Answered

Confusion in creating client certificates

Hi, help is required while creating client certificates.

 

I am trying to test the client certificate in CrushFTP. I am able to do remote login for sftp and ftp. I wanted to restrict the remote login from clients by creating SSL certificates. I followed the below link to do this:

http://www.crushftp.com/crush7wiki/Wiki.jsp?page=Client%20certificate


But I couldn't make it out.


1. Where to persist the host-key?

2. Which key (myuser.p12 or myuser.pem, as mentioned in that link) has to be used at the end-user side?

Can anyone please provide me the details to do the same?




Best Answer

myuser.p12 is what most web browsers or FTPES clients will want.


This has nothing to do with SFTP.  SFTP and FTPES have nothing in common between them.


So clients that do FTPES client cert based connections are going to ask for the p12 keystore file.


--Ben




1 person likes this
Thanks Ben for quick response.
1. Do I need to add the generated private key anywhere in the CrushFTP server?
2. In which directory do I need to create the key-store with this command:
keytool -import -alias crushftp_ca -keystore crush.keystore_trust -trustcacerts -file ca.pem -storepass password
???
3. And after generating the myuser.p12 file, I would like to use WinSCP as a client to connect to the server. But WinSCP supports only .ppk files. So would changing the .p12 to .ppk format help??

Help me to get out of this!!




 

Moreover, do I need to make any key changes in the ./ssh_host_rsa_key part? That's what I meant in the 1st point of the above comment. :-)



 

No changes there because that is SFTP and has nothing to do with FTPES or client cert auth.  There is no reason you would need to change anything on the SFTP port...pretty much ever.  So if you think you need to, you're probably wrong. :)


1 person likes this
Cool, that helps. :-) How about these:

In which directory do I need to create the key-store with this command:
keytool -import -alias crushftp_ca -keystore crush.keystore_trust -trustcacerts -file ca.pem -storepass password
???
3. And after generating the myuser.p12 file, I would like to use WinSCP as a client to connect to the server. But WinSCP supports only .ppk files. So would changing the .p12 to .ppk format help??

 

Almost everything you have said indicates you want SFTP key auth.  I don't think you want anything to do with client cert auth.  Forget all of that.  It's so rare that anyone actually uses SSL client cert auth.


There is absolutely nothing at all in common with SFTP and FTPES.  If you see "SSL" or "TLS", then that has nothing to do with SSH or SFTP.  You have just confused yourself that someone wanted to do client key auth, and so you started looking into SSL client key auth.  It's the wrong area.  It's not related.  Very few clients can do client cert auth.  But 100% of SFTP clients do public key auth.


So make your SSH key file using PuttyGen or something.  Then use that private key in your SFTP client.  Copy the public key to the crush server somewhere.  Then use the user manager, username, quick filter, ssh, browse and choose the public key for that user and save.  Now you can login to that user using your private key file.


--Ben




1 person likes this
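An added example, not from this thread and not code from CrushFTP or WinSCP: a small Python check an administrator can run on the file a client sends before trusting it as that user's SSH public key. It parses the OpenSSH one-line format, verifies that the type prefix matches the type encoded inside the blob, computes the SHA256 fingerprint in the same format `ssh-keygen -l` prints (so it can be confirmed with the client out of band), and rejects the two files that are easy to mix up in this thread: a PuTTY .ppk, which is the private key and stays on the client, and PEM/X.509 material, which belongs to TLS (FTPES) client certs rather than SSH. The sample key line and the two rejected samples are constructed here with placeholder key bytes; the function names are mine.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_strings(blob: bytes) -> list:
    """Decode a blob made of consecutive SSH strings; fail on truncation."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[off:off + n])
        off += n
    return fields


# Constructed sample: a syntactically valid OpenSSH public-key line whose
# 32 key bytes are a placeholder (0..31), not real key material.
_PLACEHOLDER_KEY = bytes(range(32))
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(_PLACEHOLDER_KEY)).decode()
    + " alice@workstation"
)
# Constructed samples of files that get pasted into the "public key" slot by mistake.
SAMPLE_PPK = "PuTTY-User-Key-File-2: ssh-ed25519\nEncryption: none\n"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"


def parse_openssh_pubkey(text: str) -> dict:
    """Parse one '<type> <base64> [comment]' line; raise ValueError otherwise."""
    stripped = text.strip()
    if stripped.startswith("PuTTY-User-Key-File"):
        raise ValueError("PuTTY .ppk private key: keep it in the client, never upload it")
    if stripped.startswith("-----BEGIN"):
        raise ValueError("PEM/X.509 material belongs to TLS (FTPES) client certs, not SSH")
    parts = stripped.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"key body is not valid base64: {exc}") from None
    fields = _read_ssh_strings(blob)
    # The first wire string is the key type; it must equal the text prefix.
    if not fields or fields[0] != key_type.encode():
        raise ValueError("type prefix does not match the encoded key blob")
    return {"type": key_type, "blob": blob, "fields": fields, "comment": comment}


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint in the format `ssh-keygen -l` prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def classify(text: str) -> str:
    """Label a pasted file: 'openssh-public-key', or the reason it is unusable."""
    try:
        parse_openssh_pubkey(text)
        return "openssh-public-key"
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    key = parse_openssh_pubkey(SAMPLE_PUBKEY_LINE)
    print(key["type"], fingerprint_sha256(key["blob"]), key["comment"])
    for sample in (SAMPLE_PPK, SAMPLE_PEM):
        print(classify(sample))
```

Run it against the file the client actually sent (read the file and pass its text to `classify`); a result other than `openssh-public-key` means the wrong artifact was sent, and a fingerprint that the client cannot confirm from their own `ssh-keygen -l` output means the key should not be saved for that user.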
Okay. Thanks for your patience.

Let me put it this way: I want to set up a CrushFTP server that restricts clients if they don't have an SSL certificate. I don't want any unknown clients to connect to my server unless I issue the certs to them. Am I still confused?

 

That means you should remove your SFTP port, and don't try and use WinSCP, or most other clients.  Only a few clients can do client cert auth over SSL with FTPES.  Only those clients will work, and 99% of people won't have a clue how to connect.


Are you sure you want to do that?


I think you really do want SFTP.  SFTP has no such concept that you're referring to.  You can trust users if they give you a key, but there is no concept of signing a key of theirs and giving it back to them before they can connect to you.


And unless your clients are comfortable using openssl to make their own private keys and sending you a cert to sign...you doing it for them defeats the whole point of security to begin with...


--Ben


1 person likes this
Hi Ben. That's clear now. Earlier, I got confused between FTPS and SFTP.

Just to clarify on the SFTP side, I generated a public and private key using PuTTYgen, copied the public key into the CrushFTP server as shown in the figure below, and am using the private-key.ppk file for remote login. Is that okay for using SFTP with SSH keys? If yes, the client is still having a problem accessing the CrushFTP server. Thanks in advance :-)



 

The client used the username "admin" (very bad idea), and they used the private key in their client (how did you configure the client to use the private key?)


And you named the public key generically like that?  public-key


What does the crush log show for the attempted login?


Crush 7.5?

1. I supplied the .ppk file to WinSCP in advanced-->ssh-->authentication and then uploaded the .ppk file.
2. Yes, I named the public key like that only. Do I need to use the .pub extension?
3. Yes, I am using Crush 7.5. Moreover, I tried with another user as well instead of the admin user.
The logs say the following:
ACCEPT|04/20/2016 09:49:01.292|Connection Error
ACCEPT|04/20/2016 09:49:01.292|There is now 1 active connection
ACCEPT|04/20/2016 09:49:18.832|[HTTP:2_36490:lookup:8080] Accepting connection from: 0.0.0.0:36490
POST|04/20/2016 09:49:18.872|[HTTP:2_36490:admin:0.0.0.0] WROTE: *HTTP/1.1 200 OK*
ACCEPT|04/20/2016 09:49:31.509|[SFTP:lookup:2222][25] Accepting connection from: 192.168.1.124:54631
ACCEPT|04/20/2016 09:49:31.509|:127.0.0.1
ACCEPT|04/20/2016 09:49:31.510|:127.0.0.1
ACCEPT|04/20/2016 09:49:31.510|There are now 2 active connections
ACCEPT|04/20/2016 09:49:31.510|:127.0.0.1
ACCEPT|04/20/2016 09:49:31.511|There are now 3 active connections
ACCEPT|04/20/2016 09:49:31.511|:127.0.0.1
SSH_SERVER|04/20/2016 09:49:31.512|SSHD-TRANSFER-1
SSH_SERVER|04/20/2016 09:49:31.512|java.io.IOException: Failed to negotiate a transport component
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.sshd.TransportProtocol.B:-1
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.sshd.TransportProtocol.B:-1
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.sshd.TransportProtocol.A:-1
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.sshd.TransportProtocol.B:-1
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.sshd.TransportProtocol.onSocketRead:-1
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.nio.SocketConnection.processReadEvent:-1
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.nio.Daemon$_C.processSelectionKey:-1
SSH_SERVER|04/20/2016 09:49:31.512|com.maverick.nio.SelectorThread.run:-1
ACCEPT|04/20/2016 09:49:31.513|Connection Error


 

Re-update CrushFTP 7.5 again to get a newer build. I think you have an older build of 7.5 with library issues.  You aren't even getting to authentication issues.

I will do that. Thank you so much :-)