Like other connection problems, including ordinary FTP connection problems, client certificate problems can be broken down by asking "how far did the client get?" The following guide gives a quick overview of the client certificate troubleshooting process. Also make sure you are familiar with the CA and credential requirements every client must meet to connect and authenticate successfully with a client cert.
Client cert-related connection issues are generally the result of one of three problems: failure to establish a TCP connection, failure to establish an SSL session, or failure to authenticate. Each failure can only occur once the previous step has succeeded, so all client cert troubleshooting should check these three in this order. For FTP connections, TCP connectivity is covered in the regular FTP/SSL Troubleshooting guide; the other two issues are covered here.
Frequently Asked Questions
Q: I checked the "require certs" option on my user profile, but MOVEit DMZ is ignoring the client cert.
A: You also need to configure the Client Cert ports option on the FTP Ports tab of the MOVEit DMZ Config utility. Your FTP client will also need to connect to one of the two client cert ports rather than one of the two non-cert ports before client cert authentication will succeed; on a non-cert port the server does not ask for a certificate during the SSL handshake, so there is nothing for it to authenticate.
Q: What's the best way to migrate my users to client certificates?
A: Turn on the Client Cert ports option on the FTP Ports tab of the MOVEit DMZ Config utility (and open the matching firewall ports) now. As each of your clients migrates to FTP client certificate authentication, instruct them to switch their connection parameters from a non-cert port to a client cert port. Clients that have not migrated yet keep working on the non-cert ports in the meantime.
Q: I generated a client certificate, but when I try to connect it doesn't show up in the client certificate holding tank.
A: A certificate only reaches the holding tank after the SSL session has been established, and one of two things needs to occur before MOVEit DMZ will allow the client to establish an SSL session using that client certificate. The self-generated client certificate either needs to be signed by a CA whose certificate is already in MOVEit DMZ's Microsoft Trusted Root Certificate Store, or the self-generated client certificate itself needs to be imported into MOVEit DMZ's Microsoft Trusted Root Certificate Store. Instructions for either operation are available on the Client Certs - Importing and Creating page.
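The trust decision behind this answer (and the "did the SSL session get established" stage of the overview above) can be reproduced offline with OpenSSL. The script below is an added example written for this page; it is not MOVEit DMZ code and does not touch the Microsoft store. It assumes openssl (1.1.1 or later) is on PATH and that a temporary directory is writable, and it uses a PEM bundle as a stand-in for the Trusted Root Certificate Store. The CA name, the user names alice and bob, and all file names are assumptions; every certificate is throwaway material generated by the script itself.

```shell
#!/bin/sh
# Added example, not MOVEit DMZ code: reproduce offline, with OpenSSL, the trust
# decision a server makes when a client certificate is offered during the SSL
# handshake. A PEM bundle stands in for the Microsoft Trusted Root Certificate
# Store. Assumes openssl 1.1.1+ on PATH. All certificates are constructed here.

WORK="${WORK:-$(mktemp -d)}"

# Build a demo CA, a client cert signed by that CA ("alice"), and a
# self-signed client cert ("bob") that chains to nothing in the store.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$WORK/alice.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/alice.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=bob" \
        -keyout "$WORK/bob.key" -out "$WORK/bob.crt" >/dev/null 2>&1 || return 1
}

# new_store STORE: start an empty stand-in trust store.
new_store() { : > "$1"; }

# add_to_store STORE CERT: "import" CERT into the stand-in trust store.
add_to_store() { cat "$2" >> "$1"; }

# cert_trusted_by STORE CERT: exit 0 if CERT chains to something in STORE.
# This is the precondition for the SSL session to be established at all;
# a cert that fails here never reaches the holding tank or authentication.
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# probe_ssl_session HOST:PORT CERT KEY: the live form of the same check,
# run against a client-cert FTP port. Not invoked here (needs a server).
probe_ssl_session() {
    openssl s_client -connect "$1" -starttls ftp -cert "$2" -key "$3" </dev/null
}

make_demo_certs || { echo "could not build demo certificates" >&2; exit 1; }
new_store "$WORK/store.pem"
add_to_store "$WORK/store.pem" "$WORK/ca.crt"      # remedy 1: CA is trusted

for who in alice bob; do
    if cert_trusted_by "$WORK/store.pem" "$WORK/$who.crt"; then
        echo "$who: trusted, SSL session can proceed"
    else
        echo "$who: rejected, SSL session fails before the holding tank"
    fi
done

# remedy 2: import the self-signed client cert itself into the store
add_to_store "$WORK/store.pem" "$WORK/bob.crt"
cert_trusted_by "$WORK/store.pem" "$WORK/bob.crt" && echo "bob: trusted after import"
```

Run stand-alone, alice is accepted and bob is rejected until bob's own certificate is added to the store, which mirrors the two remedies in the answer. Against a real server, `probe_ssl_session dmz.example.org:990 alice.crt alice.key` (host and port are placeholders) shows whether the handshake completes with a given cert before you go looking at authentication.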
Q: I accepted a client certificate CN as a valid credential for a particular user, but that user still gets a "certificate not registered" error when they try to connect.
A: The client certificate's CA has probably not been assigned as a trusted CA within the organization. Check whether the client certificate's CA is still sitting in the Client Cert CA Holding Tank rather than in the organization's list of trusted CAs.
Additional Help
For additional help, you may want to consult the Knowledge Base on our support site at http://ipswitchft.force.com/kb/knowledgeProduct?c=MOVEit_DMZ.