Keys and Certificates
This chapter covers SSH key authentication for SFTP and SSL/TLS certificates for secure connections. Both are crucial for protecting your file transfers and enabling secure authentication.
Overview
Essential security setup includes:
- SSH keys - Secure, password-free authentication for SFTP
- SSL/TLS certificates - Encrypted connections for FTPS and HTTPS
- Basic security configuration - Enable secure protocols and disable weak ones
- Testing security - Verify secure connections work correctly
Part 1: SSH Key Authentication
SSH keys provide secure, password-free authentication for SFTP connections.
Quick SSH Key Setup
Step 1: Generate SSH Keys
On the client machine (where users will connect from):
# Generate modern Ed25519 key (recommended)
ssh-keygen -t ed25519 -f ~/.ssh/completeftp_key -C "user@hostname"
# Or generate RSA key (widely compatible)
ssh-keygen -t rsa -b 2048 -f ~/.ssh/completeftp_key -C "user@hostname"
Note: Press Enter when prompted for a passphrase (empty for no passphrase), or enter a passphrase for added security.
Step 2: Add Public Key to User Account
# Add the public key to the user's account
completeftp user key add alice "$(cat ~/.ssh/completeftp_key.pub)"
# Or copy the key content and add it directly
completeftp user key add alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... alice@workstation"
Step 3: Test SSH Key Authentication
# Test connection with private key
sftp -i ~/.ssh/completeftp_key alice@localhost
# Test connection without -i (works once the key is loaded with ssh-add or set as IdentityFile in ~/.ssh/config)
sftp alice@localhost
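Before a public key is handed to completeftp user key add (Steps 1 to 3 above), it is worth checking that the line really is the key type it claims to be and meets your minimum size. The script below is an added example, not part of CompleteFTP; it parses the OpenSSH "type base64 [comment]" line format, decodes the SSH wire-format blob (length-prefixed strings: the type name, then the key material), and rejects mismatched types, malformed blobs, unsupported algorithms and RSA keys below an assumed 2048-bit minimum. The sample keys are constructed in the script rather than taken from a real user; the constructed Ed25519 line begins with the same AAAAC3NzaC1lZDI1NTE5AAAAI prefix shown in Step 2, because that prefix is just the encoded type name.

```python
import base64
import struct

# Assumed local policy for keys added with `completeftp user key add` (not CompleteFTP's own rule)
ALLOWED_TYPES = ("ssh-ed25519", "ssh-rsa")
MIN_RSA_BITS = 2048


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the data."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one SSH wire-format string at offset; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated string field")
    return blob[offset:offset + length], offset + length


def inspect_public_key(line):
    """Parse '<type> <base64> [comment]' and return {'type', 'bits', 'comment'}.

    Raises ValueError for anything that should not be added to an account.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 data> [comment]'")
    key_type, encoded = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type {key_type!r} is not permitted")
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from exc
    # The blob repeats the key type; a mismatch means a mangled or edited line.
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the encoded blob")
    if key_type == "ssh-ed25519":
        point, offset = _read_string(blob, offset)
        if len(point) != 32:
            raise ValueError(f"Ed25519 public key must be 32 bytes, got {len(point)}")
        bits = 256
    else:
        _exponent, offset = _read_string(blob, offset)
        modulus, offset = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is {bits} bits; at least {MIN_RSA_BITS} required")
    if offset != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    return {"type": key_type, "bits": bits, "comment": comment}


def check_before_add(line):
    """Return (True, summary) if the key passes policy, otherwise (False, reason)."""
    try:
        info = inspect_public_key(line)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{info['type']} {info['bits']}-bit {info['comment']}".strip()


# --- constructed sample keys for demonstration (not real user keys) ---
def build_key_line(key_type, *parts, comment=""):
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(p) for p in parts)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


SAMPLE_ED25519 = build_key_line("ssh-ed25519", bytes(range(32)), comment="alice@workstation")
# Exponent 65537 with a 2048-bit and a 1024-bit modulus (leading 0x00 keeps the mpint positive)
SAMPLE_RSA_2048 = build_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 256)
SAMPLE_RSA_1024 = build_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128)

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA_2048, SAMPLE_RSA_1024, "ecdsa-sha2-nistp256 AAAA..."):
        ok, detail = check_before_add(sample)
        print("ACCEPT" if ok else "REJECT", detail)
```

Run it against the contents of ~/.ssh/completeftp_key.pub before the add step; a REJECT result tells you why the line should not go into the account, and an ACCEPT result summarises the key type and size you are about to trust.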
SSH Key Management
View User SSH Keys
# List all SSH keys for a user
completeftp user key show alice
# View with detailed information
completeftp user key show alice -v
Remove SSH Key
# First, view keys to see the index number
completeftp user key show alice
# Remove key by index (0 is the first key)
completeftp user key remove alice 0
SSH Configuration
Enable SSH Key Authentication
# Enable SSH key authentication for the site
completeftp site set default sshAuthMethods="publickey"
# Or allow both password and key authentication
completeftp site set default sshAuthMethods="password,publickey"
Disable Password Authentication (High Security)
# Only allow SSH key authentication
completeftp site set default sshAuthMethods="publickey"
Note: Make sure you have working SSH keys before disabling password authentication!
Part 2: SSL/TLS Certificate Setup
SSL/TLS certificates are essential for securing FTPS and HTTPS connections.
Quick SSL Setup Options
Option 1: Self-Signed Certificate (Easiest)
Perfect for testing, development, or internal networks:
# Generate a self-signed certificate (valid for 1 year)
completeftp site cert generate default \
$(hostname) \
"My Organization" \
"IT Department" \
"City" \
"State" \
"US" \
$(date +%Y-%m-%d) \
$(date -d "+1 year" +%Y-%m-%d) \
2048
# Enable FTPS and HTTPS
completeftp site set default ftpsEnabled=true
completeftp site set default httpsEnabled=true
Note: Self-signed certificates will show security warnings in browsers and FTP clients. This is normal and expected.
Option 2: Let's Encrypt Certificate (Recommended)
For internet-facing servers with a domain name:
# First, obtain Let's Encrypt certificate using certbot
sudo apt update
sudo apt install certbot
# Get certificate (replace example.com with your domain)
sudo certbot certonly --standalone -d example.com
# Import into CompleteFTP
completeftp site cert import default \
/etc/letsencrypt/live/example.com/fullchain.pem \
"" \
/etc/letsencrypt/live/example.com/privkey.pem
# Enable FTPS and HTTPS
completeftp site set default ftpsEnabled=true
completeftp site set default httpsEnabled=true
Option 3: Import Existing Certificate
If you already have a certificate file (PFX format):
# Import PFX file (with password)
completeftp site cert import default /path/to/certificate.pfx mypassword
# Import PFX file (without password)
completeftp site cert import default /path/to/certificate.pfx ""
# Enable FTPS and HTTPS
completeftp site set default ftpsEnabled=true
completeftp site set default httpsEnabled=true
SSL Certificate Management
View Certificate Information
# Show current certificate details
completeftp site show default sslCertificate
# Show certificate expiration date
completeftp site show default sslCertificate.validTo
# Show certificate common name
completeftp site show default sslCertificate.commonName
Certificate Renewal
For Let's Encrypt certificates, set up automatic renewal:
# Create renewal script (Let's Encrypt stores files under the domain you gave certbot, not the machine hostname)
sudo tee /etc/cron.daily/completeftp-cert-renewal << 'EOF'
#!/bin/bash
# Use the same domain that was passed to certbot
DOMAIN="example.com"
certbot renew --quiet --post-hook "completeftp site cert import default /etc/letsencrypt/live/${DOMAIN}/fullchain.pem '' /etc/letsencrypt/live/${DOMAIN}/privkey.pem"
EOF
# Make executable
sudo chmod +x /etc/cron.daily/completeftp-cert-renewal
Part 3: Security Configuration
Enable Strong Security Settings
# Require TLS 1.2 or higher
completeftp site set default minimumSSLVersion="Tls12"
# Require TLS 1.3 only (optional, for high security; clients that cannot negotiate TLS 1.3 will fail to connect)
completeftp site set default minimumSSLVersion="Tls13"
Secure Protocol Configuration
# Enable only secure protocols
completeftp site set default ftpEnabled=false # Disable plain FTP
completeftp site set default ftpsEnabled=true # Enable secure FTPS
completeftp site set default sftpEnabled=true # Enable secure SFTP
completeftp site set default httpsEnabled=true # Enable secure HTTPS
completeftp site set default httpEnabled=false # Disable plain HTTP
Testing Security Setup
Test SFTP with SSH Keys
# Test SSH key authentication
ssh -i ~/.ssh/completeftp_key alice@localhost
# Test SFTP connection
sftp -i ~/.ssh/completeftp_key alice@localhost
Test SSL Connections
Test FTPS
# Test FTPS connection
openssl s_client -connect localhost:21 -starttls ftp
Test HTTPS
# Test HTTPS connection (-k skips certificate verification; drop it once a trusted certificate is installed)
curl -k https://localhost:8443/
# Test with browser
# Navigate to https://localhost:8443/ (accept security warning for self-signed certs)
Verify Security Settings
# Check SSH authentication methods
completeftp site show default sshAuthMethods
# Check SSL/TLS settings
completeftp site show default minimumSSLVersion
# Check enabled protocols
completeftp site show default ftpEnabled ftpsEnabled sftpEnabled httpEnabled httpsEnabled
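The settings shown above (Part 3 and this verification step) amount to a checklist: no plaintext protocols, TLS 1.2 or higher, key-only SSH authentication, and a certificate that is not about to expire. The script below is an added example, not part of CompleteFTP, that runs that checklist over the output of the site show commands. It assumes the output can be read as one name=value (or name: value) line per setting, that sslCertificate.validTo is an ISO date as used elsewhere on this page, and that minimumSSLVersion uses the .NET protocol names (the Tls12 and Tls13 values come from the page; the older names in TLS_ORDER are an assumption). The two sample outputs are constructed.

```python
import datetime

# Assumed ordering of minimumSSLVersion values (.NET SslProtocols names; only Tls12/Tls13 appear on the page)
TLS_ORDER = ("Ssl2", "Ssl3", "Tls", "Tls11", "Tls12", "Tls13")
REQUIRED_MIN_TLS = "Tls12"
CERT_WARN_DAYS = 30

# Constructed sample of what `completeftp site show default ...` might report for a
# half-hardened site; the name=value layout is an assumption about the output format.
SAMPLE_WEAK = """\
ftpEnabled=true
ftpsEnabled=true
sftpEnabled=true
httpEnabled=false
httpsEnabled=true
minimumSSLVersion=Tls11
sshAuthMethods=password,publickey
sslCertificate.validTo=2025-01-15
"""

SAMPLE_HARDENED = """\
ftpEnabled=false
ftpsEnabled=true
sftpEnabled=true
httpEnabled=false
httpsEnabled=true
minimumSSLVersion=Tls12
sshAuthMethods=publickey
sslCertificate.validTo=2026-01-01
"""


def parse_settings(text):
    """Turn 'name=value' or 'name: value' lines into a dict; blank and # lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sep = "=" if "=" in line else ":"
        if sep not in line:
            continue
        name, value = line.split(sep, 1)
        settings[name.strip()] = value.strip().strip('"')
    return settings


def audit_settings(settings, today):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []

    def enabled(name):
        return settings.get(name, "").lower() == "true"

    if enabled("ftpEnabled"):
        findings.append("ftpEnabled=true: plain FTP sends credentials and data unencrypted")
    if enabled("httpEnabled"):
        findings.append("httpEnabled=true: plain HTTP is enabled")
    if not any(enabled(n) for n in ("sftpEnabled", "ftpsEnabled", "httpsEnabled")):
        findings.append("no encrypted protocol (SFTP, FTPS, HTTPS) is enabled")

    version = settings.get("minimumSSLVersion", "")
    if version not in TLS_ORDER or TLS_ORDER.index(version) < TLS_ORDER.index(REQUIRED_MIN_TLS):
        findings.append(f"minimumSSLVersion={version or '<unset>'}: require {REQUIRED_MIN_TLS} or higher")

    methods = {m.strip().lower() for m in settings.get("sshAuthMethods", "").split(",")}
    if "password" in methods:
        findings.append("sshAuthMethods includes password: disable it once keys are working")

    valid_to = settings.get("sslCertificate.validTo")
    if valid_to:
        try:
            expiry = datetime.date.fromisoformat(valid_to[:10])  # tolerate a trailing time part
        except ValueError:
            findings.append(f"sslCertificate.validTo={valid_to!r}: unparseable date")
        else:
            days_left = (expiry - today).days
            if days_left < 0:
                findings.append(f"certificate expired {-days_left} day(s) ago")
            elif days_left <= CERT_WARN_DAYS:
                findings.append(f"certificate expires in {days_left} day(s); renew now")
    return findings


def audit_text(text, today_iso):
    """Audit raw `site show` output as of the given ISO date (YYYY-MM-DD)."""
    return audit_settings(parse_settings(text), datetime.date.fromisoformat(today_iso))


if __name__ == "__main__":
    today = datetime.date.today().isoformat()
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        findings = audit_text(sample, today)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To use it on a live site, capture the show output to a file and pass its contents to audit_text with today's date; scheduling it alongside the certificate renewal job turns the one-off verification into a standing check.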
Firewall Configuration
Basic Firewall Rules
# Allow SFTP (SSH)
sudo ufw allow 22/tcp
# Allow FTPS (control connection)
sudo ufw allow 21/tcp
# Allow FTPS passive mode
sudo ufw allow 50000:50100/tcp
# Allow HTTPS
sudo ufw allow 8443/tcp
# Block plain HTTP if not needed (note: certbot --standalone needs port 80 reachable while issuing and renewing certificates)
sudo ufw deny 80/tcp
Common Security Issues and Solutions
SSH Key Authentication Problems
Problem: SSH key authentication fails
Solution:
# Check if key is added to user account
completeftp user key show alice
# Verify SSH key authentication is enabled
completeftp site show default sshAuthMethods
# Check key file permissions (should be 600)
chmod 600 ~/.ssh/completeftp_key
SSL Certificate Problems
Problem: SSL connections fail or show certificate warnings
Solution:
# Check if certificate is loaded
completeftp site show default sslCertificate.commonName
# Verify certificate expiration
completeftp site show default sslCertificate.validTo
# Check if SSL protocols are enabled
completeftp site show default ftpsEnabled httpsEnabled
Connection Refused
Problem: Cannot connect to secure ports
Solution:
# Check if secure protocols are enabled
completeftp site show default sftpEnabled ftpsEnabled httpsEnabled
# Verify firewall allows connections
sudo ufw status
# Check service status
sudo systemctl status completeftp
Security Best Practices
Authentication Security
- Use SSH keys instead of passwords for SFTP
- Use strong passphrases for SSH keys on shared systems
- Disable password authentication once SSH keys are working
- Regularly rotate keys for high-security environments
- Use different keys for different users/purposes
SSL/TLS Security
- Use Let's Encrypt for internet-facing servers
- Use self-signed certificates for internal/testing only
- Set minimum TLS version to TLS 1.2 or higher
- Renew certificates before expiry - set up automatic renewal
- Test connections after certificate changes
General Security
- Disable unused protocols - Only enable FTP protocols you need
- Use non-standard ports - Custom ports reduce noise from automated scanners, but do not replace the controls above
- Enable connection limits - Prevent resource exhaustion attacks
- Monitor logs - Watch for suspicious activity
- Regular security audits - Periodically review settings
Next Steps
Once you have security configured:
- Advanced Security - For complex scenarios, see Advanced Site Configuration
- License Management - Activate your license (see License Management)
- Advanced SSH/SSL - For complex setups, see appendix documentation
Quick Reference
SSH Key Commands
# Generate SSH key
ssh-keygen -t ed25519 -f ~/.ssh/completeftp_key -C "user@hostname"
# Add key to user
completeftp user key add alice "$(cat ~/.ssh/completeftp_key.pub)"
# Test SSH connection
sftp -i ~/.ssh/completeftp_key alice@localhost
# Enable SSH key authentication
completeftp site set default sshAuthMethods="publickey"
SSL Certificate Commands
# Generate self-signed certificate
completeftp site cert generate default $(hostname) "My Org" "IT" "City" "State" "US" $(date +%Y-%m-%d) $(date -d "+1 year" +%Y-%m-%d) 2048
# Import Let's Encrypt certificate
completeftp site cert import default /etc/letsencrypt/live/example.com/fullchain.pem "" /etc/letsencrypt/live/example.com/privkey.pem
# Enable SSL protocols
completeftp site set default ftpsEnabled=true httpsEnabled=true
# Test SSL connection
curl -k https://localhost:8443/
Security Configuration
# Enable only secure protocols
completeftp site set default ftpEnabled=false sftpEnabled=true ftpsEnabled=true httpsEnabled=true
# Require strong TLS
completeftp site set default minimumSSLVersion="Tls12"
# SSH key authentication only
completeftp site set default sshAuthMethods="publickey"
This covers the essential security setup most users need. For advanced security features, custom authentication methods, or complex certificate management, see the advanced documentation.