Like other connection problems, such as with FTP connections, client certificate problems can be broken down by analyzing how much the client was able to do before problems arose. The following guide provides a quick overview of the client certificate troubleshooting process. Also make sure you familiarize yourself with the CA and credential requirements all clients need to meet to successfully connect and authenticate with a client cert.
Client cert-related connection issues are generally the result of one of three problems: failure to establish a TCP connection, failure to establish an SSL session, and failure to authenticate. When troubleshooting client cert problems, explore these factors in the order given. For FTP connections, TCP connectivity is covered in the regular FTP/SSL Troubleshooting guide; the other two issues are covered here.
Frequently Asked Questions
Q: I checked the "require certs" on my user profile but MOVEit Transfer is ignoring the client cert.
A: You also must configure the Client Cert ports option on the FTP Ports tab of the MOVEit Transfer Config utility. Your FTP client also must connect to one of the two client cert ports rather than one of the two non-cert ports before client cert authentication will succeed.
Q: What's the best way to migrate my users to client certificates?
A: Turn on the Client Cert ports option on the FTP Ports tab of the MOVEit Transfer Config utility (and open the matching firewall ports) now. As each of your clients migrate to FTP client certificate authentication, instruct them to switch their connection parameters from a non-cert port to a client cert port.
Q: I generated a client certificate but when I try to connect it doesn't show up in the client certificate holding tank.
A: One of two things needs to occur before MOVEit Transfer will allow the client to establish an SSL connection using that client certificate. The self-generated client certificates either needs to be signed by a CA whose certificate is already in the Microsoft Trusted Root Certificate Store of MOVEit Transfer, or the self-generated client certificate itself needs to be imported into the Microsoft Trusted Root Certificate Store of MOVEit Transfer. Instructions to perform either operation are available from the Client Certs - Importing and Creating page.
Q: I accepted a client certificate CN as a valid credential for a particular user, but that user still gets a "certificate not registered" error when he tried to connect.
A: The client certificate's CA has probably not been assigned as a trusted CA within the organization. Check to see if the client certificate's CA is in the Client Cert CA Holding Tank
Additional Help
For additional help, consult the Knowledge Base on the Ipswitch support site.