Based on past usage I went ahead and put my vote in for using FileZilla. Luckily I'm the only vote that matters so we're moving forward with that. FileZilla is even kind enough to make use of its own self-signed SSL certificate generator which makes things super easy. Problem is the client has a different outlook and believes that only VeriSign is to be trusted for certificates since they've heard their name before.
So here's the deal, FileZilla's SSL configuration requires two things: a private key file and the actual certificate. VeriSign's process works with a certificate request which is something that FileZilla never exposes to the user. It generates a key automatically, links a request to that key and then creates a finalized certificate out of it without ever storing the request as a separate file. Great.
Thinking there has to be a way to work around this I start tinkering with openssl generation. Combing the interwebs there is actually a very neat way of doing this using OpenSSL (Linux or Windows). Using the following commands you can generate the key file and a request file:
openssl genrsa -out host.key 2048
openssl req -new -nodes -key host.key -out host.csr
One thing to note with the second command, towards the end of the questionnaire sequence OpenSSL will ask you for a password and an alt business name. Just hit enter and leave those blank as VeriSign doesn't appreciate all your extra work.
To verify that VeriSign will accept your CSR go here: https://ssl-tools.verisign.com/checker/
So what we've done so far is create a key file (to be used later in FileZilla configuration) as well as a CSR (to be sent to VeriSign to create a certificate). Go through the ordering process at the VeriSign site and paste your new CSR when it asks you. In return, VeriSign should send you a certificate that can be used with the key you generated with OpenSSL.
FileZilla parses the key and certificate based on the header and footer lines so you can put the key and the certificate in one file to condense things and FileZilla will figure out the rest. Create a new text file somewhere, call it FileZilla_SSL.cer, and then open it for editing. Copy and paste the key file generated from OpenSSL above first, then paste the certificate VeriSign sent you directly beneath it. Save the file and close it.
Still with me? Alright so the next step is to simply point FileZilla at the FileZilla_SSL.cer file you just made in the SSL/TLS settings menu of the management interface. If you had previously set it up to use a self-signed certificate things should work exactly the same save for any clients connecting needing to trust the new certificate if you don't have the proper root certificates installed. Done.
So there you have it, VeriSign certificates in FileZilla.
Summary:
- Use OpenSSL to generate a key file and a CSR (see commands above).
- Send contents of CSR file to VeriSign and receive a certificate of maximum trustiness back.
- Paste OpenSSL key + VeriSign cert into a new file and configure FileZilla to use this file.
- Profit
it is difficult because many people feel the same and will only trust a site with an ssl they have heard of. i personally went for a verisign certificate as the logo is one i have seen before on well trusted sucessful sites.
ReplyDeletethanks for the support and information.