0 votes
7.7k views
in Java FTP by
Hello, I'm currently evaluating the edtFTPj/PRO client for my company.

I'm trying to contact another company's (test) FTPS server.
They have a certificate signed by an intermediate VeriSign certificate.

I have the VeriSign intermediate and root certificate in my server.pem (in PEM format).

When I try to connect I get a
com.enterprisedt.net.puretls.SSLThrewAlertException: Bad certificate
at com.enterprisedt.net.puretls.SSLConn.alert(SSLConn.java:200)
at com.enterprisedt.net.puretls.SSLHandshake.recvCertificate(SSLHandshake.java:290)
.............
exception.

I found a thread by leont85 with the same problem here:
http://www.enterprisedt.com/forums/view ... 70ee7c5cde

The solution here was to put the server certificate in his server.pem instead of the root (and in my case intermediate).

But the API says:
The server's certificate is matched against the certificates in the root certificate file, which is loaded using the loadRootCertificates(String) method. Some server certificates are issued by Certificate Authorities (CAs). In such cases, it is sufficient for the CA's certificate to be in the root certificate file. If a non-CA certificate is used then the server certificate itself must be in the root certificate file.

Do I need to add the server certificate to my server.pem, or should I put in the root and intermediate certificate?

3 Answers

0 votes
by
Hi

Yes, you can load the CA certificate, rather than the server certificate, as the root certificate. The latest version of edtFTPj/PRO should throw an SSLFTPCertificateException when it fails to validate a server certificate. This exception has methods for printing the certificates that the server presented (both the CA certificate and the server certificate). They should each look something like this:
-----BEGIN CERTIFICATE-----
MIID5jCCA0+gAwIBAgICAR8wDQYJKoZIhvcNAQEFBQAwgaQxCzAJBgNVBAYTAkFV
Sw4bDHjt9TR6Ye2kew5QuCzqqMuI4tLBjjPSHd5x6lG4fr38e9btsBtLvWeNgOI/
...
FbzwTC16lb60KEUnotHnd/HdjSyFh2jHnHxm9dDCZLxGRjqYs4nCB51g
-----END CERTIFICATE-----


To inspect this certificate, copy it into a file and use an application such as OpenSSL to decode its contents. If you're using OpenSSL, use the following command:
> openssl x509 -text < mycert.pem


This will often give you clues about why the certificate isn't being validated. For example, a couple of weeks ago another user found that the server administrator had sent him an old 512-bit certificate, and that the server was now using a newer 2048-bit certificate.

Finally, as a trial user you are entitled to e-mail based support, so you may contact support by e-mail if you require further assistance. There has literally never been a support issue that we have not been able to solve, so I am confident we can get you up and running too.

- Hans (EDT)
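As an added example (not from the original post or from EnterpriseDT), the following script builds a constructed root/intermediate/server certificate chain with OpenSSL, then checks which contents of a root-certificate file such as server.pem let the server certificate verify, and reads the key size from the decoded certificate as the answer suggests. It assumes `openssl` is on the PATH; all names are placeholders, and the chain rules shown are OpenSSL's own, not edtFTPj's matching logic.

```shell
#!/bin/sh
# Added example (not from the original post or EnterpriseDT). Builds a throwaway
# root -> intermediate -> server chain (constructed test PKI, placeholder names)
# and checks which contents of a root-certificate file such as server.pem let the
# server certificate verify, using OpenSSL's chain rules, not edtFTPj's own matching.
set -e
work="$(mktemp -d)"; cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ftps.example.test\n' > srv.ext

# Root CA (self-signed), intermediate (signed by root), server cert (signed by
# intermediate). Keys are unencrypted because this PKI is disposable.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Test Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Test Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=ftps.example.test" 2>/dev/null
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile srv.ext -out srv.pem 2>/dev/null

# Candidate root-certificate files, as a user might assemble server.pem.
cp root.pem root-only.pem; cp int.pem int-only.pem
cat root.pem int.pem > root-and-int.pem

# Does the certificate the server presents chain to the given bundle?
# Echoes "ok" or "fail".
validates() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Key size read from the decoded certificate (the 512-bit vs 2048-bit clue).
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

for bundle in root-only.pem int-only.pem root-and-int.pem; do
  echo "$bundle: $(validates "$bundle" srv.pem)"
done
echo "server key: $(key_bits srv.pem) bits"
openssl x509 -in srv.pem -noout -issuer -subject -dates
```

Only the bundle holding both the root and the intermediate verifies the server certificate; the issuer and validity lines are what to compare against the certificate the server actually presented.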
0 votes
by
Thanks for your quick reply!

I upgraded to the new version and it suddenly worked. Bit strange, but it's OK now.
0 votes
by
Yes, I forgot to mention that the latest version does contain some SSL/TLS fixes as well, which apparently were crucial in your case.

- Hans (EDT)
