Cerberus can support ECDSA OR SSH-RSA keys, but not both at the same time. If you enable ECDSA, Cerberus will no longer accept SSH-RSA keys. This should be fine with modern clients, but if you have old clients connecting to you, they may no longer be able to connect. Also note that if a client needs both kinds at the same time (which we've seen a couple times), we don't support that.
If you can get your network device to use SSH-RSA keys, then you wouldn't need to go through the process below as it's hard to know if whether doing this might cut someone else off.
If you want to go the route of creating a new cert, the instructions below show you how to generate a certificate in ECDSA algorithm. This means that you will need to redo your current certificate and key with your CA and install it into Cerberus. The following are notes on the steps you will need to do.
In order to use ECDSA, the server's private key must be one of the named curves supported by OpenSSL. Here are some ways to generate a valid EC private key and create a Certificate Signing Request (CSR) for your Certificate Authority (CA).
NOTE: Using ECDSA will affect all connections to the server; older software may not be able to connect (although that really should be a signal that those clients should be updated).
You can use online tools to generate the private key and generate a CSR, but we do not recommend this as you really want to keep the private key local and secure at all times if possible. If that's not a concern, you can find tools like DigiCert's that will do the job for you; that said, make sure you use a reputable source as they will have access to your private key (hopefully they don't store it). Be sure to download and securely store a copy.
Digicert has some good instructions for generating CSRs with the Microsoft Management Console, but the process is very complicated and a little opaque. And you'll have to export the private key so Cerberus can use it.
The preferred way to do this is with OpenSSL (supported by almost every platform out there including Windows, Linux & Mac). To install on Windows, you can view installers at the OpenSSL Binary Wiki page or go to Shining Light Productions page (also listed on the Wiki); or most installations, you need Win64 - the Light (drastically smaller download) version will be fine (either 1.1.1 or 1.0.2).
In order for an Ecliptic Curve to be useful, both sides need to know what curve to use. This is only possible when a standard curve is selected, so choose one of the named curves:
openssl ecparam -list_curves
Each curve has pros & cons, but consider NIST guidance on key length. A minimum of 256 bits is good (384 is considered acceptable by the NSA for Top-Secret). The R1 curves are over a Prime field (often shown as ECDSA_PXYZ); while the K1 curves are Koblitz curves (used in Bitcoin for example); so far CAs seem to support the R1 Prime Field type more.
In the example below, we use the NIST/SECG secp256r1 (also known as ECDSA_P256, and just to be more confusing, OpenSSL calls it prime256v1 from ANSI X9.62 vs everywhere else using the RFC 5480 names; don't worry prime256v1 = secp256r1) which should be secure until at least 2030 (when signed by a CA, as of Aug 2020 they will only be valid for a year anyway) when paired with a secure symmetric algorithm like AES-256 & hash like SHA-256. You could also use NIST/SECG secp384r1 (also known as ECDSA_P384) if your CA supports it.
Now, let's generate an unencrypted private key:
openssl ecparam -name secp256r1 -genkey -noout -out ecdsa_p256_key.pem
Now let's generate the CSR that we can send to a CA for signing:
openssl req -new -sha256 -key ecdsa_p256_key.pem -out ecdsa_p256_csr.pem
Fill in the details about your location and most importantly the Common Name. Your CA may also allow you to specify additional Subject Alternative Names (SAN) depending on the type of certificate you request.
If you want to review the CSR before sending to the CA, you can use:
openssl asn1parse -in ecdsa_p256_csr.pem
Copy the contents of ecdsa_p256_csr.pem and provide that to your CA for signing and you should get back an ECDSA certificate.
NOTE: If your organization requires private keys to be encrypted:
openssl ec -in ecdsa_p256_key.pem -out ecdsa_p256_key_encrypted.pem -aes256
provide a password then delete ecdsa_p256_key.pem. Remember you'll need to enable the private key password feature in Cerberus and enter this password.
When the CA responds with your signed certificate, you can use that in Cerberus along with your private key; ECDSA will now be the key used for all encrypted protocols.
In Cerberus, navigate to 'Server Manager' > 'Security' > 'Server Key Pair'
Point the 'Certificate Path' field to the certificate file received from your CA
Point the 'Private Key Path' field to the private key file created in the CSR process. If you encrypted the key with a password, don't forget to click the 'Needs Key Password' box and provide the password entered when you created the key.
Press 'Verify' to ensure your certificate and private key files match each other
Press 'Update' to save.
OPTIONAL for users of Cerberus 12.4.0 and above ONLY: Replacing your SSH Key Pair
If you are on a release of Cerberus that is 12.4.0 and higher, when you replace your SSL certificate Cerberus will NOT replace your SSH Key Pair. The SSH Key Pair is designed to remain static so that changes to the SSL certificate do not require users connecting to SFTP to recache the server public key. However, if you switch from an SSH-RSA cert to an ECDSA cert, you may want to replace your SSH Key Pair so that clients that support only ECSDA can connect to your Cerberus server. To replace your SSH Key Pair, follow these instruction exactly as written:
- Close the user interface
- STOP the Cerberus service using 'services.msc'
- In Windows Explorer, navigate to C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates
- Rename or Delete the following two files: 'ssh_server_private_key.pem' and 'ssh_server_public_key.pem'
- Run Notepad 'As Administrator'
- Open this file in Notepad: C:\ProgramData\Cerberus LLC\Cerberus FTP Server\settings.xml
- REMOVE these two lines in settings.xml
<privateKeyFile>C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\ssh_server_private_key.pem</privateKeyFile>
<publicKeyFile>C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates\ssh_server_public_key.pem</publicKeyFile>
- SAVE settings.xml
- START the Cerberus service using 'services.msc'
Cerberus will create a new SSH Key Pair based off the ECDSA SSL Certificate you just installed
Please sign in to leave a comment.