Configuring vsFTPd to use TLS

A typical FTP session, will send login information unencrypted. It is a fairly simple matter to configure vsftpd to use SSL/TLS and encrypt connections. You can either create a self-signed certificate for this purpose, or use an existing third-party issued certificate.

Generate a self-signed certificate

Firstly, we generate the private key (in this case, 2048 bits):

openssl genrsa -out /etc/pki/tls/private/ 2048

Make a directory for the CSRs:

mkdir /etc/pki/tls/csrs

Next, we use the private key to generate a certificate signing request (CSR):

openssl req -new -key /etc/pki/tls/private/ -out /etc/pki/tls/csrs/ -sha1

You will be asked to provide information about your organization (e.g. Country, State, Name, etc). Keep in mind that the location information should pertain to your organization not your server.

Finally, we can generate a self-signed X.509 certificate, valid for 1 year:

openssl x509 -req -days 365 -in -signkey -out

Alternatively, this can be done in one step:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/ -out /etc/pki/tls/certs/

Once you have created your private key and certificate, don’t forget to set the correct permissions (see below).

Prepare a certificate from a third-party

For vsftpd to be able to use your certificate, you must combine the private key and certificate. You may also append other relevant certificates in a chain.

If you have your certificate stored in /etc/pki/tls/certs/
And a second certificate to chain at /etc/pki/tls/certs/sub.class1.server.startcom.pem

You will do the following to chain them together:

cat /etc/pki/tls/certs/ > /etc/pki/tls/certs/
cat /etc/pki/tls/certs/sub.class1.server.startcom.pem >> /etc/pki/tls/certs/

You can add additional certificates to the chain by repeating the previous line, and substituting the appropriate certificate. For example, to include the StartCom certificate:

cat /etc/pki/tls/certs/startcom.pem >> /etc/pki/tls/certs/

Note that we are appending the certificates, not overwriting the contents of the file. Typically, you will have to include the certificate bundle that you receive from your CA.

Setting Permissions

Once you have your certificate you should set the file ownership to root, and make it readable only by root:

chown root:root
chmod 600

This is especially important if you use an unencrypted certificate – only root should have access to the file!

vsFTPd configuration

Open the vsftpd configuration file (/etc/vsftpd/vsftpd.conf) in your preferred editor

Add or modify the following settings:


This will point vsftpd to your certificate and private key, set the protocol to TLS, and allow non-encrypted logins if the client does not support (or opts not to use) encrypted logins.

Setting up FileZilla to use FTP over SSL/TLS

FTPS, that is FTP over SSL/TLS (not the same as SFTP), can be configured either implicitly (FTPS) or explicitly (FTPES). For both, you must prepend the protocol to the hostname. The explicit version connects switches to an encrypted mode only once the correct command (AUTH TLS) is issued, while the implicit mode uses an encrypted connection from the start. Implicit SSL often uses a port other than 21 (990).

To use explicit FTP, you would provide the hostname as follows: FTPES://

On the first connection, FileZilla will inform you that the certificate is unknown, and ask if you wish to trust the certificate and proceed. You can set FileZilla to remember that you have trusted the certificate in future.

One final note, an SSL certificate is issued for a specific ‘common name’ (i.e. fully qualified domain name) however, in terms of its ability to encrypt data, it will work on any domain (as long as the matching private key is provided). On a server hosting multiple domains, it may be permissible to use a single certificate to encrypt traffic for all domains over FTP – at very least, it does work. (FileZilla will show that the certificate was issued for a specific domain, but it does not appear to raise any additional warnings if the domains do not match, and certainly allows the connection if you decide to trust the certificate).

By cyberx86

Just a random guy who dabbles with assorted technologies yet works in a completely unrelated field.

Leave a comment

Your email address will not be published. Required fields are marked *