SSH Server Key ≠ FTPS (SSL/TLS) Server Certificate

From time to time our users ask how to use their X.509 (SSL/TLS) certificate for SFTP.

The one-line answer is: it’s not possible. But let’s dig into the topic and explain why, and above all how to implement server certificate and keys correctly.

First of all it is important to identify which protocol we intend to use, and what are its peculiarities:

  • FTP: this is not encrypted, therefore no certificate not key applies to it
  • FTPS: implicit SSL/TLS, therefore X.509 SSL/TLS certificates apply
  • FTPES: explicit SSL/TLS, therefore X.509 SSL/TLS certificates apply
  • SFTP: it’s a subsystem of SSH, therefore it’ll use a SSH Server Key, not a certificate

The main difference is that a X.509 (SSL/TLS) certificate contains much more information than a SSH Server Key. It contains the organization name, email, location, host name (and more), and – above all – it can be either self-signed or generated by a trusted Certification Authority (like Thawte, Comodo, and the like). This can only be used for SSL/TLS, therefore only for FTPS and FTPES.

An SSH Server Key instead is a bare-bone RSA key pair. You can generate it yourself using the internal key generator in the Configuration Manager, or use third party tools like PuTTYgen (for example) and then import it as Server!’s SSH Server Key.

For the sake of completeness of information, it is also important to say that – theoretically – it is possible to extract the RSA key pair from a X.509 certificate, and use such key pair as SSH Server Key. But we honestly don’t see why someone should go through such hassle, just to end up with the same key pair he would be able to generate internally, stripped of all the meaningful information contained inside the original X.509 certificate.

Print Friendly
Bookmark the permalink.

Comments are closed