Advanced SSL/TLS Certificate Management

SSL/TLS certificates are essential for securing FTPS and HTTPS connections in CompleteFTP. The CLI provides comprehensive certificate management capabilities, including importing existing certificates, generating self-signed certificates, and exporting certificates for backup or use elsewhere.

Overview

Certificate management in CompleteFTP involves:

  • Importing certificates - Using existing certificates from files or certificate stores
  • Generating certificates - Creating self-signed certificates for testing or internal use
  • Exporting certificates - Backing up certificates or preparing them for use elsewhere
  • Certificate properties - Viewing certificate details and validation information

Importing, generating and exporting certificates use the completeftp site cert command group; certificate properties are read with completeftp site show.

Viewing Certificate Information

Show Current Certificate

# Display current certificate for the default site
completeftp site show default sslCertificate

# View certificate with interactive viewer
completeftp site show default sslCertificate -v

# Show specific certificate properties
completeftp site show default sslCertificate.commonName sslCertificate.validTo

Certificate properties include:

  • commonName - The certificate's common name (usually the domain)
  • organization - Organization name
  • organizationalUnit - Department or unit
  • locality - City or location
  • state - State or province
  • country - Country code
  • validFrom - Certificate start date
  • validTo - Certificate expiration date
  • serialNumber - Unique certificate identifier
  • thumbprint - Certificate fingerprint
  • keySize - Private key size in bits

Importing Certificates

Import from PFX/PKCS#12 File

PFX files contain both the certificate and private key:

# Import PFX file with password
completeftp site cert import default /path/to/certificate.pfx mypassword

# Import PFX file without password
completeftp site cert import default /path/to/certificate.pfx ""

Import from Separate Certificate and Key Files

When you have separate certificate and private key files:

# Import certificate with separate private key file
completeftp site cert import default /path/to/certificate.crt "" /path/to/private.key

# Import with password-protected private key
completeftp site cert import default /path/to/certificate.crt "" /path/to/private.key keypassword

Common Import Scenarios

# Import Let's Encrypt certificate
completeftp site cert import default /etc/letsencrypt/live/example.com/fullchain.pem "" /etc/letsencrypt/live/example.com/privkey.pem

# Import commercial certificate with intermediate chain (domain.crt holds the server certificate followed by the intermediates)
completeftp site cert import default /path/to/domain.crt "" /path/to/domain.key

# Import certificate from Windows certificate store export
completeftp site cert import default /path/to/exported.pfx storepassword

Generating Self-Signed Certificates

Self-signed certificates are useful for testing, development, or internal networks where a commercial certificate authority isn't required.

Basic Certificate Generation

# Generate a basic self-signed certificate
completeftp site cert generate default \
  example.com \
  "Example Corp" \
  "IT Department" \
  "New York" \
  "New York" \
  "US" \
  2024-01-01 \
  2025-01-01 \
  2048

Parameters in order:

  1. siteName - Site to generate certificate for
  2. cn - Common Name (domain name)
  3. o - Organization
  4. ou - Organizational Unit
  5. l - Locality (city)
  6. st - State/Province
  7. c - Country (2-letter code)
  8. from - Valid from date (yyyy-mm-dd)
  9. to - Valid to date (yyyy-mm-dd)
  10. keySize - Key size in bits (2048 or 4096)

Advanced Certificate Generation

# Generate certificate with 4096-bit key
completeftp site cert generate default \
  secure.example.com \
  "Example Corporation" \
  "Security Department" \
  "San Francisco" \
  "California" \
  "US" \
  2024-01-01 \
  2026-01-01 \
  4096

# Generate certificate for internal use
completeftp site cert generate default \
  internal.company.local \
  "Company Internal" \
  "IT Operations" \
  "Chicago" \
  "Illinois" \
  "US" \
  2024-01-01 \
  2029-01-01 \
  2048

Export Private Key During Generation

# Generate certificate and export private key
completeftp site cert generate default \
  example.com \
  "Example Corp" \
  "IT Department" \
  "New York" \
  "New York" \
  "US" \
  2024-01-01 \
  2025-01-01 \
  2048 \
  --exportPrivateKey=true

Exporting Certificates

Export Certificate Only

# Export certificate without private key (safe for sharing)
completeftp site cert export default

This exports the certificate in a format suitable for:

  • Sharing with clients for certificate validation
  • Installing in client certificate stores
  • Certificate chain verification

Export Certificate with Private Key

# Export certificate including private key (keep secure!)
completeftp site cert export default --exportPrivateKey=true

Warning: Exported private keys must be kept secure. Anyone with access to the private key can impersonate your server.

Certificate Validation and Troubleshooting

Common Certificate Issues

Certificate Expiration

# Check certificate expiration
completeftp site show default sslCertificate.validTo

# Generate new certificate before expiration
completeftp site cert generate default example.com "Example Corp" "IT" "New York" "NY" "US" 2024-01-01 2025-01-01 2048

Common Name Mismatch

# Check current common name
completeftp site show default sslCertificate.commonName

# Generate certificate with correct common name
completeftp site cert generate default correct.example.com "Example Corp" "IT" "New York" "NY" "US" 2024-01-01 2025-01-01 2048

Key Size Issues

# Check current key size
completeftp site show default sslCertificate.keySize

# Generate certificate with stronger key
completeftp site cert generate default example.com "Example Corp" "IT" "New York" "NY" "US" 2024-01-01 2025-01-01 4096

Certificate Chain Validation

For commercial certificates, ensure the complete certificate chain is imported:

# Import certificate with full chain
completeftp site cert import default /path/to/fullchain.pem "" /path/to/privkey.pem

# Verify certificate properties after import
completeftp site show default sslCertificate -v

Certificate Management Workflows

Development Environment Setup

# 1. Generate self-signed certificate for development
completeftp site cert generate default \
  dev.example.com \
  "Example Corp Dev" \
  "Development" \
  "Local" \
  "State" \
  "US" \
  2024-01-01 \
  2025-01-01 \
  2048

# 2. Enable FTPS and HTTPS
completeftp site set default ftpsEnabled=true
completeftp site set default httpsEnabled=true

# 3. Verify certificate is active
completeftp site show default sslCertificate.commonName

Production Certificate Deployment

# 1. Import commercial certificate
completeftp site cert import default /path/to/production.pfx certificatepassword

# 2. Verify certificate details
completeftp site show default sslCertificate

# 3. Test secure connections
# 4. Monitor certificate expiration

Certificate Renewal Process

# 1. Check current certificate expiration
completeftp site show default sslCertificate.validTo

# 2. Obtain new certificate from CA
# 3. Import new certificate
completeftp site cert import default /path/to/renewed.pfx newpassword

# 4. Verify new certificate is active
completeftp site show default sslCertificate.validTo

# 5. Test all secure connections
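The expiration check used above and as step 1 of the renewal process, turned into a script that can run on a schedule (added example, not CompleteFTP's own code; the exact output format of completeftp site show is assumed, so the date is extracted leniently):

```shell
#!/bin/sh
# Added example (not CompleteFTP code): compute days left on a site's certificate
# from its validTo property and classify it as OK / RENEW_SOON / EXPIRED.
# Assumed: `completeftp site show <site> sslCertificate.validTo` prints the date
# as yyyy-mm-dd somewhere on the line; extract_valid_to parses it leniently.

# Days since 1970-01-01 for a yyyy-mm-dd date, in plain POSIX arithmetic
# (no GNU `date -d`, so it also works on BSD/macOS shells).
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                       # "08"/"09" would be read as octal
    y=$(( m <= 2 ? y - 1 : y ))              # year starts in March (Hinnant)
    era=$(( y / 400 )); yoe=$(( y - era * 400 ))
    mp=$(( m > 2 ? m - 3 : m + 9 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Days from $2 (today) until $1 (validTo); negative once expired.
days_until_expiry() {
    echo $(( $(days_from_civil "$1") - $(days_from_civil "$2") ))
}

# EXPIRED when validTo is today or earlier, RENEW_SOON within $3 days, else OK.
cert_status() {
    left=$(days_until_expiry "$1" "$2")
    if [ "$left" -le 0 ]; then echo EXPIRED
    elif [ "$left" -le "$3" ]; then echo RENEW_SOON
    else echo OK
    fi
}

# First yyyy-mm-dd that follows "validTo" in CLI output.
extract_valid_to() {
    printf '%s\n' "$1" |
      sed -n 's/.*validTo[^0-9]*\([0-9]\{4\}-[0-9][0-9]-[0-9][0-9]\).*/\1/p' | head -n 1
}

# Live use: check_site_cert <siteName> [warnDays]; exit status 1 unless OK.
check_site_cert() {
    out=$(completeftp site show "$1" sslCertificate.validTo)
    st=$(cert_status "$(extract_valid_to "$out")" "$(date +%Y-%m-%d)" "${2:-30}")
    echo "$1: $st"; [ "$st" = OK ]
}

# Constructed sample of CLI output (format assumed) so the block runs offline.
SAMPLE_OUTPUT='sslCertificate.validTo: 2025-01-01'
echo "sample: $(cert_status "$(extract_valid_to "$SAMPLE_OUTPUT")" "$(date +%Y-%m-%d)" 30)"
```

Calling check_site_cert default 30 from a daily cron job gives a non-zero exit status as soon as the certificate is within 30 days of validTo, which is the trigger for the renewal steps above.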

Certificate Backup and Recovery

# 1. Export current certificate for backup
completeftp site cert export default --exportPrivateKey=true > certificate-backup.pfx

# 2. Store backup securely
# 3. Document certificate details
completeftp site show default sslCertificate > certificate-info.txt

# 4. For recovery, import from backup
completeftp site cert import default certificate-backup.pfx backuppassword

Security Best Practices

Certificate Security

  1. Use strong key sizes - Minimum 2048 bits, prefer 4096 bits for high-security environments
  2. Regular renewal - Replace certificates before expiration
  3. Secure private keys - Protect private key files with appropriate permissions
  4. Certificate validation - Verify certificate details after import
  5. Backup certificates - Maintain secure backups of certificates and private keys

Common Name Configuration

  1. Match server hostname - Common name should match the server's DNS name
  2. Wildcard certificates - Use *.example.com for multiple subdomains
  3. Subject Alternative Names - Include all relevant hostnames
  4. IP address certificates - Avoid using IP addresses in certificates when possible
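The hostname rules above, as a check that can be run against the loaded certificate's common name (added example, not CompleteFTP's own code; it applies the single-label wildcard rule TLS clients use, and the commonName output format of completeftp site show is assumed in check_site_cn):

```shell
#!/bin/sh
# Added example (not CompleteFTP code): decide whether a hostname is covered by
# a certificate's common name or one of its Subject Alternative Names, using the
# single-label wildcard rule of RFC 6125 (*.example.com covers ftp.example.com
# but neither example.com nor a.b.example.com).

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# 0 when hostname $1 matches certificate name $2 (exact or wildcard match).
name_matches() {
    host=$(lower "$1"); name=$(lower "$2")
    [ "$host" = "$name" ] && return 0
    case "$name" in
        \*.*)
            suffix=${name#\*.}
            case "$host" in
                *."$suffix")
                    prefix=${host%."$suffix"}
                    # exactly one non-empty label may stand in for the '*'
                    case "$prefix" in
                        ''|*.*) return 1 ;;
                        *) return 0 ;;
                    esac ;;
            esac ;;
    esac
    return 1
}

# 0 when $1 is covered by any of the remaining arguments (CN plus SANs).
host_covered() {
    h=$1; shift
    for n in "$@"; do name_matches "$h" "$n" && return 0; done
    return 1
}

# Live use: check_site_cn <siteName> <expectedHostname>. Assumes the CLI prints
# the value after a colon; adjust the sed if your version formats it differently.
check_site_cn() {
    cn=$(completeftp site show "$1" sslCertificate.commonName | sed 's/.*:[[:space:]]*//')
    name_matches "$2" "$cn"
}

# Offline demonstration against a constructed wildcard CN.
for h in ftp.example.com example.com a.b.example.com; do
    if host_covered "$h" '*.example.com'; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```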

Certificate Authority Selection

  1. Trusted CAs - Use well-known certificate authorities for production
  2. Extended validation - Consider EV certificates for high-trust environments
  3. Certificate transparency - Ensure certificates are logged in CT logs
  4. Revocation checking - Implement OCSP or CRL checking

Troubleshooting Certificate Issues

Import Failures

# Check file permissions
ls -la /path/to/certificate.pfx

# Verify file format
file /path/to/certificate.pfx

# Test with empty password
completeftp site cert import default /path/to/certificate.pfx ""

# Check for file corruption
openssl pkcs12 -info -in /path/to/certificate.pfx
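The import-failure checks above, and the separate certificate and key import described earlier, as a pre-flight script that catches a mismatched key, a chain file with no intermediates, or an already expiring certificate before completeftp site cert import is run (added example, not CompleteFTP's own code; it needs the openssl tool already used on this page):

```shell
#!/bin/sh
# Added example (not CompleteFTP code): pre-flight checks for a PEM certificate
# and private key before `completeftp site cert import <site> <cert> "" <key>`.
# Requires openssl on the path.

# 0 when the certificate's public key equals the private key's public key.
# Comparing the exported public keys works for RSA and EC keys alike.
cert_key_match() {   # usage: cert_key_match <cert.pem> <key.pem>
    cpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    kpub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cpub" = "$kpub" ]
}

# Number of certificates in a PEM file. A CA-issued fullchain.pem should hold
# the server certificate plus at least one intermediate, i.e. 2 or more.
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# 0 when the certificate is still valid $2 days (default 30) from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1
}

# Runs every check, prints findings, returns non-zero if anything is wrong.
preflight() {   # usage: preflight <cert.pem> <key.pem> [minDays]
    rc=0; days=${3:-30}
    if cert_key_match "$1" "$2"; then echo "key matches certificate"
    else echo "ERROR: $2 does not belong to $1"; rc=1; fi
    n=$(chain_cert_count "$1")
    if [ "$n" -ge 2 ]; then echo "chain holds $n certificates"
    else echo "WARNING: only $n certificate in $1 (no intermediates included)"; fi
    if cert_valid_for_days "$1" "$days"; then echo "valid for at least $days days"
    else echo "ERROR: certificate expires within $days days"; rc=1; fi
    return $rc
}

# Live use: only import when the pre-flight passes, e.g. for a Let's Encrypt pair:
#   preflight /etc/letsencrypt/live/example.com/fullchain.pem \
#             /etc/letsencrypt/live/example.com/privkey.pem \
#   && completeftp site cert import default \
#        /etc/letsencrypt/live/example.com/fullchain.pem "" \
#        /etc/letsencrypt/live/example.com/privkey.pem
```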

Connection Issues

# Verify certificate is loaded
completeftp site show default sslCertificate.commonName

# Check SSL/TLS settings
completeftp site show default minimumSSLVersion

# Test certificate with openssl
openssl s_client -connect yourserver:990 -servername yourserver

Certificate Validation Errors

# Check certificate dates
completeftp site show default sslCertificate.validFrom sslCertificate.validTo

# Verify common name
completeftp site show default sslCertificate.commonName

# Check certificate chain
completeftp site show default sslCertificate -v

Quick Reference

Certificate Commands

# Import certificate
completeftp site cert import <siteName> <certFilePath> [certPassword] [privateKeyFilePath] [privateKeyPassword]

# Generate self-signed certificate
completeftp site cert generate <siteName> <cn> <o> <ou> <l> <st> <c> <from> <to> <keySize> [--exportPrivateKey=true/false]

# Export certificate
completeftp site cert export <siteName> [--exportPrivateKey=true/false]

# View certificate properties
completeftp site show <siteName> sslCertificate

Common Certificate Properties

# Certificate details
sslCertificate.commonName
sslCertificate.organization
sslCertificate.validFrom
sslCertificate.validTo
sslCertificate.keySize
sslCertificate.thumbprint

File Formats

  • PFX/PKCS#12 - Contains certificate and private key (password protected)
  • PEM - Text format, separate certificate and key files
  • CRT/CER - Certificate only, various formats
  • KEY - Private key file, usually PEM format

Key Sizes

  • 2048 bits - Minimum recommended for production
  • 4096 bits - Higher security, more CPU intensive
  • 1024 bits - Deprecated, not recommended