About Certificate Signing Requests
The first step in requesting a certificate from a Certificate Authority (CA) usually requires creating what is called a Certificate Signing Request (CSR). There are several tools available to help with creating a CSR, but Cerberus FTP Server includes an easy-to-use CSR generation tool that you can use to easily create a CSR and private key for your server.
Creating a Certificate Signing Request: Step-by-Step Guides
Select your release of Cerberus:
Cerberus 13.1.0 and beyond:
Cerberus FTP Server includes an easy-to-use CSR form accessed from the Server Manager / Security / General panel in the TLS Server Key Pair section as shown in the screenshot below. This will generate a private key file and CSR file for you.
Fill in the certificate details (all fields except email require a value). The new form is shown below:
The CSR form offers additional Key Type algorithms – options include: RSA, DSA, ECDSA, EdDSA 25519, and EdDSA 448.
The Key Length options depend on which Key Type is selected; where supported, various lengths can be selected based on the organization’s security requirements. The EdDSA options have a fixed length and therefore have no selection option.
Depending on the Key Type, a number of Signing Algorithm options are available; older options have been labeled with the “(Legacy)” tag to indicate that extra care should be taken if these options are selected. The EdDSA options have a fixed length and therefore have no selection option.
Administrators can also set a password on the created Private key. This value is not stored by Cerberus at this stage; Administrators should securely store the password as they do other passwords as it cannot be recovered if forgotten. Once the Certificate Signing Authority signs the CSR and returns a valid certificate, the password will be needed to use the certificate in Cerberus.
Finally, administrators can check the “Download the CSR after creation” to automatically get a copy of the CSR on their local machine. A copy is always stored on the server as well and that location is listed on the form. Please note only the CSR is downloaded. The private key file is saved to C:/ProgramData/Cerberus LLC/Cerberus FTP Server/certificates and is available in that folder. If you are installing a new certificate in Cerberus based off this CSR, you will also need to point Cerberus to the new .key file created when you saved the CSR.
Prior to 13.1.0:
Cerberus FTP Server includes an easy-to-use CSR wizard that will generate a private key file and CSR file for you. You can start the CSR Wizard by opening the Tools menu on the Cerberus desktop interface and selecting the Generate a CSR menu item. Please note this option is not available on the browser based Web Administration Console.
The CSR process generally involves the following steps:
- Generate a CSR file and a private key file using the Cerberus CSR Dialog. The CSR file contains your public key.
- Submit the CSR file to your preferred CA. Make sure you keep the private key file.
- The CA will take your CSR and generate a trusted SSL certificate from it.
- Download the trusted SSL certificate from the CA, and assign it to Cerberus by filling in the path to the key in the 'Certificate Path' field in Server Manager > Security.
- Assign your Private Key to Cerberus by filling in the path to the key in the 'Private Key Path' field in Server Manager > Security.
- Download the intermediate certificates file from the CA (sometimes called a CA bundle file), and assign it as the CA File on the Security page.
Fill in all of the required fields for the CSR and then press the Generate button. After you select the Generate button, a directory selection dialog box will appear to allow you to specify a directory to save the private key and certificate signing request files.
Submitting your CSR to a Certificate Authority
You will submit the CSR file to your CA and keep the private key file. Once your CA has approved your CSR they will issue you a signed public certificate file. This signed public certificate file from your CA and the private key file, created during your certificate signing request, together represent your server's public and private key pair.
The CA will usually provide several different format options for the signed public certificate. The preferred format is a PEM-formatted certificate (the same format Apache web server uses). PEM is also called a Base64 encoded DER certificate. You can tell if a certificate is in this format by opening it in a text editor, and looking for the beginning and ending lines “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“.
Assigning your Certificate and Private Key in Cerberus FTP Server
The final step involves assigning the signed public certificate file and private key file as your public key pair on the Security page of the Server Manager.
- Select Server Manager from the main menu.
- Select the Security tab.
- Under the Server Key Pair group, Click the file selection button next to the Certificate edit control.
- A file open dialog will appear that will allow you to select the public certificate provided by your certificate authority.
- Under the Server Key Pair group, Click the file selection button next to the Private Key edit control.
- A file open dialog will appear that will allow you to select the server’s private key. This file was generated when you first created your CSR.
- Most CAs provide a CA bundle file that contains all of the intermediate CA certificates leading up to your signed certificate. If your CA provides a CA bundle file, download and assigns that file to the CA File field.