HOWTO: Configure FileZilla Server to use SSL/TLS with a wilcard SSL certificate

Every so often, we have the need to securely transfer large files between very remote systems, and the simplest way to do this is via FTP with the FileZilla client.  Of course the FTP protocol by itself isn’t secure, but if you enable FTPES, it generally is.  FTPES however requires a SSL certificate, and while you could allow the FileZilla server to generate it’s own self signed certificate, we like to use our existing wildcard SSL certificate which requires a few extra steps, as detailed below.

  1. Download the current version of FileZilla Server.
  2. Perform a Standard install accepting all defaults.
  3. Copy the domain’s wildcard certificate in PEM format (i.e. wildcard.jbgeek.net.pem) and the wildcard’s key file (i.e. wildcard.jbgeek.net.key) to “C:\Program Files (x86)\FileZilla Server”.      (see HOWTO: Generate and self-sign Wildcard SSL certs in Ubuntu if you need to convert your existing PFX wildcard certificate to PEM format).
  4. Open Settings in the FileZilla Server management interface and navigate to SSL/TLS settings.
  5. Select “Enable FTP of SSL/TLS support”.
  6. Browse and select the key file you copied above for the Private Key file.
  7. Browse and select the PEM file you copied above for the Certificate file.
  8. Select “Force PROT P to encrypt file transfers in SSL/TLS mode”.
  9. Adjust any other options as required (i.e. password protecting the management interface until “Admin Interface Settings” or enabling MODE Z support under File Transfer compression).
  10. Select Users from the Edit drop down menu and create your users and access rights as required.
  11. Stop and restart the FileZilla Server service.
  12. Open the FileZilla FTP Client, and connect to via FTPES to the FQDN of the FileZilla Server  (i.e. ftpes://myftpesserver.jbgeek.net, along with the username and password combination you just created).
  13. If you configured SSL/TLS correctly using the above steps, the FileZilla FTP Client should prompt you if you wish to trust this certificate – select “Always trust certificate for future sessions” and click ok.

Keep in mind you may need to adjust the ports on your firewalls to allow connectivity, which is outside the scope of this post.

As always – Use any tips, tricks, or scripts I post at your own risk.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s