Cerberus FTP Server SSL Installation Guide
SSL certificates allow you to encrypt the communication between your Cerberus FTP server and FTP clients. Using SSL protects sensitive information like usernames, passwords, and data in transit from being intercepted by unauthorized parties. In this comprehensive guide, we will discuss everything you need to know about configure and install SSL certificate on Cerberus FTP server.
Prerequisites before Installing SSL Certificate on Cerberus FTP Server
Before starting the SSL certificate installation process, make sure that the following prerequisites are met:
- You have administrative access to the Cerberus FTP server where you want to install the SSL certificate.
- The Cerberus FTP server has a resolvable domain name (e.g. ftp.yourdomain.com). Using a domain name is required for generating the SSL certificate and enabling HTTPS access.
- You have already purchased the SSL certificate for your domain from a trusted certificate authority (CA) like Comodo, DigiCert, GoDaddy, etc. The CA will email you the SSL certificate files after purchase.
- The purchased SSL certificate matches the base domain name of your FTP server. For example, if your FTP server is accessible at ftp.yourdomain.com, then the SSL cert should be for *.yourdomain.com or yourdomain.com.
- Your firewalls, routers, and network security rules allow SSL traffic on the required port numbers used by Cerberus FTP server. By default, Cerberus uses port 21 for FTP, port 990 for FTPS implicit mode, and port 900 for FTP explicit mode.
A Step-by-Step Guide to Install an SSL Certificate on Cerberus FTP Server
- Install SSL Certificate on Server
- Bind SSL Certificate in Cerberus
- Configure Firewall for SSL Traffic
- Configure FTP Client for FTPS
Step 1 – Install SSL Certificate on Server
The first step is to install the purchased SSL certificate on the Windows server running your Cerberus FTP server.
Here are the detailed steps to complete the SSL certificate installation:
- Login to your Windows server and launch the Microsoft Management Console (MMC).
- Click on File > Add/Remove Snap-in.
- Select Certificates and click Add to add the Certificates snap-in.
- Choose Computer account and click Next.
- Select Local computer and click Finish.
- Click OK to open the Certificates snap-in. This displays all certificates stored on your local computer.
- Right-click on the Personal folder and choose All Tasks > Import.
- Import the SSL certificate file (with .crt, .cer or .p7b extension) purchased from your CA. This installs the SSL certificate to your server’s certificate store.
- Next, import the private key file (with extension .key) for your certificate and place it in the Personal store.
- Close the MMC console after successfully importing the required SSL certificate files.
Once you complete these steps, the SSL certificate is installed and ready to be bound to the Cerberus FTP services on your server.
Step 2 – Bind SSL Certificate in Cerberus
Now that the SSL certificate is imported into the server’s certificate store, the next step is to bind it to the FTP service in Cerberus FTP. This will assign the SSL cert to encrypt and secure the FTP connections.
Follow these instructions to bind the installed SSL certificate within Cerberus FTP server:
- Launch the Cerberus FTP Server Manager dashboard.
- Click on the Configuration icon and select SSL/TLS.
- Switch the slider to On position under Enable SSL/TLS to activate SSL services.
- Under the Accepted certificate section, click Bind Certificate.
- Select your imported SSL certificate from the list and click OK.
- Check the Bind Port option and specify the TCP port numbers used for implicit/explicit FTPS connections.
- Click Apply Changes to bind and activate the SSL certificate for the chosen port range.
Once the binding is successful, your Cerberus FTP server is now ready to accept encrypted FTPS connections using the installed SSL certificate.
Step 3 – Configure Firewall for SSL Traffic
With the SSL certificate installed and bound in Cerberus, the final step is to allow SSL network traffic on the configured secure port numbers.
Follow these firewall configuration steps:
- Log in to your Windows server’s firewall settings.
- Create new inbound rules to allow traffic on port 990 (FTPS implicit) and port 900 (FTPS explicit).
- You can set the rules to apply either to specific IP addresses or to any address if you want to allow global access.
- Also add TCP port 443 (HTTPS) if you want to enable web browser access to Cerberus admin dashboard.
- Click Ok to save the new firewall rules for SSL traffic.
- Restart the Cerberus FTP services for changes to take effect.
And that’s it! Your Cerberus FTP server is now ready to accept encrypted SSL/TLS connections from FTP clients over FTPS protocol.
Step 4 – Configure FTP Client for FTPS
For users to actually leverage the FTPS encryption, you also need to configure the FTP client settings:
On Windows:
- Open the default Windows FTP client.
- Click on File > Site Manager.
- Choose your FTP site and click Edit.
- Go to Security tab.
- Select FTPS Implicit or FTPS Explicit based on the port configured in Cerberus.
- Enable Secure authentication.
- Save the changes.
On FileZilla:
- Open FileZilla and access Site Manager.
- Edit your FTP site.
- Go to Transfer Settings tab.
- Enable Encryption mode under FTP over TLS settings.
- Select the Implicit or Explicit option.
- Save the changes.
That’s it! Users can now connect using FTPS and benefit from SSL encryption.
