How-to-simply...

Issue a Self-Signed FTPS Certificate for IIS in PowerShell

  • 1 $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=ServerName Root CA" `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 4096 `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyUsageProperty Sign `
    -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(10)
  • 2 New-SelfSignedCertificate -Type Custom `
    -Subject "CN=ServerName FTP" `
    -KeyExportPolicy Exportable `
    -DnsName "ftp.hostname.lan", "192.168.200.21" `
    -HashAlgorithm sha256 `
    -KeyLength 2048 `
    -KeyUsage "KeyEncipherment","DigitalSignature" `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Signer $cert
  • 3 lftp -e "debug 10; set ssl:verify-certificate/ce:rt:th:um:bp:ri:nt yes ; open FtpUser@ftp.hostname.lan:21"
  • 4 vim ~/.netrc
    machine ftp.hostname.lan
    login FtpUser
    password *****
  • 5 mkdir ~/.lftp
    echo -e 'set ssl:ca-file "/etc/ssl/certs/lftp-cert-bundle.crt"\nset ssl:check-hostname yes\nset ssl:verify-certificate yes\nset ftp:ssl-protect-data yes\nset ftp:ssl-protect-list yes\nset ftp:ssl-force on\n# Use IPv4 only\nset dns:order "inet"' >> ~/.lftp/rc
    chmod 644 /etc/ssl/certs/lftp-cert-bundle.crt
  • N lftp-cert-bundle.crt contains the Base64-encoded self-signed certificate exported from mmc -> Certificates (Local Computer) / Personal / Certificates.
    In the IIS settings, select the same self-signed certificate in both the FTP site settings and the server root.
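
Added example, not part of the original page: a POSIX shell check that the TLS settings from step 5 are the ones actually in effect in an lftp rc file. Step 5 appends with `>>`, so a conflicting line elsewhere in the file can undo them. The names `lftp_rc_audit` and `REQUIRED` are hypothetical, and the parser assumes one `set NAME VALUE` per line with no spaces in values.

```sh
#!/bin/sh
# Added example: audit an lftp rc file for the TLS settings written in step 5.
# Assumption: lftp applies "set" lines in order, so the last assignment wins.
# Assumption: one "set NAME VALUE" per line, values without spaces.
# The sample rc below is constructed for this example.

REQUIRED="ssl:verify-certificate ssl:check-hostname ftp:ssl-force ftp:ssl-protect-data ftp:ssl-protect-list"

lftp_rc_audit() {   # usage: lftp_rc_audit RCFILE; exit status = number of findings
    awk -v required="$REQUIRED" '
        function enabled(v) { return tolower(v) ~ /^(yes|on|true|1)$/ }
        BEGIN { n = split(required, need, " ") }
        /^[ \t]*#/ || $1 != "set" { next }
        {
            name = $2; scope = ""
            slash = index(name, "/")        # NAME/closure limits a setting to a host or fingerprint
            if (slash > 0) { scope = substr(name, slash + 1); name = substr(name, 1, slash - 1) }
            val = $3; gsub(/"/, "", val)
            if (scope == "") last[name] = val                        # global value, last wins
            else if (!enabled(val)) off[name] = off[name] " " scope  # scoped opt-out
        }
        END {
            bad = 0
            for (k = 1; k <= n; k++) {
                v = need[k]
                if (!(v in last))           { print "MISSING  " v; bad++ }
                else if (!enabled(last[v])) { print "NOT-ON   " v " = " last[v]; bad++ }
                if (v in off)               { print "OVERRIDE " v " disabled for:" off[v]; bad++ }
            }
            if (!("ssl:ca-file" in last)) { print "MISSING  ssl:ca-file"; bad++ }
            exit bad
        }' "$1"
}

# Constructed sample: the step 5 settings followed by a conflicting later line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
set ssl:ca-file "/etc/ssl/certs/lftp-cert-bundle.crt"
set ssl:check-hostname yes
set ssl:verify-certificate yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-list yes
set ftp:ssl-force on
set ssl:verify-certificate no
EOF
lftp_rc_audit "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as `lftp_rc_audit ~/.lftp/rc`; it inspects only the rc file and does not check that the bundle named by `ssl:ca-file` exists.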
