Unable to create cert.
magic_
08-29-2007, 02:16 AM
Hey,
I am using ioFTPD version 6.2.1 and have a fresh install. No scripts are installed at the moment.
At the moment, when I execute my bat file in FlashFXP, the hourglass appears until the client times out. This is what FlashFXP shows:
[R] site exec kebabfabriken.bat
[R] Connection lost: kebabfabriken
I do not get any errors in logs.
My SSL section in ioftpd.ini looks like this:
# Encryption - See "Permissions" section below for syntax. The default
# allows anyone to connect to the server.
#
# To force everyone (a good idea!) to use secure connections except for
# the default ioFTPD account which is configured to only allow connections
# from the same machine as the server use
# Require_Encrypted_Auth = !-ioFTPD *
# Require_Encrypted_Data = !-ioFTPD *
#
Require_Encrypted_Auth = !*
Require_Encrypted_Data = !*
#
# >>>>>>>>>>>> SSL CHANGE THIS <<<<<<<<<<<<<<
#
# After you have created your certificate, change this to the name you used
# which should be your dynamic DNS name, your fixed external IP address, or
# if you have neither of those a made up descriptive name for you server.
# Since all locally generated certificates will report as being unverified
# you might as well get rid of clients also complaining your cert name doesn't
# match your DNS name or IP address.
;Certificate_Name = ioFTPD
Explicit_Encryption = True
# limit encryption to a particular type: SSL2, SSL3, TLS
# leave this undefined to support any of them
;Encryption_Protocol = SSL3
# Don't set min higher than 128 or non-Vista FTP clients not built with openSSL
# won't be able to connect...
#Min_Cipher_Strength = 128
#Max_Cipher_Strength = 256
# IDNT command handler
Get_External_Ident = True
# Traffic Balancing
;Data_Devices =
;Random_Devices = True
I have created a .bat file that contains this:
makecert.exe -r -n "CN=kebabfabriken"-eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sk kebabfabriken -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
I put makecert.exe, certmgr.exe and kebabfabriken.bat in a folder that I access when using FlashFXP, and I have chmod'ed that folder to 777. I am using the ioFTPD account, so I should have maximum permission. ioFTPD is installed as a service and uses the Local System account option to log on. Is this incorrect?
Does anyone know what I am doing wrong?
Zer0Racer
08-29-2007, 03:20 AM
I would run that in a regular command prompt. Though it seems you're missing the cert's filename in the bat-file. Add, i.e., ioFTPD.cer after -sy 12. And you might have to put a space between the CN part and "-eku".
Then it should generate a file called ioFTPD.cer that you have to install/import (double-click). You also have to change some things in your ioFTPD.ini, i.e., removing a couple of # and ; so that those options are active.
### Encryption ###
Require_Encrypted_Auth = !*
Require_Encrypted_Data = !*
Certificate_Name = kebabfabriken
Explicit_Encryption = True
;Encryption_Protocol = TLS
Min_Cipher_Strength = 128
Max_Cipher_Strength = 256
/ZR
magic_
08-29-2007, 04:17 AM
Hey ZR, thx for the tips.
I missed the space between "CN=kebabfabriken" -eku.
I tried to execute the bat file in the command prompt, and a window pops up saying that makecert.exe is not a valid 32-bit application, and the prompt says failed.
I got my hands on another makecert.exe file and now I get this:
makecert.exe -r -n "CN=kebabfabriken" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sk kebabfabriken -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 kebabfabriken.cer
Error: Can't create the key of the subject ('kebabfabriken')
Failed
I haven't made the changes you suggested to the ioftpd.ini file yet; if I understood you correctly, that should be done after the cert is created and imported?
Btw, should I use sha1 or md5? What is recommended? I heard sha1 for security, md5 for performance?
Zer0Racer
08-29-2007, 06:23 AM
The way I do it is using a bat-file called rsa_keygen.bat, and it looks like this:
@echo off
echo This batch will generate an SChannel compatible RSA 1024bits key for your ioFTPD
echo -----
set temphost=
set /P temphost=Please enter your server's hostname (example: xxx.dyndns.org):
echo Please Wait ... generating new certificate
echo -----
REM -r = self-signed, -eku 1.3.6.1.5.5.7.3.1 = server authentication,
REM -ss my -sr CurrentUser = personal store of the current user, ioftpd.cer = exported cert
makecert.exe -r -n CN=%temphost% -b 01/01/2005 -e 01/01/2015 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ioftpd.cer
echo -----
pause
The version of makecert.exe is 5.131.1863.1 and when I try the exact command you're using it works. Which Windows version are you using? Maybe there is a special makecert version for it or something.
/ZR
EDIT: After some research I found that there is a special version of makecert for Windows Vista and if you try to run it on WinXP SP2 it says it's not a valid 32-bit application. (http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=340297&SiteID=1) They suggest downloading the codesigningX86.exe from cryptguard.com (http://www.cryptguard.com/documentation_resources_tools.shtml) since it's no longer available from microsoft.com. Direct link: https://www.cryptguard.com/files/codesigningx86.exe
Hope it helps.
magic_
08-29-2007, 07:41 AM
ZR,
I made an exact copy of the contents of your rsa_keygen.bat file. I also checked my makecert.exe version and it seems to be identical to the one you have, i.e. 5.131.1863.1.
Here is the output of your .bat file:
C:\Documents and Settings\magic\Desktop>rsa_keygen.bat
This batch will generate an SChannel compatible RSA 1024bits key for your ioFTPD
-----
Please enter your server's hostname (example: xxx.dyndns.org):kebabfabriken.xxxxx.xxx
Please Wait ... generating new certificate
-----
Error: Can't create the key of the subject ('JoeSoft')
Failed
-----
Press any key to continue . . .
I can't seem to figure out where JoeSoft comes from?
I use a special version of WinXP Pro SP2. It's pretty stripped down (using nLite) to use very little memory and other resources. Maybe that could be the cause too, that something (a service etc.) is needed to create certificates? Any ideas of what makecert.exe is dependent on, if that is the case?
I tried creating a certificate on my laptop, which worked without any problem using my .bat file, not your rsa_keygen.bat file. What's weird is that I use the same stripped down version of Windows XP Pro SP2 on my laptop. Is it possible to copy it over to my other PC? Wild shot, but I assume you can't do that. hmm :(
This is the line that worked for me on my laptop:
makecert.exe -r -n "CN=kebabfabriken" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sk kebabfabriken -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 kebabfabriken.cer
Ideas? :/
Double check via certmgr that you don't already have a certificate installed with the name you're trying to use...
I'm guessing the stripped down XP you're using is the real problem here now. Try comparing your laptop services to the stripped version for things related to crypto...
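The makecert steps from rsa_keygen.bat together with the "check certmgr first" advice above, redone as an added PowerShell example (not from this thread, and not ioFTPD's own tooling). It assumes a Windows with the PKI module (New-SelfSignedCertificate, Windows 8.1 / Server 2012 R2 or later) and that the default CNG key storage provider, which SChannel accepts, stands in for the CAPI provider named in the bat file.

```powershell
# Added example, not from the thread. Assumes the PKI module (New-SelfSignedCertificate);
# the output file name ioftpd.cer matches ZR's bat file.
param(
    [string]$HostName = (Read-Host "Server hostname (example: xxx.dyndns.org)"),
    [string]$OutFile  = "ioftpd.cer"
)
$store = "Cert:\CurrentUser\My"   # same store as makecert's "-ss my -sr CurrentUser"

# Yil's check first: if a certificate with this CN is already in the personal store,
# report it instead of creating a second one with the same subject.
$existing = Get-ChildItem $store | Where-Object { $_.Subject -eq "CN=$HostName" }
if ($existing) {
    Write-Warning "A certificate with CN=$HostName already exists in $store"
    $existing | Format-Table Thumbprint, NotBefore, NotAfter -AutoSize
    return
}

# Equivalent of the makecert line in rsa_keygen.bat:
#   -r                      -> self-signed (New-SelfSignedCertificate without -Signer)
#   -eku 1.3.6.1.5.5.7.3.1  -> serverAuth EKU via the 2.5.29.37 extension text
#   -b / -e dates           -> NotBefore / NotAfter
#   -a sha1                 -> SHA256; SHA-1 and MD5 signatures are rejected by current clients
#   -sp "...SChannel..."    -> omitted; the default CNG key storage provider is used (assumption)
$cert = New-SelfSignedCertificate `
    -Subject "CN=$HostName" `
    -CertStoreLocation $store `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotBefore (Get-Date) `
    -NotAfter (Get-Date).AddYears(3)

# The private key never leaves the store; only the public certificate is written out,
# as DER, which is what the .cer produced by makecert was.
if (-not $cert.HasPrivateKey) { throw "Certificate was created without a private key" }
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

"Created {0} (thumbprint {1}); set Certificate_Name = {2} in ioFTPD.ini" -f `
    $cert.Subject, $cert.Thumbprint, $HostName
```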
Zer0Racer
08-29-2007, 02:50 PM
I'm also using an nLite-modded install of WinXP Pro SP2. No problem here.
/ZR
magic_
08-30-2007, 12:22 AM
Yil,
I started certmgr.exe and found that no certificate, with any of the names I have tried, was installed. I also looked on my laptop and saw that there was a certificate named kebabfabriken, hence confirming that the creation had succeeded on that machine. Both machines have the Cryptographic Services service installed and running. I found, however, that this service has very little impact on the creation of the certificate. I could still create a certificate on my laptop if this service was stopped. I could not, however, execute certmgr.exe and view certificates when this service was stopped.
I will do a more thorough comparison of services later today, but for now, that is the only one I have found that has some "crypto" affiliation.
I am running out of ideas. Usually I would just re-install Windows; since my XP install is pretty fresh and it's running on a 2.0GHz Opteron, 2GB RAM, 4TB system, it wouldn't take that long to do. However, it's not in my physical presence, it's more like ~300km away, so I'm using Remote Desktop to connect to it every time I need to make changes. Could the fact that I'm connecting remotely have anything to do with it? As you see, my guesses are becoming pretty desperate, I'm running out of ideas :(
I don't know if this will help, but I thought I would give it a try. The following contains info about the version of XP that I'm using. I am aware that this kind of info is not very welcome in this forum, so feel free to modify my post if I violate any rule, sorry :/
This CD was made using nLite:
*********What is Remaining?*********
Applications:
Calculator
Defragmenter
Drivers:
Asynchronous Transfer Mode (ATM)
Battery
Bluetooth Support
Brother Devices
Display Adapters
Display Adapters (old)
Ethernet (LAN)
Firewire (1394) Support
IBM Thinkpad
InfraRed
ISDN
MultiFunctional
Multi-port serial adapters
PCMCIA
Ports (COM & LPT)
SCSI/RAID
Sound Controllers
Toshiba DVD decoder card
Windows Image Acquisition (WIA)
Internet Utilities:
ATM Support
Client for Netware Networks
Internet Explorer
Internet Explorer Core
MAC Bridge
NetShell Cmd-Tool
Network Monitor Driver and Tools
NWLink IPX/SPX/NetBIOS Protocol
Outlook Express
Tcp/Ip Version 6
Operating System Options:
16-bit support
Administrator VB scripts
Application compatibility patch
Command-Line tools
Disk Cleanup
Extra Fonts
Floppy Support
Jet Database Engine
MDAC
Out of Box Experience (OOBE)
Printer Support
Web View
Services:
Application Layer Gateway
Background Intelligent Transfer
COM+
DHCP Client
Distributed Transaction Coordinator (DTC)
DNS Client
Event Log
Internet Authentication (IAS)
Logical Disk Manager
Management Instrumentation (WMI)
Message Queuing (MSMQ)
Network DDE
Performance Logs and Alerts
QoS RSVP
Quality of Service (QoS)
Service Advertising Protocol
Shell Services
SNMP
System Event Notification (SENS)
System Monitor
TCP/IP NetBIOS Helper
Terminal Services
Universal Plug and Play
Volume Shadow Copy
Windows Firewall/Internet Connection Sharing (ICS)
Windows Time
Wireless Zero Configuration
*Note:
Windows File protection is disabled. You can now delete that stupid Xerox folder inside your Program Files!
The Start Bar was tweaked for speed, too.
I was nice to remove the Alexa spyware for you. Alexa is spyware that Windows XP ships out with. How nice of them. Alexa tracks your browsing habits. I thought spyware only came with crappy games and programs? Guess I was wrong.
Index Service is gone.
Prefetch folder in C:\Windows is gone.
************************************************
Just to give you an idea about what was removed:
Themes (Classic Theme is only available)
Wallpaper
Windows Media Player
Windows Movie Maker
Animated Character for Search
Windows XP Tour
Screensavers
Games
Language Pack
Help
System Restore
Windows Update
If you don't see it in the long list, above - then it was probably ripped.
All help is appreciated
magic_
10-02-2007, 02:45 AM
Hello,
I just wanted to post an update on this thread.
Even though I wasn't able to create a certificate and solve the problem the way I initially wanted to, I just did a simple OS reinstall, which solved the problem completely. I am now able to create certificates without any problems.
Thx to ZR and Yil for all the help.
//magic