Verifying Successful SSL Installation
To verify that you have successfully installed and configured SSL on Cerberus FTP server, check for these indicators:
- The Cerberus services start without any SSL binding errors.
- The chosen ports like 990, 900 allow SSL network traffic on the server firewall.
- Users can connect via FTPS protocol and see the SSL lock icon in clients.
- Trying to access plain FTP prompts for secure FTPS upgrade.
- FTPS connections encrypt traffic as seen in packet inspection.
- No SSL certificate warnings or errors are shown in FTP client.
Seeing these signs confirm that your SSL certificate is correctly installed and FTPS encryption is working as expected.
Renewing Expired SSL Certificates
SSL certificates have an expiration date set by the issuing certificate authority, usually valid for 1-3 years. Once an SSL certificate expires, you need to renew SSL certificate to maintain secure FTPS access.
Follow these steps to renew expired certificates on Cerberus FTP:
- Purchase and generate a renewed SSL certificate for your domain from the CA.
- Install the new renewed certificate on the server by importing it in the certificates store.
- In Cerberus Configuration, re-bind the new certificate to the FTP ports to replace the expired cert.
- Restart the Cerberus services for changes to take effect.
- Verify FTPS connections now use the new renewed certificate without any expiration errors.
That’s all there is to it! You can renew expired certificates seamlessly without disrupting your FTPS services.
Troubleshooting Common SSL Issues
When installing SSL for the first time, you may run into some common problems and errors. Here are some troubleshooting tips for the frequently seen SSL issues:
SSL Binding Error in Cerberus
If you see SSL binding errors in Cerberus FTP, make sure that:
- The SSL certificate files are properly installed on the server.
- You added both the certificate (.crt) and private key (.key) to the personal store.
- The FTP user account has permissions to access the certificate store paths.
- You selected the correct SSL certificate for binding.
- The SSL certificate matches the domain name configured for your FTP server.
FTP Client Certificate Warnings
If your FTP client shows security certificate warnings/errors, try these steps:
- Verify that the SSL binding is done correctly in Cerberus using the right certificate.
- Check if your FTP client is able to validate and trust the root and intermediate certificates of the installed SSL cert.
- Your firewall is not blocking the secure FTPS port connections.
- Update the FTP client to the latest version to see if the SSL trust issues are resolved.
No SSL Encryption Seen
If you don’t see actual SSL encryption being used during data transfer even after FTPS setup, ensure that:
- You enabled explicit or implicit FTP over SSL/TLS settings on the FTP client.
- The correct encryption protocols and ciphers are chosen in Cerberus SSL configuration.
- Active FTP mode is being used for FTPS. SSL over passive mode may not work.
- There are no SSL/TLS version mismatches between the client and Cerberus SSL configurations.
With these troubleshooting tips, you should be able to debug and resolve the most common SSL problems when installing certificates on Cerberus FTP server.
Conclusion on Install SSL Certificate on Cerberus FTP Server
Installing SSL certificates allows you to enable secure FTPS connections on the Cerberus FTP server. It encrypts all FTP traffic and adds an extra layer of security for your file transfers and remote user access.
The entire installation process involves purchasing a valid SSL certificate, installing the cert on your server, binding it in Cerberus FTP, configuring supporting firewall rules, and updating FTP client settings. Once configured correctly, both administrators and users can benefit from the encrypted FTPS protocol.
As you approach SSL certificate renewals, make sure to replace the expiring certs proactively to prevent any disruption of services. Also troubleshoot any SSL installation issues as outlined above.
Following the steps given in this comprehensive guide will help you set up FTP over SSL easily on your Cerberus FTP server. Just remember to use strong encryption ciphers and keep your TLS settings up-to-date at all times.
Frequently Asked Questions
Here are some common questions users have about installing SSL certificates on the Cerberus FTP server:
Do I need a separate IP address for FTPS?
No, you can use the same IP address of your regular FTP server to configure FTPS. Just make sure to open the SSL port numbers on the firewall.
What is the difference between implicit and explicit FTPS?
Implicit FTPS uses port 990 and initiates SSL handshake before username/password authentication. Explicit FTPS uses port 900 and performs authentication first before establishing SSL.
Can I use a wildcard SSL certificate?
Yes, a wildcard SSL certificate for *.yourdomain.com can be installed on the Cerberus server to encrypt both the main domain and any subdomains.
Does FTPS work in passive mode?
FTPS is best used in active mode. Passive mode connections may fail or have issues establishing SSL encryption.
Is FTPS compatible with root certificates?
Yes, root CA certificates can be installed on the Cerberus server to validate client certificates for two-way authentication.
Can I use an existing IIS SSL certificate?
If the IIS server is on the same machine as Cerberus, you can bind the existing IIS SSL cert to enable FTPS.
What are the most secure TLS versions for FTPS?
TLS 1.2 and TLS 1.3 are considered the most secure TLS protocols currently. Avoid using outdated versions like SSL 3.0 or TLS 1.0.
How do I purchase and renew SSL certificates?
You need to purchase SSL certificates validated for your domain from CAs like Comodo, DigiCert, GlobalSign, etc. They provide options to renew and manage the certificates as well.
