MIDRANGE dot COM Mailing List Archive




Re: Secure FTP failure -23 Certificate is not signed by a trusted certificate authority.




A trust list is like saying "use only these CAs instead of every one in
the *SYSTEM store".

No big deal either way, they just need to be used correctly. There may be
good reason to use a trust list, but probably few and far between.

It also seems similar to creating your own certificate store, assigning
your application to that certificate store, and only storing CAs used by
that application in that store (except that if it's empty it doesn't
automatically go back to use the *SYSTEM store).

Brad
www.bvstools.com


On Mon, Jan 20, 2014 at 2:52 PM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx> wrote:

The problem was the Client FTP Trust list.
On R&D we were not using a Client FTP Trust list, R&D was working.
On Production, there was a cert from another application in the FTP Client
Trust list, so because I didn't add the FD certs to the list, it
didn't work.

I made it work 2 different ways.
1) Unchecked our cert from the client FTP trust list, it worked.
2) Added FD 6_VeriSignIntermediateCAs.cer to the client FTP trust list, it
worked.

I have not finalized my plan, but probably going to not use a trust list.

IBM recommends NOT to use a trust list.
Here's the note from IBM on trust list.

" When the SSL FTP client application ID is configured not to use a trust
list, then root CA that issued the remote server cert must be in the
*System store.
When configured to use a trust list, but there are no CAs in the trust
list, then it will behave as if configured not to use a trust list.
When configured to use a populated trust list, all the CAs in the
certification path must be in the *System store and in the trust list."

What is everyone else doing, trust list or no trust list?

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Sunday, January 19, 2014 9:16 AM
To: Midrange Systems Technical Discussion
Subject: Re: Secure FTP failure -23 Certificate is not signed by a trusted certificate authority.

A self-signed cert and a CA are two different animals.

A self-signed cert is a cert, but the CA is you.


On Fri, Jan 17, 2014 at 9:09 PM, Chris Bipes <chris.bipes@xxxxxxxxxxxxxxx> wrote:

You need to capture their CA cert and import it into DCM on your
iSeries

Sent from my iPhone

On Jan 17, 2014, at 6:42 PM, "Ed Carp" <ecarp@xxxxxxxxxxx> wrote:

On 01/17/2014 12:31 PM, Bradley Stone wrote:

You don't have the proper Certification Authorities (CAs) installed on the
machine that you are using to connect to the secure server.

I show a couple CAs in the certificate path that should be imported.
If you think they are there, try importing them one at a time again
starting from the top level CA, down the levels to the last one.

I have some instructions that will help retrieve the CAs and import them in
the SSL documentation at http://docs.bvstools.com

This will also happen if someone uses a self-signed certificate. Is
there a way to ignore this warning, and use a self-signed cert?


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

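The three rules in the IBM note quoted in the thread, written out as a small Python model and run against the R&D and Production situations described there. This is an added example, not code from the thread, IBM or DCM; the function name, the CA labels and the store contents are constructed for illustration, and -23 is the return code from the subject line.

```python
# Added example: a model of the quoted IBM trust-list rules, not DCM itself.
# CA labels and store contents below are constructed sample data.

OK = 0
CERT_NOT_TRUSTED = -23  # return code from the thread's subject line


def check_server_chain(chain_cas, system_store, use_trust_list, trust_list):
    """chain_cas: CA labels in the server's certification path, root first.

    Returns (code, missing), where missing is a list of (ca, location)
    pairs naming what would have to be added for the check to pass.
    """
    missing = []
    if not use_trust_list or not trust_list:
        # No trust list, or an empty one: the issuing root must be in *SYSTEM.
        root = chain_cas[0]
        if root not in system_store:
            missing.append((root, "*SYSTEM"))
    else:
        # Populated trust list: every CA in the path must be in both places.
        for ca in chain_cas:
            if ca not in system_store:
                missing.append((ca, "*SYSTEM"))
            if ca not in trust_list:
                missing.append((ca, "trust list"))
    return (CERT_NOT_TRUSTED if missing else OK), missing


def scenarios():
    """Replay the configurations discussed in the thread on sample data."""
    chain = ["FD_ROOT_CA", "FD_INTERMEDIATE_CA"]      # constructed labels
    store = {"FD_ROOT_CA", "FD_INTERMEDIATE_CA", "OTHER_APP_CA"}
    return {
        "rd_no_trust_list": check_server_chain(chain, store, False, set()),
        "prod_other_app_only": check_server_chain(chain, store, True, {"OTHER_APP_CA"}),
        "fix1_list_emptied": check_server_chain(chain, store, True, set()),
        "fix2_cas_added": check_server_chain(chain, store, True, {"OTHER_APP_CA", *chain}),
    }


if __name__ == "__main__":
    for name, (code, missing) in scenarios().items():
        print(f"{name:22} code={code:4} missing={missing}")
```

The Production case shows why a single unrelated entry in the trust list is enough to cause -23: once the list is populated, having the CAs in *SYSTEM no longer suffices.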








This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact