"Warning: The server's certificate is not known." when connecting to a valid server (5.9.2)

Advertisement

FictionFaction
Joined:
Posts:
2
Location:
::1

"Warning: The server's certificate is not known." when connecting to a valid server (5.9.2)

Steps:
  1. Create root CA, intermediate CA and host certificate (use CA/Browser Forum Baseline Requirements as guidance, when in doubt). Host certificate CN and SAN entries should match hostname of FTP server.
  2. Import root CA to client machine trusted certificates store (using certlm.msc, for example).
  3. Configure FTP server with enforced TLS (let's say pure-ftpd with TLS=3).
  4. Configure certificate chain on FTP server: host private, host public, intermediate CA, optionally root CA at end (root CA generally shouldn't be sent, as client should have it in own trusted CA store).
  5. Try to connect to this FTP server using WinSCP and following settings FTP, explicit TLS.
Outcome: "Warning: The server's certificate is not known." popup message. See attached log file for details.
Expected outcome: X.509 certificate chain successfully validated, connection established. It should work as in HTTPS server using same chain and web browser as client.
  • debian.dev.log (5.58 KB, Private file)
Description: Log file for step 5.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,506
Location:
Prague, Czechia

Re: "Warning: The server's certificate is not known." when connecting to a valid server (5.9.2)

The error 80092012 stands for "The revocation function was unable to check revocation for the certificate".
So the certificate is correctly recognized, but it's revocation check function is possibly misconfigured.

Reply with quote

FictionFaction
Joined:
Posts:
2
Location:
::1

@martin: certificates used in the test had no OCSP and CRL defined – which is usually conscious decision of CA owner (for example using short-living certificates issued by ACME-compatible infrastructure) and it's different situation than inaccessible revocation status information.

Web browsers don't complain in situations like that and in my opinion it shouldn't result in "Unknown certificate" warning. Certificate is OK, chain can be validated, revocation status is not expected to be checked. And if that was certificate with OCSP/CRL end-points defined, it should rather be something like "Can't check revocation status" warning instead of "Unknown certificate".

Reply with quote

martin
Site Admin
martin avatar

Re: "Warning: The server's certificate is not known." when connecting to a valid server (5.9.2)

Is the server publicly available (for testing)?

Reply with quote

Advertisement

You can post new topics in this forum