Why can't I use an IIS-generated certificate for loading access logs over SSL(FTPS)?


Article ID: 167497


Updated On:


ProxySG Software - SGOS


You cannot use an IIS-generated self-signed certificate to load access logs over SSL because the certificate that IIS creates is not complete.  As a security device, the ProxySG appliance will not accept an incomplete certificate.
Workaround: Create a self-signed certificate using OpenSSL and import it into IIS. Here are the steps:
  1. Generate the private key on the Linux/Unix/Cygwin host: > openssl genrsa -des3 -out ftpvm.key 1024.
  2. Generate a CSR: > openssl req -new -key ftpvm.key -out ftpvm.csr
  3. Remove Passphrase from Key. One side-effect of the pass-phrased private key is that ftpvm will ask for the pass-phrase each time the FTP server is started.: > openssl rsa -in ftpvm.key.org-out ftpvm.key
  4. Generating a Self-Signed Certificate: > openssl x509 -req -days 365 -in ftpvm.csr -signkey ftpvm.key -out ftpvm.crt
  5. With the above key material create a .pfx file using converter at: https://www.sslshopper.com/ssl-converter.html
  6.  Import the certificate into IIS 7.5: >IIS manager > Machine name > IIS > Server Certificates > import
  7. For the FTP site, set the FTP SSL Settings to use this imported cert.
General observations:
  • The cert CN name MUST match the primary FTP server name in the access log client configuration.
  • This same certificate, as created above, must be imported into CA certificate list,  and put into browser trusted in the ProxySG.
For more information see: