'm using FTPS to protect access to IIS FTP services, with self-signed certificates. Starting from version 3.24, FileZilla reports that "Key usage violation in certificate has been detected." because there is some restriction on the certificate key usage parameters. It seems that the IIS certificate is not fully RFC 5280 4.2.1.3 compliant.

    Any idea how to create a compliant certificate on IIS?

    thanks

  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Jan 16, 2017 12:02 PM|lextm|LINK

    How did you create this certificate? Tools such as OpenSSL can help you create almost all kinds of certificates for testing purposes,

    https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs 

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Jan 16, 2017 12:13 PM|topogigio|LINK

    I created it using the integrated IIS feature, creating a self-signed (or a domain, I don't remember)...

  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Jan 17, 2017 05:47 AM|lextm|LINK

    If you do create a self-signed certificate via IIS Manager, then it lacks the "Digital Signature" key usage.

    Try to use other tools and they should allow you to specify which key usages are required.

    Lex Li
  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Feb 01, 2017 04:40 PM|edochang|LINK

    Have a similar issue to the original author of this post.  I exported the generated keystore and certificate from IIS v8.5 and used its private key to generate a self-signed certificate with openssl.  The "digitalSignature" key usage flag was added to it.  Still getting the same error from the GnuTLS component...

    Error:	GnuTLS error -48: Key usage violation in certificate has been detected.
    Error:	Could not connect to server

    Generated the self-signed certificate with the following commands...

    openssl req -key "key.openssl" -new -x509 -days 365 -out "test.crt"

    With the following openssl.cnf

    x509_extensions = v3_ca # The extensions to add to the self signed cert

    [ v3_ca ]
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
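
An added example, not part of the posts above: it builds one self-signed certificate without `digitalSignature` and one with it, passing the extension section explicitly via `-config`, then reads the Key Usage back out of each file to confirm what was actually written. The host name, file names and both usage sets are constructed for illustration.

```shell
#!/bin/sh
# Added example; the host name, file names and both usage sets are constructed.

# make_cert <keyUsage list> <prefix>: self-signed RSA cert with that keyUsage.
make_cert() {
    cat > "$2.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ftps

[ dn ]
CN = ftp.example.test

[ v3_ftps ]
keyUsage         = critical, $1
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ftp.example.test
EOF
    # -config is explicit so the extension section above is the one applied.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$2.cnf" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# key_usage <cert>: print the decoded Key Usage values (empty if absent).
key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# has_digital_signature <cert>: succeed only if digitalSignature is asserted,
# the bit a client needs when the server key signs the (EC)DHE key exchange.
has_digital_signature() {
    key_usage "$1" | grep -q 'Digital Signature'
}

workdir=$(mktemp -d) && cd "$workdir" || exit 1
make_cert 'keyEncipherment, dataEncipherment' weak   # lacks digitalSignature
make_cert 'digitalSignature, keyEncipherment' good
for c in weak good; do
    if has_digital_signature "$c.crt"; then
        verdict='ok'
    else
        verdict='missing digitalSignature'
    fi
    printf '%s.crt: %s -> %s\n' "$c" "$(key_usage "$c.crt")" "$verdict"
done
```

The `key_usage` check works on any PEM-encoded certificate, so it can be run on a certificate before it is bound to the FTP site.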

  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Feb 23, 2017 07:29 PM|arn0|LINK

    I had the problem - and a couple of posts here - and then below helped me fix it (based first on ideas I saw above). 

    I had installed in the past openssl-Win32.  Assuming it is installed, I opened an Administrator Cmd line window - to be certain I could do the mapping (I think mapping is an admin function - but why take a chance - just do it).  Also - out of habit/convenience I mapped RANDFILE to my c:\tmp (not c:\demo)

    https://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/

    Retrospectively - the C:\tmp mapping *might* have been a mistake - I received the following error: unable to write random state.

    To me it had no discernible effects, and I ignored the error altogether (it's not a terribly secure site - just for private on the road stuff) - went through the ENTIRE commands - as he spelled them out.  I just want the error gone and be able to use filezilla on this portable FTP server...  To you- it might be capital.

    His portion of his tutorial on OpenSSL ends on the command pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt

    I needed the following (using all the same file names...):  pkcs12 -export -out ia.pfx -inkey ia.key -in ia.crt -chain -CAfile ca.crt

    PFX is the type of file you can import in IIS.

    Consideration on OpenSSL configuration:  I use the good juice above :-)

    ####################################################################
    [ req ]
    default_bits        = 2048
    default_keyfile     = privkey.pem
    distinguished_name    = req_distinguished_name
    attributes        = req_attributes
    x509_extensions    = v3_ca    # I made good use of this - and made a note in my config file. The extensions to add to the self signed cert
    # based on FEB 2017 https://forums.iis.net/t/1234970.aspx?FTPS+filezilla+3+24+Key+usage+violation+in+certificate+has+been+detected+

    # Passwords for private keys if not present they will be prompted for
    input_password = something
    output_password = something

    Beside that I also filled out the Country code / State / Company / my email.  The obvious stuff (again, I do this once every 10th blue moon).

    Pay attention where the tutorial tells you to change the company name - I followed this - and was able to import the certificate from IIS (in the FTP root).  And now I can use the latest FileZilla build, it shows my certificate signed by the above process  (ah ah).

    Hope it helps some.  Cheers,

    A.

  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Feb 24, 2017 08:26 AM|topogigio|LINK

    I solved it by creating certificates via PowerShell, not IIS Manager. No OpenSSL required, Win can create well done certificates, but IIS Manager has bad parameters when calling the API (I think), so certificates are not "perfect".

  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Feb 24, 2017 03:13 PM|arn0|LINK

    @topogigio - thanks - it works - a lot simpler but not as cute as openSSL imo b/c you don't get "your" authority - by doing what follows.  To repeat/paraphrase http://windowsitpro.com/blog/creating-self-signed-certificates-powershell Start powershell:

    New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ftp.orwhatever.yourorg.com
    # you get a fingerprint: 40CHARLONGFINGERPRINT0000001123234AAAAAA
    $yourpwd = ConvertTo-SecureString -String "pick type yr pwd here" -Force -AsPlainText
    # Copy the fingerprint you got in the first output - then paste it as you issue the following:
    Export-PfxCertificate -cert cert:\localMachine\my\40CHARLONGFINGERPRINT0000001123234AAAAAA -FilePath c:\temp\cert.pfx -Password $yourpwd
  • Re: FTPS filezilla 3.24 "Key usage violation in certificate has been detected."

    Jul 17, 2019 02:44 PM|tahaboooo|LINK

    Same issue