SSL - Client Certs - Troubleshooting

Like other connection problems, such as with FTP connections, client certificate problems can be broken down by analyzing how much the client was able to do before problems arose. The following guide provides a quick overview of the client certificate troubleshooting process. Also make sure you familiarize yourself with the CA and credential requirements all clients need to meet to successfully connect and authenticate with a client cert.

Client cert-related connection issues are generally the result of one of three problems: failure to establish a TCP connection, failure to establish an SSL session, and failure to authenticate. When troubleshooting client cert problems, explore these factors in the order given. For FTP connections, TCP connectivity is covered in the regular FTP/SSL Troubleshooting guide; the other two issues are covered here.

Problem: Cannot Connect
- Make sure firewall and other basic connectivity issues do not apply
- Is the client configured to use a client certificate?
- Is the client OK with the MOVEit Transfer server certificate?
- Is the CA of the client certificate installed in the Microsoft Trusted Root Certificate Store of MOVEit Transfer? (If not, is the client certificate itself installed here?)
Problem: Cannot Authenticate
- If you cannot connect, you don't need to worry about authentication issues yet.
- Check the user profile.
  - Is a client certificate required? (If not, this is a password problem.)
  - If a password is required when a client certificate is required, did the client provide one?
  - If the org-level option to match cert CNs to usernames/realnames is enabled and the client certificate CN matches the username/realname of this user, is the CA of the client cert in the org-level list of Trusted CAs?
  - Otherwise, are there any entries in the user's client cert holding tank? (If so, accept the appropriate entry.)
  - Is the CN of the client cert listed as an accepted cert in the user profile? (If so, make sure the CA of the client cert is in the org-level list of Trusted CAs.)
- Pull a user report for the user. Examine the log entries for additional clues.

Frequently Asked Questions

Q: I checked the "require certs" on my user profile but MOVEit Transfer is ignoring the client cert.
A: You also must configure the Client Cert ports option on the FTP Ports tab of the MOVEit Transfer Config utility. Your FTP client also must connect to one of the two client cert ports rather than one of the two non-cert ports before client cert authentication will succeed.

Q: What's the best way to migrate my users to client certificates?
A: Turn on the Client Cert ports option on the FTP Ports tab of the MOVEit Transfer Config utility (and open the matching firewall ports) now. As each of your clients migrate to FTP client certificate authentication, instruct them to switch their connection parameters from a non-cert port to a client cert port.

Q: I generated a client certificate but when I try to connect it doesn't show up in the client certificate holding tank.
A: One of two things needs to occur before MOVEit Transfer will allow the client to establish an SSL connection using that client certificate. The self-generated client certificates either needs to be signed by a CA whose certificate is already in the Microsoft Trusted Root Certificate Store of MOVEit Transfer, or the self-generated client certificate itself needs to be imported into the Microsoft Trusted Root Certificate Store of MOVEit Transfer. Instructions to perform either operation are available from the Client Certs - Importing and Creating page.

Q: I accepted a client certificate CN as a valid credential for a particular user, but that user still gets a "certificate not registered" error when he tried to connect.
A: The client certificate's CA has probably not been assigned as a trusted CA within the organization. Check to see if the client certificate's CA is in the Client Cert CA Holding Tank

Additional Help

For additional help, consult the Knowledge Base on the Ipswitch support site.