26 Apr 2011

IIS 7.0 - FTP Publishing Service – Part 3: Securing an FTP site

Configure a secure FTP site using a commercial SSL certificate

Below I will describe how to secure an existing FTP site using an SSL certificate. The certificate issued and used below is created on an internal Certificate Authority made for testing purposes only, but the certificate enrollment process on the server is the same as when ordering a certificate from a third-party certificate provider such as Verisign or Godaddy. It is also possible to create a self-signed certificate directly from within IIS; this process is described later in the article.

Make sure you have the FTP site running and that you are able to log in to the FTP site. The FTP site used as an example in this article is ftp.example.com, as illustrated below.

  1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Services (IIS) Manager
  2. In IIS Manager select the FTP server and choose Server Certificates:


Figure A: Server Certificates

  3. In the actions pane, choose Create Certificate Request:


Figure B: Server Certificates - Actions

  4. In the dialog window that pops up, fill out the required information for the certificate and click Next:


Figure C: Self-signed Certificate - Name

  5. Choose the default cryptographic service provider and click Next:


Figure D: Cryptographic Service Provider

  6. Save the request to a file and click Finish:


Figure E: Save Certificate request

The certificate request has now been created and is pending in IIS. The request is now ready to be sent off to a commercial third-party certificate provider (e.g. Verisign, Godaddy etc.).

Import Certificate request

When the response to the certificate request comes back from the certificate provider, it needs to be imported into IIS before it can be used.

  1. In IIS Manager click the FTP server and choose Server Certificates:


Figure F: IIS Manager – Server Certificates

  2. Choose Complete Certificate Request…:


Figure G: Server Certificates – Complete Certificate Request

  3. Select the certificate response file that came back from the certificate provider, enter the common name of the site and click OK:


Figure H: Complete Certificate Request

  4. The certificate is now displayed in the IIS Manager and ready for use:


Figure I: Server Certificates

Enable the commercial certificate on the FTP site

Once imported, the SSL certificate can be enabled and applied to an FTP site. Go to the FTP site to which you want to apply the certificate.

  1. In IIS Manager select the FTP site and click FTP SSL Settings:


Figure J: FTP site – FTP SSL Settings

  2. Select the certificate and the SSL policy (Allow SSL or Require SSL) and click Apply:


Figure K: FTP SSL Settings

  3. The SSL certificate has now been applied to the FTP site:


Figure L: FTP SSL Settings

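With the Require SSL policy selected, the FTP site is now secured and only accepts FTPS connections, so an FTP client that supports FTPS is needed. If the policy is set to Allow SSL instead, clients can still connect without encryption.

Configure a secure FTP site using a self-signed SSL certificate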

As described previously, it is also possible to generate a self-signed SSL certificate directly from within the Internet Information Services (IIS) Manager. This process is quicker than requesting a commercial certificate. Self-signed certificates are well suited to testing FTP sites or possibly internal use, but are not recommended for production use.

  1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Services (IIS) Manager
  2. In IIS Manager click the FTP server and choose Server Certificates:


Figure M: Server Certificates

  3. In the actions pane, choose Create Self-Signed Certificate:


Figure N: Server Certificates - Actions

  4. In the dialog window that pops up, give the certificate a friendly name and click OK:


Figure O: Self-signed Certificate - Name

  5. The certificate is now generated and ready for use:


Figure P: Server Certificates – Generated certificates

The next step is to apply and enable this new certificate on an existing FTP site.

  1. Select the FTP site (in this example: ftp.example.com) and click on FTP SSL Settings:


Figure Q: FTP site – FTP SSL Settings

  2. Choose the certificate, select the settings needed (Require SSL Connections) and click Apply:


Figure R: FTP site – FTP SSL Settings

The FTP site is now ready to be used and all traffic will be encrypted. An FTP client that supports FTPS is now required to connect to the new FTP site.

Connecting to an FTP site

Use an FTP client that supports FTPS to connect to the FTP site and test the connectivity. In the example below FileZilla is used. It is important to configure the server settings in FileZilla to connect using FTPS; in FileZilla the setting is "FTPES - FTP over explicit TLS/SSL".


Figure S: FileZilla – FTPS Settings

The first time you log on to an FTP site running with a self-signed certificate, the FTP client (FileZilla) will prompt you and report that the root of the certificate is not known. Compare the fingerprint shown in the prompt with the certificate installed on the server before accepting it. If you want to trust it and import it, click OK.

The FTP site is now ready to be used in a secure manner.
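To confirm from the client side that the Require SSL policy is actually enforced and that the self-signed certificate is the one you generated, the following added example (not part of the original article) scripts both checks with Python's ftplib. The helper names and the idea of a pinned SHA-256 fingerprint obtained out of band from the server administrator are assumptions of this example.

```python
import ftplib
import hashlib
import ssl


def normalize_fp(fp):
    """Drop colons, spaces and case so copied fingerprints compare equal."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def fingerprint_matches(der_cert, pinned_sha256):
    """True if SHA-256 of the DER certificate equals the pinned value."""
    return hashlib.sha256(der_cert).hexdigest() == normalize_fp(pinned_sha256)


def plaintext_login_refused(reply):
    """A 5xx reply to USER sent before AUTH TLS means cleartext logins are rejected."""
    return reply.startswith("5")


def check_ftps(host, pinned_sha256, port=21, timeout=10):
    """Hypothetical helper: probe policy enforcement and the certificate pin."""
    # 1. Cleartext control channel: send USER without negotiating TLS first.
    plain = ftplib.FTP()
    plain.connect(host, port, timeout=timeout)
    try:
        reply = plain.sendcmd("USER anonymous")
    except ftplib.error_perm as exc:
        reply = str(exc)  # ftplib raises on 5xx; keep the reply text
    finally:
        plain.close()

    # 2. Explicit FTPS (AUTH TLS). A self-signed certificate has no trusted
    #    root, so chain validation is off and trust rests on the pin alone.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ftplib.FTP_TLS(context=ctx)
    tls.connect(host, port, timeout=timeout)
    try:
        tls.auth()
        der = tls.sock.getpeercert(binary_form=True)
    finally:
        tls.close()

    return {"plaintext_refused": plaintext_login_refused(reply),
            "pin_ok": fingerprint_matches(der, pinned_sha256)}
```

Call `check_ftps("ftp.example.com", "<pinned SHA-256 fingerprint>")`; both values in the result should be True for a site configured with Require SSL and the expected certificate.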

Summary
