Trouble Debugging FTPS Connection -- error:0906D06C:PEM routines:PEM_read_bio:no start line

Advertisement

scott.franklin
Joined:
Posts:
2
Location:
Vermont

Trouble Debugging FTPS Connection -- error:0906D06C:PEM routines:PEM_read_bio:no start line

Hello, I come to this forum in my darkest hour in search of assistance. Full disclosure: I've never used FTPS; all previous clients are happy to share via SFTP. This client is not.
They have provided me with necessary server details, username/password (they require dual authentication with cert first, then username/password) and both SSL cert and server cert. These certs are provided as .cer's and contain only the cert/public key within them, with the format "----BEGIN CERTIFICATE----....<cert-info>.....----END CERTIFICATE----"

It's my understanding that this format is actually the .pem format (which is required by WinSCP) so renaming and using their provided SSL cert should work fine.

However, when supply either certificate in the "Client Certificate File" returns the error, "error:0906D06C:PEM routines:PEM_read_bio:no start line". I have tried changing format to UTF-8, UTF-8 BOM, and ANSI but the error persists.

What am I missing? Did my client provide bad certs perhaps? Thank you for all your help and excuse my ignorance on this subject. Most information out there boils down to "just use SFTP!" which isn't helpful.

Reply with quote

Advertisement

scott.franklin
Joined:
Posts:
2
Location:
Vermont

Update

Quick update on this situation: it's now my understanding that this client certificate must contain my private key.

but where does WinSCP pull their public key from to encrypt data sent to them? windows cert registry?

regards,

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
29,070
Location:
Prague, Czechia

Re: Update

scott.franklin wrote:

Quick update on this situation: it's now my understanding that this client certificate must contain my private key.
Yes for sure. A file that contains only "BEGIN CERTIFICATE..." is not enough.

but where does WinSCP pull their public key from to encrypt data sent to them? windows cert registry?
It's retrieved directly from the server. You do not have to have it upfront. Of course, only as long as their certificate is signed by a trusted authority. If that's not the case, you have to import the certificate to Windows certificate store. Otherwise WinSCP will show you a warning about an untrusted certificate and you can choose to confirm that you trust it nevertheless.

Reply with quote

Advertisement

You can post new topics in this forum