Configure FTPS on an FTP server (Windows Server)
environment
- Windows Server
-
- Windows Server 2019
Currently, in Windows Server 2008 and later, other versions of Windows Server have much the same setup.
- Others
-
- SSL certificate
precondition
- IIS is set up
- You have already built an FTP site
About SSL certificates
Ftps can be used to encrypt FTP communications. In order to prove that "the communicating party is correct" and "only the correct communicating party can decrypt" in encrypted communication An SSL certificate is required.
Ssl certificates must be reliably trusted. Typically, you must purchase or obtain an SSL certificate from a service that distributes it. Ssl certificates are basically operated only on the Internet. (There is also a response for intranet)
However, if you use an SSL certificate for testing purposes, you can't buy a paid SSL certificate. This section uses self-certificates that IIS can generate for testing purposes. Encryption is not reliable, but encrypted communication can be performed by using a self-certificate.
Create a self-certificate
Start IIS Manager.
Select the server from the left tree, and then double-click the server certificate to open it.
From the menu on the right, click "Create a self-signed certificate...".
Enter a friendly name. Enter anything that is fine, but what kind of certificate is easy to understand.
A certificate is created. The expiration date is one year.
Set up certificates on FTP sites
Click the FTP site to double-click the FTP SSL settings to open it.
Select the certificate you just created because you can select it.
Ftp and FTPPS can be used together, but if you only want FTPS, check that an SSL connection is required.
When you change it, click Apply menu on the right.
Test connectivity from clients
If SSL is required, the Windows standard FTP command cannot connect.
Let's connect using the tool "WinSCP".
Try connecting with FTP here as well.
Enable encryption and connect as shown in the following figure.
You will get a warning in the following figure when connecting. This is a certificate that you created as a self-certificate, so it is an unso trusted certificate. I want to connect for the time being, so I select "Yes" and allow it.
You have confirmed that you can connect. In the lower right corner, you'll see a key icon to indicate that it's encrypted.
About using legitimate SSL certificates
You can import it from the server certificate screen that is in the description of the self-certificate. This is a similar procedure not only for FTP sites, but also for Web sites.
By the way, in IIS, the certificate is a .pfx file.csr if you have .key file, you need to convert it.