Exporting an SSL Certificate from IIS to use in FileZilla FTP Server

FileZilla is a free, open source FTP
server (there is also a client) with SSL/TLS support.

I wanted to use my real SSL Certificate that I had for my website to secure the communication
to my FTP Server and couldn't find any instructions on how to do so. After a little
searching and some trial and error, this is the solution I have come up with. I hope
someone finds this useful.

The real certificate was set up and installed in IIS6, so the first step is to export
the cert from IIS. The Directory Security tab in the properties section of your website
in IIS has a button labelled "Server Certificate" which will launch the Web Server
Certificate wizard. Once the wizard launches, click Next and choose the option "Export
the current certificate to a .pfx file":

Enter the name and the path of the file and click next. Choose a password to encrypt
the exported file with and click next, then finish.

The program I used to convert the certificate is called XCA and
can be downloaded from SourceForge.
Once you have XCA installed launch the application, and under the certificates tab
select "Import PKCS#12" and browse to the .pfx file that was exported from IIS:

It will prompt you for the password to decrypt the .pfx file and you will need to
use the password chosen when you exported it from IIS. In the next dialog, choose "import
all".
You should now see an entry under the keys tab named "unnamed" and an entry under
the certificates for your imported certificate.

Now we are going to export the Key file and certificate file required by FileZilla.
To export the key, select the "unnamed" key and choose Export. Check the option to encrypt
the key with a password; the format will be PEM:

Then export the certificate in the PEM format also:

The final step is to configure FileZilla to use your key and certificate. Browse to
the key and certificate files and enter the password you used to encrypt your key:

FileZilla will now use your real SSL Certificate and you will be able to secure your
FTP communications to your server!
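
A pre-flight check for the two PEM files exported above, as an added example that is not part of the original post: it reads the PEM block labels to report whether the key file is encrypted (so a password has to be entered) and how many certificates the certificate file carries. The function names and the sample blocks are constructed for illustration; the check only inspects file contents and does not model FileZilla's own loader.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted, well_formed)] for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy keys carry RFC 1421 headers ("Proc-Type: 4,ENCRYPTED") before the base64.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
            well_formed = bool(payload)
        except binascii.Error:
            well_formed = False
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        blocks.append((label, encrypted, well_formed))
    return blocks

def preflight(key_text, cert_text, password_set):
    """List what looks wrong with the exported key and certificate files."""
    findings = []
    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        findings.append(f"key file holds {len(keys)} private keys, expected 1")
    if not certs:
        findings.append("certificate file holds no CERTIFICATE block")
    if any(not ok for _, _, ok in keys + certs):
        findings.append("a block is not valid base64 (truncated or edited export?)")
    if keys and keys[0][1] != password_set:
        findings.append("key is encrypted but no password is set" if keys[0][1]
                        else "password is set but the key is not encrypted")
    if len(certs) == 1:
        findings.append("certificate file holds the server certificate only, no chain")
    return findings

# Constructed sample input: placeholder bytes, not real key or certificate material.
BODY = base64.b64encode(b"constructed placeholder, not real key material").decode()
def sample_pem(label, headers=""):
    return f"-----BEGIN {label}-----\n{headers}{BODY}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(preflight(sample_pem("ENCRYPTED PRIVATE KEY"), sample_pem("CERTIFICATE"), False))
```

An empty list means none of these conditions was found; the single-certificate finding is informational for a self-signed certificate.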



22 Responses to “Exporting an SSL Certificate from IIS to use in FileZilla FTP Server”

  3. Hey that's wonderful blog post.. I learned something new from this..
    Thanks..

  4. Hello.. I was looking for the same.. I got the step but was stuck at one place and this blog has solved it.. Thanks..

  9. Anthony Selby Says:

    It still says the server is unknown because GoDaddy isn’t known

  10. Most likely the client computer doesn’t have GoDaddy’s root certificate authority as a trusted CA. You should be able to include the whole chain in the certificate file. GoDaddy should supply the intermediary CAs in a file gd_bundle.crt when you buy your cert from them.

  11. I did all that, but FileZilla Server couldn’t load the key. What did I do wrong?

  12. Are there any error messages in Filezilla’s log file?

  13. Instead of exporting the key and certificate separately as PEM, try exporting the certificate to the format “PEM Cert + key”. Use this file for both the Key and Certificate fields in the FileZilla settings and leave the password blank. This seems to work for me.

  14. You must clear “Encrypt the key with the password”. It should be fine :)

  15. Are there any error messages in FileZilla’s log file?

  16. I am using FTP on 2008 R2. This helps for FileZilla Server, but I need it to be applied to the FileZilla client, yet nothing is working. I tried to use PuTTY by adding into crt but I get an error: couldn’t load private key (file does not begin with openSSH key header). So is there any way to have the crt have an OpenSSH key, so I can use PuTTY to convert it to ppk?

  17. Wmainhardt Says:

    I installed XCA but I can’t click on Import PKCS#12 (or any other item) because they are all grayed out.

  18. You have to create/open an XCA database first.

  19. Ron Michael Says:

    FYI, the latest versions of XCA (.9 as of today) are in some ways very different from the instructions described above. In fact XCA no longer appears to let you export a private key. I had to download an older version (.6) to get this to work.

  20. It does let you export a key, from the ‘Private Keys’ tab.

  21. I converted a GoDaddy certificate using XCA and used it in FileZilla server, but FTP client (WinSCP) still gets the warning: “The server’s certificate is not known….Unable to get local issuer certificate. The error occured at a depth of 1 in the certificate chain.”

    I have tried to export “PEM with certificate chain”, “PEM all certificates”…, still get the same warning. Please help.

  22. I have configured an FTPS FileZilla server with a self-signed certificate. I want to import a CA-signed certificate for this server.
    I already have a signed SSL certificate for the web server (https) and another signed certificate for code signing for Java.

    Can I use one of these certificates for the FileZilla server?
    If not, how can I generate a CSR to get a new certificate for the FTPS FileZilla server?
