Thursday, April 7, 2011

FileZilla and Verisign SSL Certificates

It's been a while and I've got a lot of backlogged posts to make, but here's an easy one to start with. We recently began work on a project that will require FTPS file transfer from a remote location. It will be pretty low usage and won't need a lot of storage or performance. Fair enough, that should be easy to do with built-in functionality, and I've set up plenty of servers in our test environment doing just that. One problem: the "server" that was spec'd for use as the FTPS server is running (wait for it) Windows 7 Home Premium. I'm guessing the client just recently upgraded from Windows ME.

Based on past usage I went ahead and put my vote in for using FileZilla. Luckily I'm the only vote that matters, so we're moving forward with that. FileZilla is even kind enough to include its own self-signed SSL certificate generator, which makes things super easy. The problem is that the client has a different outlook and believes that only VeriSign is to be trusted for certificates, since they've heard the name before.

So here's the deal: FileZilla's SSL configuration requires two things, a private key file and the actual certificate. VeriSign's process works from a certificate signing request (CSR), which is something FileZilla never exposes to the user. It generates a key automatically, builds a request against that key and then turns it straight into a finalized self-signed certificate without ever storing the request as a separate file. Great.

Thinking there had to be a way to work around this, I started tinkering with OpenSSL key generation. After combing the interwebs it turns out there is actually a very neat way of doing this using OpenSSL (Linux or Windows). The following commands generate the key file and a request file:

openssl genrsa -out host.key 2048
openssl req -new -nodes -key host.key -out host.csr

One thing to note about the second command: towards the end of the questionnaire OpenSSL will ask you for a "challenge password" and an "optional company name". Just hit Enter and leave both blank, as VeriSign doesn't appreciate all your extra work (and anything you type there gets embedded in the CSR itself).

To verify that VeriSign will accept your CSR go here: https://ssl-tools.verisign.com/checker/

So what we've done so far is create a key file (to be used later in the FileZilla configuration) as well as a CSR (to be sent to VeriSign to create a certificate). Go through the ordering process on the VeriSign site and paste your new CSR when it asks for it. In return, VeriSign should send you a certificate that works with the key you generated with OpenSSL.

FileZilla parses the key and certificate based on their PEM header and footer lines, so you can put the key and the certificate in one file to condense things and FileZilla will figure out the rest. Create a new text file somewhere, call it FileZilla_SSL.cer, and open it for editing. Paste in the contents of the key file generated by OpenSSL above first, then paste the certificate VeriSign sent you directly beneath it. Save the file and close it. Since this file now holds your private key, keep it somewhere only the account running FileZilla Server can read.

Still with me? Alright, the next step is simply to point FileZilla at the FileZilla_SSL.cer file you just made in the SSL/TLS settings menu of the management interface. If you had previously set it up to use a self-signed certificate, things should work exactly the same, except that connecting clients will need to trust the new certificate if they don't have the proper root certificates installed. Done.

So there you have it, VeriSign certificates in FileZilla.
Summary:
  1. Use OpenSSL to generate a key file and a CSR (see commands above).
  2. Send contents of CSR file to VeriSign and receive a certificate of maximum trustiness back.
  3. Paste OpenSSL key + VeriSign cert into a new file and configure FileZilla to use this file.
  4. Profit
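The whole summary above as a runnable script. This is an added example, not something from the original post or from the FileZilla project. It assumes a Linux/Unix-style shell with the openssl command available, an invented hostname (ftps.example.com) and subject fields passed with -subj so the questionnaire is skipped, and, because nobody can talk to VeriSign from a script, a self-signed certificate made from the same CSR stands in for the CA-issued one. The last step is the check the post doesn't show: confirming that the key and certificate in the combined file actually belong to each other before handing the file to FileZilla.

```shell
#!/bin/sh
# Added example (not from the original post): generate key + CSR non-interactively,
# assemble the combined PEM file FileZilla reads, and verify that the key and the
# certificate in that file match. Requires the openssl command-line tool.
set -eu

# Scratch directory for all generated files (assumption: mktemp is available).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: private key and CSR. -subj replaces the interactive questionnaire; the
# challenge password and optional company name are simply not supplied.
# Subject values below are made up for the example.
make_key_and_csr() {
  openssl genrsa -out "$WORKDIR/host.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/host.key" -out "$WORKDIR/host.csr" \
    -subj "/C=US/ST=State/L=City/O=Example Org/CN=ftps.example.com"
}

# Sanity check before sending the CSR anywhere: it must parse and its embedded
# self-signature must verify against the public key it carries.
check_csr() {
  openssl req -in "$WORKDIR/host.csr" -noout -verify >/dev/null 2>&1
}

# Step 2 stand-in: a self-signed certificate issued from the same CSR. In real
# use, replace this with the certificate file the CA (VeriSign) sends back.
make_stand_in_cert() {
  openssl x509 -req -in "$WORKDIR/host.csr" -signkey "$WORKDIR/host.key" \
    -days 30 -out "$WORKDIR/host.crt" 2>/dev/null
}

# Step 3: key first, then certificate, in one file. FileZilla locates each by
# its -----BEGIN .../-----END ... lines, so plain concatenation is enough.
assemble_bundle() {
  cat "$WORKDIR/host.key" "$WORKDIR/host.crt" > "$WORKDIR/FileZilla_SSL.cer"
  chmod 600 "$WORKDIR/FileZilla_SSL.cer"   # the file contains the private key
}

# Does the certificate belong to the private key? Compare the RSA modulus of
# each; openssl skips the PEM blocks it is not asked for, so both commands can
# read the combined file directly. Argument: bundle path (defaults to ours).
key_matches_cert() {
  bundle="${1:-$WORKDIR/FileZilla_SSL.cer}"
  k=$(openssl rsa -in "$bundle" -noout -modulus 2>/dev/null) || k=""
  c=$(openssl x509 -in "$bundle" -noout -modulus 2>/dev/null) || c=""
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Number of PEM blocks in the bundle; exactly 2 is expected (one key, one cert).
pem_block_count() {
  grep -c '^-----BEGIN ' "$WORKDIR/FileZilla_SSL.cer"
}

main() {
  make_key_and_csr
  check_csr && echo "CSR verifies OK"
  make_stand_in_cert
  assemble_bundle
  key_matches_cert && echo "key and certificate match"
  echo "bundle has $(pem_block_count) PEM blocks: $WORKDIR/FileZilla_SSL.cer"
}

main
```

When the real VeriSign certificate arrives, drop it in as host.crt instead of running make_stand_in_cert; if key_matches_cert then fails, the certificate was issued against a different CSR than the one your key produced, and FileZilla will refuse the pair too.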