This page (revision-14) was last changed on 11-Apr-2019 14:00 by Ada Csaba

This page was created on 25-Oct-2018 04:31 by Ben Spink

Difference between version and

At line 1 changed one line
Getting a valid certificate is easy with CrushFTP. (Old [Portecle] Guide, or [Command Line Guide|SSL_CLI])
Getting a valid certificate is easy with CrushFTP. (Old [Portecle] Guide, or [Command Line Guide|SSL_CLI])\\
At line 3 added 2 lines
*[IIS|IISExport] - If you already have a certificate in IIS, you can export that certificate as a .PFX file and use that certificate directly in CrushFTP. [*Export IIS Certificate*|IISExport]\\
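Review bot: the trailing link `[*Export IIS Certificate*|IISExport]` repeats the target already linked by `[IIS|IISExport]` at the start of the same bullet, and its `*...*` emphasis is not the `__...__` bold markup this page uses elsewhere (`__Preferences->Encryption->SSL__`), so the asterisks will likely show literally. Suggest keeping a single link, e.g. `[Export IIS Certificate|IISExport]`. Since the exported .PFX is used directly as the server keystore, it carries the private key; the bullet should say the export needs a password and the file needs restricted access.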
At line 10 changed one line
Starting from scratch, go to your Preferences, Encryption, SSL tab. Click 'Generate Now' on the Step 1 section.\\
Starting from scratch, go to your __Preferences->Encryption->SSL__ tab. Click 'Generate Now' on the Step 1 section.\\
At line 34 changed one line
On most Operating Systems Java ships crippled by default due to US export laws. Its extremely annoying, but you must manually copy a couple files into your java install to allow CrushFTP to use strong cryptography keys (almost all keys these days.)\\
The final step is to restart the HTTPS server item, on Preferences->[IP/servers|IP Servers], this step is __mandatory__, in order to actually load the new certificate. Alternatively, can restart the CrushFTP service/daemon itself.
----
!!5.)
__OBSOLETE, only for Java 8 and older:__ On most Operating Systems Java ships crippled by default due to US export laws. Its extremely annoying, but you must manually copy a couple files into your java install to allow CrushFTP to use strong cryptography keys (almost all keys these days.)\\
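Review bot: the restart instruction is flagged __mandatory__ but is added as a trailing sentence of the previous step, while the obsolete Java note gets the numbered heading `!!5.)`; a reader skimming the headings will miss the one step that actually loads the new certificate. Suggest giving the restart its own numbered heading and moving the obsolete note below it. Wording in the same lines: "Alternatively, can restart" has no subject ("Alternatively, you can restart ..."), and "Its extremely annoying" should read "It's".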
At line 54 added 30 lines
----
!!More reading to help understand the whole convoluted process of SSL.
Every single SSL app uses the same sort of structure for SSL. So every SSL server's certs are interchangeable, they just sometimes package them in different ways that have other benefits.
The process:
Before anything, a private key is created that has the "CN" attribute referencing your domain name. CN=common name. There is a bunch of other "fluff" that describes you as the company too, but the single critical element is the CN. From a private key, you can generate the (C)ertificate (S)ighning (R)equest. This describes your private key in such a way that a certificate authority (CA) can vouch that you are who you say you are, and they sign the CSR and sent you the cert (CRT) file (also known as the CA reply file). This CRT is worthless without the private key. It literally points back at that specific key's unique signature, and is 100% worthless without that private key. So that is the entire process.
Now all cert authorities also do a little more in-between...they don't sign your cert with their own super super super secret CA key, they instead sign with an intermediate certificate. The structure is something like this:
CA key (super super super secret)
CA root (signed by their super super super secret)
CA intermediate (signed by their root)
your key (signed by their intermediate)
Everyone in the world trusts the CA key for say 10 years...and they also trust keys that it has signed. Its the "chain" of trust.
Now servers like Apache, and IIS may ask you for your private key, and the signed key. (The CSR is only useful to get the CRT, then its garbage. Don't save it thinking you have something useful...) They likely have a list of most server's intermediate and root certs, and they build a chain internally for you and use your keys.
CrushFTP and other servers use a "keystore" to hold the chain of keys, and these have a way to link the keys together. CrushFTP will accept either a JavaKeyStore (JKS) or a PFX, P12, (PKCS12) formatted keystore. A keystore is like a folder of keys, but with a password on the folder of keys to secure them.
So a keystore needs a private key in it, plus the root cert, plus the intermediate cert, and finally your signed cert.
So going from apache individual files to a keystore is a documented process of a few steps. You basically are importing the files into a PKCS12 keystore. Then CrushFTP can use that kesytore file directly.
A JKS keystore for practical purposes works the same as a PFX file. (Not 100% the same, but for what you care about, it is.)
Here is a link for converting Apache files into a PKCS12 file. [Openssl_key_convert]
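Review bot: the chain listing says "your key (signed by their intermediate)" and the Apache/IIS paragraph says "the signed key", but the process paragraph in the same hunk states that the CA signs the CSR and returns the cert (CRT); the private key is never sent to the CA or signed, so the listing should read "your cert (signed by their intermediate)" and the later sentence "the signed cert". The four chain lines also carry no `\\` breaks or list markup, unlike the other changes in this revision, so they may render as one run-on line. Typos to fix in the added text: "(S)ighning", "sent you the cert", "kesytore", "then its garbage".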
Version Date Modified Size Author Changes ... Change note
14 11-Apr-2019 14:00 6.531 kB Ada Csaba to previous
13 11-Apr-2019 13:57 6.588 kB Ada Csaba to previous | to last
12 11-Apr-2019 13:56 6.523 kB Ada Csaba to previous | to last
11 11-Apr-2019 13:52 6.519 kB Ada Csaba to previous | to last
10 11-Apr-2019 13:52 6.521 kB Ada Csaba to previous | to last
9 11-Apr-2019 13:50 6.295 kB Ada Csaba to previous | to last
8 11-Apr-2019 13:49 6.295 kB Ada Csaba to previous | to last
7 26-Oct-2018 05:07 6.241 kB Ben Spink to previous | to last
6 26-Oct-2018 05:07 6.229 kB Ben Spink to previous | to last
5 26-Oct-2018 05:06 6.203 kB Ben Spink to previous | to last
4 25-Oct-2018 04:31 6.256 kB Ben Spink to previous | to last
3 25-Oct-2018 04:31 6.041 kB Ben Spink to previous | to last
2 25-Oct-2018 04:31 3.304 kB Ben Spink to previous | to last
1 25-Oct-2018 04:31 3.239 kB Ben Spink to last